From: Leon Romanovsky <leon@kernel.org>
To: Junxian Huang <huangjunxian6@hisilicon.com>
Cc: jgg@ziepe.ca, bvanassche@acm.org, nab@risingtidesystems.com,
	linux-rdma@vger.kernel.org, linuxarm@huawei.com,
	linux-kernel@vger.kernel.org, target-devel@vger.kernel.org
Subject: Re: [PATCH for-rc] RDMA/srpt: Fix UAF when srpt_add_one() failed
Date: Thu, 1 Aug 2024 14:30:55 +0300	[thread overview]
Message-ID: <20240801113055.GH4209@unreal> (raw)
In-Reply-To: <bcbc57ba-3e54-cfe5-60b8-8f3990f40000@hisilicon.com>

On Thu, Aug 01, 2024 at 07:02:41PM +0800, Junxian Huang wrote:
> 
> 
> On 2024/8/1 18:37, Leon Romanovsky wrote:
> > On Thu, Aug 01, 2024 at 03:44:15PM +0800, Junxian Huang wrote:
> >> Currently cancel_work_sync() is not called when srpt_refresh_port()
> >> failed in srpt_add_one(). There is a probability that sdev has been
> >> freed while the previously initiated sport->work is still running,
> >> leading to a UAF, as shown in the log below:
> >>
> >> [  T880] ib_srpt MAD registration failed for hns_1-1.
> >> [  T880] ib_srpt srpt_add_one(hns_1) failed.
> >> [  T376] Unable to handle kernel paging request at virtual address 0000000000010008
> >> ...
> >> [  T376] Workqueue: events srpt_refresh_port_work [ib_srpt]
> >> ...
> >> [  T376] Call trace:
> >> [  T376]  srpt_refresh_port+0x94/0x264 [ib_srpt]
> >> [  T376]  srpt_refresh_port_work+0x1c/0x2c [ib_srpt]
> >> [  T376]  process_one_work+0x1d8/0x4cc
> >> [  T376]  worker_thread+0x158/0x410
> >> [  T376]  kthread+0x108/0x13c
> >> [  T376]  ret_from_fork+0x10/0x18
> >>
> >> Add cancel_work_sync() to the exception branch to fix this UAF.
> >>
> >> Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1")
> >> Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
> >> ---
> >>  drivers/infiniband/ulp/srpt/ib_srpt.c | 5 +++--
> >>  1 file changed, 3 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
> >> index 9632afbd727b..244e5c115bf7 100644
> >> --- a/drivers/infiniband/ulp/srpt/ib_srpt.c
> >> +++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
> >> @@ -3148,8 +3148,8 @@ static int srpt_add_one(struct ib_device *device)
> >>  {
> >>  	struct srpt_device *sdev;
> >>  	struct srpt_port *sport;
> >> +	u32 i, j;
> >>  	int ret;
> >> -	u32 i;
> >>  
> >>  	pr_debug("device = %p\n", device);
> >>  
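Review bot: besides adding `j`, this hunk reorders the existing `int ret;` and `u32 i;` declarations, which is unrelated churn in a for-rc fix; if the suggestion in the reply below to drop `j` and reuse `i` is taken, this hunk is not needed at all, and otherwise `u32 i, j;` can simply take the place of the old `u32 i;` line without moving `int ret;`.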
> >> @@ -3226,7 +3226,6 @@ static int srpt_add_one(struct ib_device *device)
> >>  		if (ret) {
> >>  			pr_err("MAD registration failed for %s-%d.\n",
> >>  			       dev_name(&sdev->device->dev), i);
> >> -			i--;
> >>  			goto err_port;
> >>  		}
> >>  	}
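Review bot: removing `i--` here changes the value of `i` that reaches the `err_port` label, and the compensating decrement is moved into the `for` initialiser of the next hunk, so the reason `i` is decremented (to exclude the port whose MAD registration just failed from `srpt_unregister_mad_agent(sdev, i)`) is now split across two hunks and easy to lose on a later edit. Either keep `i--` on this path and loop over `j = i + 1` in `err_port`, or add a one-line comment at `err_port` stating what `i` counts at that point.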
> >> @@ -3241,6 +3240,8 @@ static int srpt_add_one(struct ib_device *device)
> >>  	return 0;
> >>  
> >>  err_port:
> >> +	for (j = i, i--; j > 0; j--)a
> >> +		cancel_work_sync(&sdev->port[j - 1].work);
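Review bot: the trailing `a` on `for (j = i, i--; j > 0; j--)a` is a stray character that will not compile, so the patch as posted cannot have been built in this form. Separately, the comma-expression initialiser hides a side effect on `i` that the following `srpt_unregister_mad_agent(sdev, i);` line depends on; a loop that leaves `i` untouched, for example `for (j = 0; j < i; j++) cancel_work_sync(&sdev->port[j].work);` with the `i--` kept on the failure path, makes the error-path bookkeeping self-explanatory and keeps the cancel loop independent of the MAD-agent count.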
> > 
> > There is no need for an extra variable; the following code will do the same:
> > 
> > 	while (i--)
> > 		cancel_work_sync(&sdev->port[i].work);
> > 
> >>  	srpt_unregister_mad_agent(sdev, i);
> 
> i is also used here.

So put cancel_work_sync() there.

Thanks

> 
> Junxian
> 
> >>  err_cm:
> >>  	if (sdev->cm_id)
> >> -- 
> >> 2.33.0
> >>
> > 
> 

Thread overview: 8+ messages
2024-08-01  7:44 [PATCH for-rc] RDMA/srpt: Fix UAF when srpt_add_one() failed Junxian Huang
2024-08-01 10:37 ` Leon Romanovsky
2024-08-01 11:02   ` Junxian Huang
2024-08-01 11:30     ` Leon Romanovsky [this message]
2024-08-01 11:34       ` Junxian Huang
2024-08-01 21:55 ` Zhu Yanjun
2024-08-02  2:28   ` Junxian Huang
2024-08-02  9:18     ` Zhu Yanjun
