From: Edward Srouji <edwards@nvidia.com>
To: Leon Romanovsky <leon@kernel.org>, Jason Gunthorpe <jgg@ziepe.ca>,
"Chiara Meiohas" <cmeiohas@nvidia.com>,
Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
Gal Pressman <galpress@amazon.com>,
Mark Bloch <markb@mellanox.com>,
Steve Wise <larrystevenwise@gmail.com>,
Mark Zhang <markzhang@nvidia.com>,
"Neta Ostrovsky" <netao@nvidia.com>,
Patrisious Haddad <phaddad@nvidia.com>,
"Doug Ledford" <dledford@redhat.com>,
Matan Barak <matanb@mellanox.com>, <majd@mellanox.com>
Cc: <linux-rdma@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
"Edward Srouji" <edwards@nvidia.com>,
Michael Guralnik <michaelgur@nvidia.com>
Subject: [PATCH rdma-next 03/10] RDMA/core: Fix use after free in ib_query_qp()
Date: Wed, 25 Mar 2026 21:00:03 +0200
Message-ID: <20260325-security-bug-fixes-v1-3-c8332981ad26@nvidia.com>
In-Reply-To: <20260325-security-bug-fixes-v1-0-c8332981ad26@nvidia.com>
From: Patrisious Haddad <phaddad@nvidia.com>
When querying a QP via the netlink flow, the only synchronization
mechanism for the said QP is rdma_restrack_get(). Meanwhile, during the
QP destroy path, rdma_restrack_del() is called at the end of the
ib_destroy_qp_user() function, which is too late, since by then the
vendor-specific resources for said QP would already be destroyed, and
until rdma_restrack_del() is called this QP can still be accessed,
which could cause the use after free below.

Fix this by moving the rdma_restrack_del() to the start of
ib_destroy_qp_user(), which in turn waits for all usages of the QP to be
done, then removes it from the database to prevent access to it while it
is being destroyed.

RIP: 0010:ib_query_qp+0x15/0x50 [ib_core]
Code: 48 83 05 5d 8e b9 ff 01 eb b5 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 c7 46 40 00 00 00 00 48 c7 46 78 00 00 00 00 <48> 8b 07 48 8b 80 88 01 00 00 48 85 c0 74 1a 48 83 05 54 91 b9 ff
RSP: 0018:ff11000108a8f2f0 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ff11000108a8f370 RCX: ff11000108a8f370
RDX: 0000000000000000 RSI: ff11000108a8f3d8 RDI: 0000000000000000
RBP: ff1100010de5a000 R08: 0000000000000e80 R09: 0000000000000004
R10: ff110001057a604c R11: 0000000000000000 R12: ff11000108a8f370
R13: ff110001090e8000 R14: 0000000000000000 R15: ff110001057a602c
FS: 00007f2ffd8db6c0(0000) GS:ff110008dc90b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010b9a7004 CR4: 0000000000373eb0
Call Trace:
<TASK>
mlx5_ib_gsi_query_qp+0x21/0x50 [mlx5_ib]
mlx5_ib_query_qp+0x689/0x9d0 [mlx5_ib]
ib_query_qp+0x35/0x50 [ib_core]
fill_res_qp_entry_query.isra.0+0x47/0x280 [ib_core]
? __wake_up+0x40/0x50
? netlink_broadcast_filtered+0x15a/0x550
? kobject_uevent_env+0x562/0x710
? ep_poll_callback+0x242/0x270
? __nla_put+0xc/0x20
? nla_put+0x28/0x40
? nla_put_string+0x2e/0x40 [ib_core]
fill_res_qp_entry+0x138/0x190 [ib_core]
res_get_common_dumpit+0x4a5/0x800 [ib_core]
? fill_res_qp_entry_query.isra.0+0x280/0x280 [ib_core]
nldev_res_get_qp_dumpit+0x1e/0x30 [ib_core]
netlink_dump+0x16f/0x450
__netlink_dump_start+0x1ce/0x2e0
rdma_nl_rcv_msg+0x1d3/0x330 [ib_core]
? nldev_res_get_qp_raw_dumpit+0x30/0x30 [ib_core]
rdma_nl_rcv_skb.constprop.0.isra.0+0x108/0x180 [ib_core]
rdma_nl_rcv+0x12/0x20 [ib_core]
netlink_unicast+0x255/0x380
? __alloc_skb+0xfa/0x1e0
netlink_sendmsg+0x1f3/0x420
__sock_sendmsg+0x38/0x60
____sys_sendmsg+0x1e8/0x230
? copy_msghdr_from_user+0xea/0x170
___sys_sendmsg+0x7c/0xb0
? __futex_wait+0x95/0xf0
? __futex_wake_mark+0x40/0x40
? futex_wait+0x67/0x100
? futex_wake+0xac/0x1b0
__sys_sendmsg+0x5f/0xb0
do_syscall_64+0x55/0xb90
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Fixes: 514aee660df4 ("RDMA: Globally allocate and release QP memory")
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
Signed-off-by: Edward Srouji <edwards@nvidia.com>
---
drivers/infiniband/core/verbs.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
index bac87de9cc6735c5d25420a7fac8facdd77d5f09..f1438d5802a3e97e22cdb607cf90a097d041a162 100644
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -2157,6 +2157,8 @@ int ib_destroy_qp_user(struct ib_qp *qp, struct ib_udata *udata)
if (qp->real_qp != qp)
return __ib_destroy_shared_qp(qp);
+ rdma_restrack_del(&qp->res);
+
sec = qp->qp_sec;
if (sec)
ib_destroy_qp_security_begin(sec);
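Review bot: the new `rdma_restrack_del(&qp->res);` at the top of ib_destroy_qp_user() carries no comment saying why it must precede the driver destroy callback, so a later reorder would silently reintroduce the race the commit message describes; suggest a one-line comment above it, e.g. `/* Wait for in-flight restrack users (netlink queries) before tearing down driver state */`. The early `return __ib_destroy_shared_qp(qp);` for `qp->real_qp != qp` still runs before the del, so shared QPs are left to that helper, which reads as intended but is worth a word in the commit message.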
@@ -2169,6 +2171,8 @@ int ib_destroy_qp_user(struct ib_qp *qp, struct ib_udata *udata)
if (ret) {
if (sec)
ib_destroy_qp_security_abort(sec);
+ rdma_restrack_new(&qp->res, RDMA_RESTRACK_QP);
+ rdma_restrack_add(&qp->res);
return ret;
}
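Review bot: the error path re-registers the QP with `rdma_restrack_new(&qp->res, RDMA_RESTRACK_QP);` followed by `rdma_restrack_add(&qp->res);`, but neither the hunk nor the commit message states whether the QP keeps its original restrack resource ID; if a fresh ID is assigned, netlink consumers will see the QP disappear and reappear under a different ID after a failed driver destroy. Either state the guarantee in the commit message or add a comment here. The two re-add lines correctly sit outside the `if (sec)` guard, since restrack registration does not depend on qp_sec; a blank line before them would make that separation from ib_destroy_qp_security_abort() visible.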
@@ -2181,7 +2185,6 @@ int ib_destroy_qp_user(struct ib_qp *qp, struct ib_udata *udata)
if (sec)
ib_destroy_qp_security_end(sec);
- rdma_restrack_del(&qp->res);
kfree(qp);
return ret;
}
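Review bot: with the del removed here, kfree(qp) now directly follows ib_destroy_qp_security_end(sec) while the restrack entry is already gone; confirm that the security end path does not reach into qp->res, since any such access would now see an unregistered entry rather than a live one.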
--
2.49.0
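The ordering problem the commit message describes, as an added single-threaded model that is not the patch's or the kernel's own code; every name in it (model_qp, restrack_get/del, query_qp, destroy_old/new, race_result) is a hypothetical stand-in for the real restrack and ib_core functions, and the query racing into the destroy is simulated by a callback rather than a second thread.

```c
/* Added example, not part of the patch: a single-threaded model of the
 * destroy/query ordering the commit message describes.  All names here
 * are hypothetical stand-ins for the kernel's restrack/ib_core functions. */
#include <stdbool.h>
#include <stdlib.h>
struct vendor_priv { int state; };      /* driver-private QP data (mlx5-like) */
struct model_qp {
    bool tracked;                        /* present in the restrack database */
    struct vendor_priv *priv;            /* freed by the vendor destroy step */
};

/* rdma_restrack_get() lets a query proceed only while the entry is tracked;
 * rdma_restrack_del() untracks it and then waits for all users to finish
 * (the model is single-threaded, so there is nothing to wait for here). */
static bool restrack_get(struct model_qp *qp) { return qp->tracked; }
static void restrack_del(struct model_qp *qp) { qp->tracked = false; }

/* Netlink-style query: the vendor state, -1 when restrack_get() refuses,
 * -2 when it would touch vendor data that is already gone (the oops). */
int query_qp(struct model_qp *qp)
{
    if (!restrack_get(qp))
        return -1;
    return qp->priv ? qp->priv->state : -2;
}

/* Both destroy paths call probe() where a concurrent query could land
 * and return what that query observed. */
int destroy_old(struct model_qp *qp, int (*probe)(struct model_qp *))
{
    free(qp->priv); qp->priv = NULL;     /* pre-patch: vendor destroy ...    */
    int seen = probe(qp);                /* ... while the QP is still tracked */
    restrack_del(qp);                    /* del happens too late              */
    return seen;
}
int destroy_new(struct model_qp *qp, int (*probe)(struct model_qp *))
{
    restrack_del(qp);                    /* patched: del first, gets refused  */
    int seen = probe(qp);
    free(qp->priv); qp->priv = NULL;
    return seen;
}

/* Run one destroy with a query racing into the middle of it; returns
 * what the query saw: 7 (live data), -1 (refused) or -2 (freed data). */
int race_result(bool patched)
{
    struct model_qp qp = { .tracked = true,
                           .priv = calloc(1, sizeof(struct vendor_priv)) };
    qp.priv->state = 7;
    return patched ? destroy_new(&qp, query_qp) : destroy_old(&qp, query_qp);
}
```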