From: Jason Gunthorpe <jgg@nvidia.com>
To: Edward Srouji <edwards@nvidia.com>
Cc: Leon Romanovsky <leon@kernel.org>,
Chiara Meiohas <cmeiohas@nvidia.com>,
Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
Gal Pressman <galpress@amazon.com>,
Mark Bloch <markb@mellanox.com>,
Steve Wise <larrystevenwise@gmail.com>,
Mark Zhang <markzhang@nvidia.com>,
Neta Ostrovsky <netao@nvidia.com>,
Patrisious Haddad <phaddad@nvidia.com>,
Doug Ledford <dledford@redhat.com>,
Matan Barak <matanb@mellanox.com>,
majd@mellanox.com, Maor Gottlieb <maorg@mellanox.com>,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
Michael Guralnik <michaelgur@nvidia.com>
Subject: Re: [PATCH rdma-next v3 2/5] RDMA/mlx5: Fix UAF in DCT destroy due to race with create
Date: Wed, 29 Apr 2026 16:46:01 -0300 [thread overview]
Message-ID: <20260429194601.GA478597@nvidia.com> (raw)
In-Reply-To: <20260427-security-bug-fixes-v3-2-4621fa52de0e@nvidia.com>
On Mon, Apr 27, 2026 at 02:02:33PM +0300, Edward Srouji wrote:
> A potential race condition exists between mlx5_core_destroy_dct() and
> mlx5_core_create_dct() that can lead to a use-after-free.
>
> After _mlx5_core_destroy_dct() releases the DCT to firmware, the DCTN
> can be immediately reallocated for a new DCT being created concurrently.
> If the create path stores the new DCT in the xarray before the destroy path
> erases it, the destroy will incorrectly delete the new DCT's entry.
> Later accesses then hit freed memory.
>
> Fix by replacing the unconditional xa_erase_irq() with xa_cmpxchg_irq()
> that only erases the entry if it hasn't already been replaced (still
> contains XA_ZERO_ENTRY), preserving any newly created DCT.
>
> Fixes: afff24899846 ("RDMA/mlx5: Handle DCT QP logic separately from low level QP interface")
> Signed-off-by: Edward Srouji <edwards@nvidia.com>
> Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
> ---
> drivers/infiniband/hw/mlx5/qpc.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/hw/mlx5/qpc.c b/drivers/infiniband/hw/mlx5/qpc.c
> index 146d03ae40bd9fd9650530fba77eb7e942d5fe79..a7a4f9420271a228e161aaac1ffa432d304ce431 100644
> --- a/drivers/infiniband/hw/mlx5/qpc.c
> +++ b/drivers/infiniband/hw/mlx5/qpc.c
> @@ -314,7 +314,14 @@ int mlx5_core_destroy_dct(struct mlx5_ib_dev *dev,
> xa_cmpxchg_irq(&table->dct_xa, dct->mqp.qpn, XA_ZERO_ENTRY, dct, 0);
> return err;
> }
> - xa_erase_irq(&table->dct_xa, dct->mqp.qpn);
> +
> + /*
> + * A race can occur where a concurrent create gets the same dctn
> + * (after hardware released it) and overwrites XA_ZERO_ENTRY with
> + * its new DCT before we reach here. In that case, we must not erase
> + * the entry as it now belongs to the new DCT.
> + */
> + xa_cmpxchg_irq(&table->dct_xa, dct->mqp.qpn, XA_ZERO_ENTRY, NULL, 0);
> return 0;
Sashiko is right about the
xa_init_flags(&table->dct_xa, XA_FLAGS_LOCK_IRQ);
Please make another patch for that.
The think about the xa_cmpxchg_irq().. I think that is not sane.. If
the FW has returned the ID back to another thread then the FW is no
longer allowed to fail this destruction, it is already destroyed.
In this case the xa will go wonky, but we are already pretty lost at that
point.
The logic here is probably not great though, if the xa is mangled then
we should still try to do the firmware call
Jason
next prev parent reply other threads:[~2026-04-29 19:46 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-27 11:02 [PATCH rdma-next v3 0/5] RDMA: Stability and race condition fixes Edward Srouji
2026-04-27 11:02 ` [PATCH rdma-next v3 1/5] RDMA/mlx5: Fix UAF in SRQ destroy due to race with create Edward Srouji
2026-04-27 11:02 ` [PATCH rdma-next v3 2/5] RDMA/mlx5: Fix UAF in DCT " Edward Srouji
2026-04-29 19:46 ` Jason Gunthorpe [this message]
2026-04-27 11:02 ` [PATCH rdma-next v3 3/5] IB/core: Fix IPv6 netlink message size in ib_nl_ip_send_msg() Edward Srouji
2026-04-27 11:02 ` [PATCH rdma-next v3 4/5] RDMA/core: Fix rereg_mr use-after-free race Edward Srouji
2026-04-27 11:02 ` [PATCH rdma-next v3 5/5] RDMA/mlx5: Fix null-ptr-deref in Raw Packet QP creation Edward Srouji
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260429194601.GA478597@nvidia.com \
--to=jgg@nvidia.com \
--cc=cmeiohas@nvidia.com \
--cc=dennis.dalessandro@cornelisnetworks.com \
--cc=dledford@redhat.com \
--cc=edwards@nvidia.com \
--cc=galpress@amazon.com \
--cc=larrystevenwise@gmail.com \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=majd@mellanox.com \
--cc=maorg@mellanox.com \
--cc=markb@mellanox.com \
--cc=markzhang@nvidia.com \
--cc=matanb@mellanox.com \
--cc=michaelgur@nvidia.com \
--cc=netao@nvidia.com \
--cc=phaddad@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox