* [LTP] [PATCH 0/2] Add infiniband testing suite
@ 2026-03-25 15:25 Andrea Cervesato
  2026-03-25 15:25 ` [LTP] [PATCH 1/2] lapi: Add fallback rdma_user_cm.h definitions Andrea Cervesato
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Andrea Cervesato @ 2026-03-25 15:25 UTC (permalink / raw)
  To: Linux Test Project

This patch series introduces a test for infiniband testing, based on
https://marc.info/?l=linux-kernel&m=152625244101970&w=2.

Consider this as a snapshot for a possible test. I sent it to the ML
just to have some feedback.

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Andrea Cervesato (2):
      lapi: Add fallback rdma_user_cm.h definitions
      device-drivers/rdma: Add ucma_uaf01 test

 configure.ac                                      |   1 +
 include/lapi/rdma_user_cm.h                       |  72 ++++++++
 runtest/kernel_misc                               |   1 +
 testcases/kernel/device-drivers/Makefile          |   1 +
 testcases/kernel/device-drivers/rdma/.gitignore   |   1 +
 testcases/kernel/device-drivers/rdma/Makefile     |   7 +
 testcases/kernel/device-drivers/rdma/ucma_uaf01.c | 208 ++++++++++++++++++++++
 7 files changed, 291 insertions(+)
---
base-commit: b874b6a264cf4f343c17d543ebe4ff91fbb89042
change-id: 20260325-infiniband_rdma-c94a1f4f7255

Best regards,
-- 
Andrea Cervesato <andrea.cervesato@suse.com>


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp


* [LTP] [PATCH 1/2] lapi: Add fallback rdma_user_cm.h definitions
  2026-03-25 15:25 [LTP] [PATCH 0/2] Add infiniband testing suite Andrea Cervesato
@ 2026-03-25 15:25 ` Andrea Cervesato
  2026-03-25 15:25 ` [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test Andrea Cervesato
  2026-04-07 12:56 ` [LTP] [PATCH 0/2] Add infiniband testing suite Petr Vorel
  2 siblings, 0 replies; 6+ messages in thread
From: Andrea Cervesato @ 2026-03-25 15:25 UTC (permalink / raw)
  To: Linux Test Project

From: Andrea Cervesato <andrea.cervesato@suse.com>

Add LAPI header with fallback definitions for RDMA user CM structures
and command enums, used when <rdma/rdma_user_cm.h> is not available.

Add the corresponding configure check for rdma/rdma_user_cm.h.

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 configure.ac                |  1 +
 include/lapi/rdma_user_cm.h | 72 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)

diff --git a/configure.ac b/configure.ac
index 9d6ec7f13ad421aa35840ebc65745c962b11e1db..8f67018dc692685d88acfb51232446659c1eeb3d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -85,6 +85,7 @@ AC_CHECK_HEADERS_ONCE([ \
     linux/userfaultfd.h \
     netinet/sctp.h \
     pthread.h \
+    rdma/rdma_user_cm.h \
     sys/epoll.h \
     sys/fanotify.h \
     sys/inotify.h \
diff --git a/include/lapi/rdma_user_cm.h b/include/lapi/rdma_user_cm.h
new file mode 100644
index 0000000000000000000000000000000000000000..801dd83ec0df215901a86855bc51ad2b416d9855
--- /dev/null
+++ b/include/lapi/rdma_user_cm.h
@@ -0,0 +1,72 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2026 Linux Test Project
+ */
+
+#ifndef LAPI_RDMA_USER_CM_H__
+#define LAPI_RDMA_USER_CM_H__
+
+#include "config.h"
+
+#ifdef HAVE_RDMA_RDMA_USER_CM_H
+# include <rdma/rdma_user_cm.h>
+#endif
+
+#include <netinet/in.h>
+#include <stdint.h>
+
+#ifndef RDMA_USER_CM_ABI_VERSION
+
+enum {
+	RDMA_USER_CM_CMD_CREATE_ID,
+	RDMA_USER_CM_CMD_DESTROY_ID,
+	RDMA_USER_CM_CMD_BIND_IP,
+	RDMA_USER_CM_CMD_RESOLVE_IP,
+	RDMA_USER_CM_CMD_RESOLVE_ROUTE,
+	RDMA_USER_CM_CMD_QUERY_ROUTE,
+	RDMA_USER_CM_CMD_CONNECT,
+	RDMA_USER_CM_CMD_LISTEN,
+};
+
+enum rdma_ucm_port_space {
+	RDMA_PS_IPOIB = 0x0002,
+};
+
+struct rdma_ucm_cmd_hdr {
+	uint32_t cmd;
+	uint16_t in;
+	uint16_t out;
+};
+
+struct rdma_ucm_create_id {
+	uint64_t uid;
+	uint64_t response;
+	uint16_t ps;
+	uint8_t  qp_type;
+	uint8_t  reserved[5];
+};
+
+struct rdma_ucm_create_id_resp {
+	uint32_t id;
+};
+
+struct rdma_ucm_destroy_id {
+	uint64_t response;
+	uint32_t id;
+	uint32_t reserved;
+};
+
+struct rdma_ucm_bind_ip {
+	uint64_t response;
+	struct sockaddr_in6 addr;
+	uint32_t id;
+};
+
+struct rdma_ucm_listen {
+	uint32_t id;
+	uint32_t backlog;
+};
+
+#endif /* RDMA_USER_CM_ABI_VERSION */
+
+#endif /* LAPI_RDMA_USER_CM_H__ */
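Review bot: The fallback command enum (RDMA_USER_CM_CMD_CREATE_ID through RDMA_USER_CM_CMD_LISTEN) relies on implicit enumerator values, yet these numbers are ABI constants that end up in rdma_ucm_cmd_hdr.cmd. Give each entry an explicit value (`RDMA_USER_CM_CMD_CREATE_ID = 0,` and so on) so that trimming or reordering the list later cannot silently change what is written to the device. RESOLVE_IP, RESOLVE_ROUTE, QUERY_ROUTE and CONNECT are present only to keep LISTEN at the right position and are not used by the test in patch 2/2, which makes the implicit numbering easy to break by accident.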

-- 
2.51.0



* [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test
  2026-03-25 15:25 [LTP] [PATCH 0/2] Add infiniband testing suite Andrea Cervesato
  2026-03-25 15:25 ` [LTP] [PATCH 1/2] lapi: Add fallback rdma_user_cm.h definitions Andrea Cervesato
@ 2026-03-25 15:25 ` Andrea Cervesato
  2026-04-07 13:24   ` Petr Vorel
  2026-04-08  7:16   ` Petr Vorel
  2026-04-07 12:56 ` [LTP] [PATCH 0/2] Add infiniband testing suite Petr Vorel
  2 siblings, 2 replies; 6+ messages in thread
From: Andrea Cervesato @ 2026-03-25 15:25 UTC (permalink / raw)
  To: Linux Test Project

From: Andrea Cervesato <andrea.cervesato@suse.com>

Test for use-after-free in RDMA UCMA triggered by racing CREATE_ID,
BIND_IP, and LISTEN operations. Three threads concurrently issue
these commands to /dev/infiniband/rdma_cm and the test checks for
kernel taint (KASAN use-after-free detection).

The bug was fixed by kernel commit 5fe23f262e05
("ucma: fix a use-after-free in ucma_resolve_ip()").

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 runtest/kernel_misc                               |   1 +
 testcases/kernel/device-drivers/Makefile          |   1 +
 testcases/kernel/device-drivers/rdma/.gitignore   |   1 +
 testcases/kernel/device-drivers/rdma/Makefile     |   7 +
 testcases/kernel/device-drivers/rdma/ucma_uaf01.c | 208 ++++++++++++++++++++++
 5 files changed, 218 insertions(+)

diff --git a/runtest/kernel_misc b/runtest/kernel_misc
index 78f00d305fea10367fb4fd2845f25dd151a833ea..dcc3c0a44fb52a968f91a52758dbd43a3ce7a9ec 100644
--- a/runtest/kernel_misc
+++ b/runtest/kernel_misc
@@ -3,6 +3,7 @@ kmsg01 kmsg01
 fw_load fw_load
 rtc01 rtc01
 rtc02 rtc02
+ucma_uaf01 ucma_uaf01
 block_dev block_dev
 tpci tpci
 tbio tbio
diff --git a/testcases/kernel/device-drivers/Makefile b/testcases/kernel/device-drivers/Makefile
index 229a50683f5f629904ff591daa6fcd4f1c35fdf1..538df555395bf21062906ffa4125da4c767c1e24 100644
--- a/testcases/kernel/device-drivers/Makefile
+++ b/testcases/kernel/device-drivers/Makefile
@@ -11,6 +11,7 @@ SUBDIRS		:= acpi \
 		   locking \
 		   pci \
 		   rcu \
+		   rdma \
 		   rtc \
 		   tbio \
 		   uaccess \
diff --git a/testcases/kernel/device-drivers/rdma/.gitignore b/testcases/kernel/device-drivers/rdma/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..399ea290e4f9abd6b66800b21f4aea3eb33d3799
--- /dev/null
+++ b/testcases/kernel/device-drivers/rdma/.gitignore
@@ -0,0 +1 @@
+/ucma_uaf01
diff --git a/testcases/kernel/device-drivers/rdma/Makefile b/testcases/kernel/device-drivers/rdma/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..5df01972aeab257b6ef24a928204b6b722c1cdef
--- /dev/null
+++ b/testcases/kernel/device-drivers/rdma/Makefile
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2026 Linux Test Project
+
+top_srcdir		?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
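Review bot: The Makefile sets no thread flags although ucma_uaf01.c starts three threads through SAFE_PTHREAD_CREATE. Add `ucma_uaf01: CFLAGS += -pthread` (or the equivalent LDLIBS entry) between the testcases.mk and generic_leaf_target.mk includes so the build does not depend on the C library providing the pthread symbols without it.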
diff --git a/testcases/kernel/device-drivers/rdma/ucma_uaf01.c b/testcases/kernel/device-drivers/rdma/ucma_uaf01.c
new file mode 100644
index 0000000000000000000000000000000000000000..313e2aee0ea0114ce37f006eca93ea66d86ddeea
--- /dev/null
+++ b/testcases/kernel/device-drivers/rdma/ucma_uaf01.c
@@ -0,0 +1,208 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2026 Linux Test Project
+ */
+
+/*\
+ * Test for use-after-free in RDMA UCMA triggered by concurrent CREATE_ID,
+ * BIND_IP, and LISTEN operations via /dev/infiniband/rdma_cm.
+ *
+ * Requires root to open /dev/infiniband/rdma_cm.
+ *
+ * Three threads race to create, bind, and listen on RDMA connection manager
+ * IDs. On vulnerable kernels, this triggers a use-after-free in
+ * cma_listen_on_all() detected by KASAN.
+ *
+ * Based on a syzbot reproducer:
+ * syzbot+db1c219466daac1083df@syzkaller.appspotmail.com
+ *
+ * Fixed in:
+ *
+ *  commit 5fe23f262e05
+ *  ucma: fix a use-after-free in ucma_resolve_ip()
+ */
+
+#include "tst_test.h"
+#include "tst_safe_pthread.h"
+#include "lapi/rdma_user_cm.h"
+
+#define RDMA_CM_DEV "/dev/infiniband/rdma_cm"
+
+static int cmfd = -1;
+static volatile uint32_t shared_id;
+static volatile int stop_threads;
+
+static void destroy_id(uint32_t id)
+{
+	ssize_t ret;
+
+	struct {
+		struct rdma_ucm_cmd_hdr hdr;
+		struct rdma_ucm_destroy_id destroy;
+	} msg = {
+		.hdr = {
+			.cmd = RDMA_USER_CM_CMD_DESTROY_ID,
+			.out = sizeof(struct rdma_ucm_create_id_resp),
+		},
+		.destroy = {
+			.id = id,
+		},
+	};
+	struct rdma_ucm_create_id_resp resp;
+
+	msg.destroy.response = (uintptr_t)&resp;
+
+	/* Errors expected due to racing with stale IDs */
+	ret = write(cmfd, &msg, sizeof(msg));
+	(void)ret;
+}
+
+static void *thread_create(void *arg)
+{
+	uint32_t id, prev_id = 0;
+	int has_prev = 0;
+
+	while (!stop_threads) {
+		struct {
+			struct rdma_ucm_cmd_hdr hdr;
+			struct rdma_ucm_create_id create;
+		} msg = {
+			.hdr = {
+				.cmd = RDMA_USER_CM_CMD_CREATE_ID,
+				.out = sizeof(id),
+			},
+			.create = {
+				.response = (uintptr_t)&id,
+				.ps = RDMA_PS_IPOIB,
+			},
+		};
+
+		if (write(cmfd, &msg, sizeof(msg)) > 0) {
+			if (has_prev)
+				destroy_id(prev_id);
+			prev_id = id;
+			has_prev = 1;
+			shared_id = id;
+		}
+	}
+
+	if (has_prev)
+		destroy_id(prev_id);
+
+	return arg;
+}
+
+static void *thread_bind(void *arg)
+{
+	ssize_t ret;
+
+	while (!stop_threads) {
+		struct {
+			struct rdma_ucm_cmd_hdr hdr;
+			struct rdma_ucm_bind_ip bind;
+		} msg = {
+			.hdr = {
+				.cmd = RDMA_USER_CM_CMD_BIND_IP,
+			},
+			.bind = {
+				.addr = {
+					.sin6_family = AF_INET6,
+					.sin6_addr = {
+						.s6_addr = { 0xff },
+					},
+				},
+				.id = shared_id,
+			},
+		};
+
+		/* Errors expected due to racing with stale IDs */
+		ret = write(cmfd, &msg, sizeof(msg));
+		(void)ret;
+	}
+
+	return arg;
+}
+
+static void *thread_listen(void *arg)
+{
+	ssize_t ret;
+
+	while (!stop_threads) {
+		struct {
+			struct rdma_ucm_cmd_hdr hdr;
+			struct rdma_ucm_listen listen;
+		} msg = {
+			.hdr = {
+				.cmd = RDMA_USER_CM_CMD_LISTEN,
+			},
+			.listen = {
+				.id = shared_id,
+			},
+		};
+
+		/* Errors expected due to racing with stale IDs */
+		ret = write(cmfd, &msg, sizeof(msg));
+		(void)ret;
+	}
+
+	return arg;
+}
+
+static void setup(void)
+{
+	cmfd = open(RDMA_CM_DEV, O_WRONLY);
+	if (cmfd < 0) {
+		if (errno == ENOENT || errno == ENXIO)
+			tst_brk(TCONF, RDMA_CM_DEV " not available");
+		tst_brk(TBROK | TERRNO, "open(" RDMA_CM_DEV ")");
+	}
+}
+
+static void cleanup(void)
+{
+	if (cmfd != -1)
+		SAFE_CLOSE(cmfd);
+}
+
+static void run(void)
+{
+	pthread_t threads[3];
+
+	stop_threads = 0;
+
+	SAFE_PTHREAD_CREATE(&threads[0], NULL, thread_create, NULL);
+	SAFE_PTHREAD_CREATE(&threads[1], NULL, thread_bind, NULL);
+	SAFE_PTHREAD_CREATE(&threads[2], NULL, thread_listen, NULL);
+
+	while (tst_remaining_runtime())
+		sleep(1);
+
+	stop_threads = 1;
+
+	SAFE_PTHREAD_JOIN(threads[0], NULL);
+	SAFE_PTHREAD_JOIN(threads[1], NULL);
+	SAFE_PTHREAD_JOIN(threads[2], NULL);
+
+	if (tst_taint_check())
+		tst_res(TFAIL, "Kernel is vulnerable (use-after-free in UCMA)");
+	else
+		tst_res(TPASS, "No kernel taint detected");
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.cleanup = cleanup,
+	.runtime = 300,
+	.needs_root = 1,
+	.taint_check = TST_TAINT_W | TST_TAINT_D,
+	.needs_kconfigs = (const char *[]) {
+		"CONFIG_INFINIBAND",
+		"CONFIG_INFINIBAND_USER_ACCESS",
+		NULL
+	},
+	.tags = (const struct tst_tag[]) {
+		{"linux-git", "5fe23f262e05"},
+		{}
+	},
+};
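Review bot: In run(), the verdict rests only on tst_taint_check() with the mask TST_TAINT_W | TST_TAINT_D, while the header comment says the use-after-free is detected by KASAN and needs_kconfigs lists only the INFINIBAND options. On a kernel built without KASAN the race may finish without any warning or oops, and the test then reports TPASS "No kernel taint detected" whether or not the fix is present. Document that the result is only meaningful with KASAN enabled, or emit a TINFO/TCONF hint when CONFIG_KASAN is absent, and confirm that W and D are the taint bits a KASAN report actually raises on the kernels this targets. Separately, hdr.in stays zero in all four messages even though each carries a payload after the header; setting it to the payload size keeps the header consistent with what is written.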

-- 
2.51.0



* Re: [LTP] [PATCH 0/2] Add infiniband testing suite
  2026-03-25 15:25 [LTP] [PATCH 0/2] Add infiniband testing suite Andrea Cervesato
  2026-03-25 15:25 ` [LTP] [PATCH 1/2] lapi: Add fallback rdma_user_cm.h definitions Andrea Cervesato
  2026-03-25 15:25 ` [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test Andrea Cervesato
@ 2026-04-07 12:56 ` Petr Vorel
  2 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2026-04-07 12:56 UTC (permalink / raw)
  To: Andrea Cervesato; +Cc: Linux Test Project

> This patch series introduces a test for infiniband testing, based on
> https://marc.info/?l=linux-kernel&m=152625244101970&w=2.
https://lore.kernel.org/lkml/20180513230237.GG677@sol.localdomain/

Thanks for pointing out the C source.  I was looking at the original syzkaller
reproducer [1], which IMHO did more things; the simplified C source is quite similar
to what you do in the LTP test.

Have you verified if it actually reproduces the bug on an affected kernel? Does it
reproduce the bug?

I tried it only on a too new kernel (6.12 based SLE16 kernel, required to install
rdma-core; the rdma_cm kernel module, which creates /dev/infiniband/rdma_cm, was
loaded by default).

Kind regards,
Petr

[1] https://syzkaller.appspot.com/text?tag=ReproSyz&x=1686969e400000

> Consider this as a snapshot for a possible test. I sent it to the ML
> just to have some feedback.

> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> Andrea Cervesato (2):
>       lapi: Add fallback rdma_user_cm.h definitions
>       device-drivers/rdma: Add ucma_uaf01 test

>  configure.ac                                      |   1 +
>  include/lapi/rdma_user_cm.h                       |  72 ++++++++
>  runtest/kernel_misc                               |   1 +
>  testcases/kernel/device-drivers/Makefile          |   1 +
>  testcases/kernel/device-drivers/rdma/.gitignore   |   1 +
>  testcases/kernel/device-drivers/rdma/Makefile     |   7 +
>  testcases/kernel/device-drivers/rdma/ucma_uaf01.c | 208 ++++++++++++++++++++++
>  7 files changed, 291 insertions(+)
> ---
> base-commit: b874b6a264cf4f343c17d543ebe4ff91fbb89042
> change-id: 20260325-infiniband_rdma-c94a1f4f7255

> Best regards,


* Re: [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test
  2026-03-25 15:25 ` [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test Andrea Cervesato
@ 2026-04-07 13:24   ` Petr Vorel
  2026-04-08  7:16   ` Petr Vorel
  1 sibling, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2026-04-07 13:24 UTC (permalink / raw)
  To: Andrea Cervesato
  Cc: rds-devel, linux-rdma, Eric Biggers, Jason Gunthorpe,
	Doug Ledford, Linux Test Project

Hi Andrea,

it's been a long time since this use-after-free was fixed, but IMHO it is still useful
to have a test (it's also a kind of smoke test for rdma_cm).
Anyway, LGTM, but it'd be nice to reproduce the bug.

Reviewed-by: Petr Vorel <pvorel@suse.cz>

> Test for use-after-free in RDMA UCMA triggered by racing CREATE_ID,
> BIND_IP, and LISTEN operations. Three threads concurrently issue
> these commands to /dev/infiniband/rdma_cm and the test checks for
> kernel taint (KASAN use-after-free detection).

> The bug was fixed by kernel commit 5fe23f262e05
> ("ucma: fix a use-after-free in ucma_resolve_ip()").

> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
>  runtest/kernel_misc                               |   1 +
>  testcases/kernel/device-drivers/Makefile          |   1 +
>  testcases/kernel/device-drivers/rdma/.gitignore   |   1 +
>  testcases/kernel/device-drivers/rdma/Makefile     |   7 +
>  testcases/kernel/device-drivers/rdma/ucma_uaf01.c | 208 ++++++++++++++++++++++
>  5 files changed, 218 insertions(+)

> diff --git a/runtest/kernel_misc b/runtest/kernel_misc
> index 78f00d305fea10367fb4fd2845f25dd151a833ea..dcc3c0a44fb52a968f91a52758dbd43a3ce7a9ec 100644
> --- a/runtest/kernel_misc
> +++ b/runtest/kernel_misc
> @@ -3,6 +3,7 @@ kmsg01 kmsg01
>  fw_load fw_load
>  rtc01 rtc01
>  rtc02 rtc02
> +ucma_uaf01 ucma_uaf01
>  block_dev block_dev
>  tpci tpci
>  tbio tbio
> diff --git a/testcases/kernel/device-drivers/Makefile b/testcases/kernel/device-drivers/Makefile
> index 229a50683f5f629904ff591daa6fcd4f1c35fdf1..538df555395bf21062906ffa4125da4c767c1e24 100644
> --- a/testcases/kernel/device-drivers/Makefile
> +++ b/testcases/kernel/device-drivers/Makefile
> @@ -11,6 +11,7 @@ SUBDIRS		:= acpi \
>  		   locking \
>  		   pci \
>  		   rcu \
> +		   rdma \
>  		   rtc \
>  		   tbio \
>  		   uaccess \
> diff --git a/testcases/kernel/device-drivers/rdma/.gitignore b/testcases/kernel/device-drivers/rdma/.gitignore
> new file mode 100644
> index 0000000000000000000000000000000000000000..399ea290e4f9abd6b66800b21f4aea3eb33d3799
> --- /dev/null
> +++ b/testcases/kernel/device-drivers/rdma/.gitignore
> @@ -0,0 +1 @@
> +/ucma_uaf01
> diff --git a/testcases/kernel/device-drivers/rdma/Makefile b/testcases/kernel/device-drivers/rdma/Makefile
> new file mode 100644
> index 0000000000000000000000000000000000000000..5df01972aeab257b6ef24a928204b6b722c1cdef
> --- /dev/null
> +++ b/testcases/kernel/device-drivers/rdma/Makefile
> @@ -0,0 +1,7 @@
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (c) 2026 Linux Test Project
> +
> +top_srcdir		?= ../../../..
> +
> +include $(top_srcdir)/include/mk/testcases.mk
> +include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/kernel/device-drivers/rdma/ucma_uaf01.c b/testcases/kernel/device-drivers/rdma/ucma_uaf01.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..313e2aee0ea0114ce37f006eca93ea66d86ddeea
> --- /dev/null
> +++ b/testcases/kernel/device-drivers/rdma/ucma_uaf01.c
> @@ -0,0 +1,208 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2026 Linux Test Project
> + */
> +
> +/*\
> + * Test for use-after-free in RDMA UCMA triggered by concurrent CREATE_ID,
> + * BIND_IP, and LISTEN operations via /dev/infiniband/rdma_cm.
> + *
> + * Requires root to open /dev/infiniband/rdma_cm.
> + *
> + * Three threads race to create, bind, and listen on RDMA connection manager
> + * IDs. On vulnerable kernels, this triggers a use-after-free in
> + * cma_listen_on_all() detected by KASAN.
> + *
> + * Based on a syzbot reproducer:
> + * syzbot+db1c219466daac1083df@syzkaller.appspotmail.com

Maybe link the simplified C source from Eric on which you base the LTP test (according
to the cover letter)?
https://lore.kernel.org/lkml/20180513230237.GG677@sol.localdomain/

NOTE: the C reproducer [1] on the db1c219466daac1083df page [2] is more complicated than
the one from Eric.

[1] https://syzkaller.appspot.com/text?tag=ReproC&x=1258d593800000
[2] https://syzkaller.appspot.com/bug?extid=db1c219466daac1083df

Kind regards,
Petr

> + *
> + * Fixed in:
> + *
> + *  commit 5fe23f262e05
> + *  ucma: fix a use-after-free in ucma_resolve_ip()
> + */
> +
> +#include "tst_test.h"
> +#include "tst_safe_pthread.h"
> +#include "lapi/rdma_user_cm.h"
> +
> +#define RDMA_CM_DEV "/dev/infiniband/rdma_cm"
> +
> +static int cmfd = -1;
> +static volatile uint32_t shared_id;
> +static volatile int stop_threads;
> +
> +static void destroy_id(uint32_t id)
> +{
> +	ssize_t ret;
> +
> +	struct {
> +		struct rdma_ucm_cmd_hdr hdr;
> +		struct rdma_ucm_destroy_id destroy;
> +	} msg = {
> +		.hdr = {
> +			.cmd = RDMA_USER_CM_CMD_DESTROY_ID,
> +			.out = sizeof(struct rdma_ucm_create_id_resp),
> +		},
> +		.destroy = {
> +			.id = id,
> +		},
> +	};
> +	struct rdma_ucm_create_id_resp resp;
> +
> +	msg.destroy.response = (uintptr_t)&resp;
> +
> +	/* Errors expected due to racing with stale IDs */
> +	ret = write(cmfd, &msg, sizeof(msg));
> +	(void)ret;
> +}
> +
> +static void *thread_create(void *arg)
> +{
> +	uint32_t id, prev_id = 0;
> +	int has_prev = 0;
> +
> +	while (!stop_threads) {
> +		struct {
> +			struct rdma_ucm_cmd_hdr hdr;
> +			struct rdma_ucm_create_id create;
> +		} msg = {
> +			.hdr = {
> +				.cmd = RDMA_USER_CM_CMD_CREATE_ID,
> +				.out = sizeof(id),
> +			},
> +			.create = {
> +				.response = (uintptr_t)&id,
> +				.ps = RDMA_PS_IPOIB,
> +			},
> +		};
> +
> +		if (write(cmfd, &msg, sizeof(msg)) > 0) {
> +			if (has_prev)
> +				destroy_id(prev_id);
> +			prev_id = id;
> +			has_prev = 1;
> +			shared_id = id;
> +		}
> +	}
> +
> +	if (has_prev)
> +		destroy_id(prev_id);
> +
> +	return arg;
> +}
> +
> +static void *thread_bind(void *arg)
> +{
> +	ssize_t ret;
> +
> +	while (!stop_threads) {
> +		struct {
> +			struct rdma_ucm_cmd_hdr hdr;
> +			struct rdma_ucm_bind_ip bind;
> +		} msg = {
> +			.hdr = {
> +				.cmd = RDMA_USER_CM_CMD_BIND_IP,
> +			},
> +			.bind = {
> +				.addr = {
> +					.sin6_family = AF_INET6,
> +					.sin6_addr = {
> +						.s6_addr = { 0xff },
> +					},
> +				},
> +				.id = shared_id,
> +			},
> +		};
> +
> +		/* Errors expected due to racing with stale IDs */
> +		ret = write(cmfd, &msg, sizeof(msg));
> +		(void)ret;
> +	}
> +
> +	return arg;
> +}
> +
> +static void *thread_listen(void *arg)
> +{
> +	ssize_t ret;
> +
> +	while (!stop_threads) {
> +		struct {
> +			struct rdma_ucm_cmd_hdr hdr;
> +			struct rdma_ucm_listen listen;
> +		} msg = {
> +			.hdr = {
> +				.cmd = RDMA_USER_CM_CMD_LISTEN,
> +			},
> +			.listen = {
> +				.id = shared_id,
> +			},
> +		};
> +
> +		/* Errors expected due to racing with stale IDs */
> +		ret = write(cmfd, &msg, sizeof(msg));
> +		(void)ret;
> +	}
> +
> +	return arg;
> +}
> +
> +static void setup(void)
> +{
> +	cmfd = open(RDMA_CM_DEV, O_WRONLY);
> +	if (cmfd < 0) {
> +		if (errno == ENOENT || errno == ENXIO)
> +			tst_brk(TCONF, RDMA_CM_DEV " not available");
> +		tst_brk(TBROK | TERRNO, "open(" RDMA_CM_DEV ")");
> +	}
> +}
> +
> +static void cleanup(void)
> +{
> +	if (cmfd != -1)
> +		SAFE_CLOSE(cmfd);
> +}
> +
> +static void run(void)
> +{
> +	pthread_t threads[3];
> +
> +	stop_threads = 0;
> +
> +	SAFE_PTHREAD_CREATE(&threads[0], NULL, thread_create, NULL);
> +	SAFE_PTHREAD_CREATE(&threads[1], NULL, thread_bind, NULL);
> +	SAFE_PTHREAD_CREATE(&threads[2], NULL, thread_listen, NULL);
> +
> +	while (tst_remaining_runtime())
> +		sleep(1);
> +
> +	stop_threads = 1;
> +
> +	SAFE_PTHREAD_JOIN(threads[0], NULL);
> +	SAFE_PTHREAD_JOIN(threads[1], NULL);
> +	SAFE_PTHREAD_JOIN(threads[2], NULL);
> +
> +	if (tst_taint_check())
> +		tst_res(TFAIL, "Kernel is vulnerable (use-after-free in UCMA)");
> +	else
> +		tst_res(TPASS, "No kernel taint detected");
> +}
> +
> +static struct tst_test test = {
> +	.test_all = run,
> +	.setup = setup,
> +	.cleanup = cleanup,
> +	.runtime = 300,
> +	.needs_root = 1,
> +	.taint_check = TST_TAINT_W | TST_TAINT_D,
> +	.needs_kconfigs = (const char *[]) {
> +		"CONFIG_INFINIBAND",
> +		"CONFIG_INFINIBAND_USER_ACCESS",
> +		NULL
> +	},
> +	.tags = (const struct tst_tag[]) {
> +		{"linux-git", "5fe23f262e05"},
> +		{}
> +	},
> +};
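Review bot: In run(), the `while (tst_remaining_runtime()) sleep(1);` loop always consumes the full `.runtime = 300`, even when the kernel has already been tainted, because tst_taint_check() is called only after the joins. Checking tst_taint_check() inside the wait loop and breaking out on the first hit would end the run as soon as the bug fires. stop_threads and shared_id would also be safer as tst_atomic loads and stores than as plain volatile variables shared between the three threads.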


* Re: [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test
  2026-03-25 15:25 ` [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test Andrea Cervesato
  2026-04-07 13:24   ` Petr Vorel
@ 2026-04-08  7:16   ` Petr Vorel
  1 sibling, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2026-04-08  7:16 UTC (permalink / raw)
  To: Andrea Cervesato; +Cc: Linux Test Project

Hi Andrea,

...
> +/*\
> + * Test for use-after-free in RDMA UCMA triggered by concurrent CREATE_ID,
> + * BIND_IP, and LISTEN operations via /dev/infiniband/rdma_cm.
> + *
> + * Requires root to open /dev/infiniband/rdma_cm.
...
> + * Fixed in:
> + *
> + *  commit 5fe23f262e05
> + *  ucma: fix a use-after-free in ucma_resolve_ip()
nit: I'd use the standard git commit reference used in the Fixes: tag:
5fe23f262e054 ("ucma: fix a use-after-free in ucma_resolve_ip()")

Kind regards,
Petr
