[5,net] RDMA/core: fix UAF with ib_device_get_netdev()

Message ID	20240402132641.1412-1-dkirjanov@suse.de (mailing list archive)
State	Not Applicable
Delegated to:	Netdev Maintainers
Headers	show Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0543F83CD4 for <netdev@vger.kernel.org>; Tue, 2 Apr 2024 13:27:01 +0000 (UTC) From: Denis Kirjanov <kirjanov@gmail.com> To: netdev@vger.kernel.org Cc: edumazet@google.com, jgg@ziepe.ca, leon@kernel.org, Denis Kirjanov <dkirjanov@suse.de>, syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com Subject: [PATCH 5 net] RDMA/core: fix UAF with ib_device_get_netdev() Date: Tue, 2 Apr 2024 09:26:41 -0400 Message-Id: <20240402132641.1412-1-dkirjanov@suse.de> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[5,net] RDMA/core: fix UAF with ib_device_get_netdev() \| expand [5,net] RDMA/core: fix UAF with ib_device_get_netdev()

Message ID

20240402132641.1412-1-dkirjanov@suse.de (mailing list archive)

State

Not Applicable

Delegated to:

Netdev Maintainers

Headers

From: Denis Kirjanov <kirjanov@gmail.com>
To: netdev@vger.kernel.org
Cc: edumazet@google.com,
	jgg@ziepe.ca,
	leon@kernel.org,
	Denis Kirjanov <dkirjanov@suse.de>,
	syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
Subject: [PATCH 5 net] RDMA/core: fix UAF with ib_device_get_netdev()
Date: Tue,  2 Apr 2024 09:26:41 -0400
Message-Id: <20240402132641.1412-1-dkirjanov@suse.de>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[5,net] RDMA/core: fix UAF with ib_device_get_netdev() | expand

Context	Check	Description
netdev/series_format	success	Single patches do not need cover letters
netdev/tree_selection	success	Clearly marked for net
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 943 this patch: 943
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	fail	1 blamed authors not CCed: benve@cisco.com; 4 maintainers not CCed: lishifeng@sangfor.com.cn linux-rdma@vger.kernel.org wenglianfa@huawei.com benve@cisco.com
netdev/build_clang	success	Errors and warnings before: 954 this patch: 954
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 954 this patch: 954
netdev/checkpatch	warning	WARNING: From:/Signed-off-by: email address mismatch: 'From: Denis Kirjanov <kirjanov@gmail.com>' != 'Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>' WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: d41861942fc5 ("IB/core: Add generic function to extract IB speed from netdev")'
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/contest	success	net-next-2024-04-02--18-00 (tests: 947)

Context

Check

Description

netdev/series_format

success

Single patches do not need cover letters

netdev/tree_selection

success

Clearly marked for net

netdev/ynl

success

Generated files up to date; no warnings/errors; no diff in generated;

netdev/fixes_present

success

Fixes tag present in non-next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 943 this patch: 943

netdev/build_tools

success

No tools touched, skip

netdev/cc_maintainers

fail

1 blamed authors not CCed: benve@cisco.com; 4 maintainers not CCed: lishifeng@sangfor.com.cn linux-rdma@vger.kernel.org wenglianfa@huawei.com benve@cisco.com

netdev/build_clang

success

Errors and warnings before: 954 this patch: 954

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 954 this patch: 954

netdev/checkpatch

warning

WARNING: From:/Signed-off-by: email address mismatch: 'From: Denis Kirjanov <kirjanov@gmail.com>' != 'Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>' WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: d41861942fc5 ("IB/core: Add generic function to extract IB speed from netdev")'

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

netdev/contest

success

net-next-2024-04-02--18-00 (tests: 947)

Commit Message

Denis Kirjanov April 2, 2024, 1:26 p.m. UTC

A call to ib_device_get_netdev may lead to a race condition
while accessing a netdevice instance since we don't hold
the rtnl lock while checking
the registration state:
	if (res && res->reg_state != NETREG_REGISTERED) {

v2: unlock rtnl on error path
v3: update remaining callers of ib_device_get_netdev
v4: don't call a cb with rtnl lock in ib_enum_roce_netdev
v5: put rtnl lock/unlock inside ib_device_get_netdev

Reported-by: syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
Fixes: d41861942fc55 ("IB/core: Add generic function to extract IB speed from netdev")
Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>
---
 drivers/infiniband/core/device.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Leon Romanovsky April 2, 2024, 6:22 p.m. UTC | #1

On Tue, Apr 02, 2024 at 09:26:41AM -0400, Denis Kirjanov wrote:
> A call to ib_device_get_netdev may lead to a race condition
> while accessing a netdevice instance since we don't hold
> the rtnl lock while checking
> the registration state:
> 	if (res && res->reg_state != NETREG_REGISTERED) {
> 
> v2: unlock rtnl on error path
> v3: update remaining callers of ib_device_get_netdev
> v4: don't call a cb with rtnl lock in ib_enum_roce_netdev
> v5: put rtnl lock/unlock inside ib_device_get_netdev
> 
> Reported-by: syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
> Fixes: d41861942fc55 ("IB/core: Add generic function to extract IB speed from netdev")
> Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>
> ---
>  drivers/infiniband/core/device.c | 3 +++
>  1 file changed, 3 insertions(+)

1. You are changing RDMA code and not net code, please add linux-rdma
   mailing list to the CC list.
2. Please put changelog after --- trailer.
3. Please add to the commit message stack trace.
4. "May lead to a race condition ..." makes me wonder how it is
possible, because RoCE/iWARP devices can't leave without netdev. So
please explain how it is possible in the commit message.

Thanks

diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index 07cb6c5ffda0..7b379d3203d5 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -2240,14 +2240,17 @@  struct net_device *ib_device_get_netdev(struct ib_device *ib_dev,
 		spin_unlock(&pdata->netdev_lock);
 	}
 
+	rtnl_lock();
 	/*
 	 * If we are starting to unregister expedite things by preventing
 	 * propagation of an unregistering netdev.
 	 */
 	if (res && res->reg_state != NETREG_REGISTERED) {
+		rtnl_unlock();
 		dev_put(res);
 		return NULL;
 	}
+	rtnl_unlock();
 
 	return res;
 }

[5,net] RDMA/core: fix UAF with ib_device_get_netdev()

Checks

Commit Message

Comments

Patch