From patchwork Tue Jan 18 07:35:00 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leon Romanovsky X-Patchwork-Id: 12716036 X-Patchwork-Delegate: jgg@ziepe.ca
From: Leon Romanovsky To: Jason Gunthorpe Cc: Maor Gottlieb , linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org Subject: [PATCH rdma-next 1/3] RDMA/cma: Use correct address when leaving multicast group Date: Tue, 18 Jan 2022 09:35:00 +0200 Message-Id: <913bc6783fd7a95fe71ad9454e01653ee6fb4a9a.1642491047.git.leonro@nvidia.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org From: Maor Gottlieb In RoCE we should use cma_iboe_set_mgid and not cma_set_mgid to generate the mgid, otherwise we will try to remove incorrect address. Fixes: b5de0c60cc30 ("RDMA/cma: Fix use after free race in roce multicast join") Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky --- drivers/infiniband/core/cma.c | 61 +++++++++++++++++------------------ 1 file changed, 30 insertions(+), 31 deletions(-) diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c index 27a00ce2e101..69c9a12dd14e 100644 --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c @@ -1830,6 +1830,31 @@ static void cma_release_port(struct rdma_id_private *id_priv) mutex_unlock(&lock); } +static void cma_iboe_set_mgid(struct sockaddr *addr, union ib_gid *mgid, + enum ib_gid_type gid_type) +{ + struct sockaddr_in *sin = (struct sockaddr_in *)addr; + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr; + + if (!cma_any_addr(addr) && addr->sa_family == AF_INET6) { + memcpy(mgid, &sin6->sin6_addr, sizeof(*mgid)); + return; + } + + memset(mgid, 0, sizeof(*mgid)); + if (cma_any_addr(addr)) + return; + + /* AF_INET4 */ + if (gid_type != IB_GID_TYPE_ROCE_UDP_ENCAP) { + mgid->raw[0] = 0xff; + mgid->raw[1] = 0x0e; + } + mgid->raw[10] = 0xff; + mgid->raw[11] = 0xff; + *(__be32 *)(&mgid->raw[12]) = sin->sin_addr.s_addr; +} + static void destroy_mc(struct rdma_id_private *id_priv, struct cma_multicast *mc) { 
@@ -1847,10 +1872,13 @@ static void destroy_mc(struct rdma_id_private *id_priv, ndev = dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if); if (ndev) { + enum ib_gid_type gid_type; union ib_gid mgid; - cma_set_mgid(id_priv, (struct sockaddr *)&mc->addr, - &mgid); + gid_type = cma_get_default_gid_type( + id_priv->cma_dev, id_priv->id.port_num); + cma_iboe_set_mgid((struct sockaddr *)&mc->addr, &mgid, + gid_type); if (!send_only) cma_igmp_send(ndev, &mgid, false); 
@@ -4702,35 +4730,6 @@ static int cma_join_ib_multicast(struct rdma_id_private *id_priv, return PTR_ERR_OR_ZERO(mc->sa_mc); } -static void cma_iboe_set_mgid(struct sockaddr *addr, union ib_gid *mgid, - enum ib_gid_type gid_type) -{ - struct sockaddr_in *sin = (struct sockaddr_in *)addr; - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr; - - if (cma_any_addr(addr)) { - memset(mgid, 0, sizeof *mgid); - } else if (addr->sa_family == AF_INET6) { - memcpy(mgid, &sin6->sin6_addr, sizeof *mgid); - } else { - mgid->raw[0] = - (gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP) ? 0 : 0xff; - mgid->raw[1] = - (gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP) ? 0 : 0x0e; - mgid->raw[2] = 0; - mgid->raw[3] = 0; - mgid->raw[4] = 0; - mgid->raw[5] = 0; - mgid->raw[6] = 0; - mgid->raw[7] = 0; - mgid->raw[8] = 0; - mgid->raw[9] = 0; - mgid->raw[10] = 0xff; - mgid->raw[11] = 0xff; - *(__be32 *)(&mgid->raw[12]) = sin->sin_addr.s_addr; - } -} - static int cma_iboe_join_multicast(struct rdma_id_private *id_priv, struct cma_multicast *mc) { From patchwork Tue Jan 18 07:35:01 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leon Romanovsky X-Patchwork-Id: 12716038 X-Patchwork-Delegate: jgg@ziepe.ca Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E699C433EF for ; Tue, 18 Jan 2022 07:35:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245312AbiARHf3 (ORCPT ); Tue, 18 Jan 2022 02:35:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45554 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245361AbiARHf0 (ORCPT ); Tue, 18 Jan 2022 02:35:26 -0500 Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1]) by 
lindbergh.monkeyblade.net (Postfix) with ESMTPS id 58DCBC06173E; Mon, 17 Jan 2022 23:35:26 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id C49E8CE180A; Tue, 18 Jan 2022 07:35:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 25922C00446; Tue, 18 Jan 2022 07:35:21 +0000 (UTC) From: Leon Romanovsky To: Jason Gunthorpe Cc: Leon Romanovsky , linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, Maor Gottlieb , syzbot+e3f96c43d19782dd14a7@syzkaller.appspotmail.com Subject: [PATCH rdma-next 2/3] RDMA/ucma: Protect mc during concurrent multicast leaves Date: Tue, 18 Jan 2022 09:35:01 +0200 Message-Id: <1cda5fabb1081e8d16e39a48d3a4f8160cea88b8.1642491047.git.leonro@nvidia.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org 
From: Leon Romanovsky Partially revert the commit mentioned in the Fixes line to make sure that allocation and erasing multicast struct are locked. ================================================================== BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline] BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529 CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline] ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614 ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732 vfs_write+0x28e/0xae0 fs/read_write.c:588 ksys_write+0x1ee/0x250 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f2fcd207e99 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2fcbb7d168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f2fcd31af60 RCX: 00007f2fcd207e99 RDX: 0000000000000018 RSI: 00000000200000c0 RDI: 0000000000000004 RBP: 00007f2fcd261ff1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff66a135bf R14: 
00007f2fcbb7d300 R15: 0000000000022000 Fixes: 95fe51096b7a ("RDMA/ucma: Remove mc_list and rely on xarray") Reported-by: syzbot+e3f96c43d19782dd14a7@syzkaller.appspotmail.com Suggested-by: Jason Gunthorpe Reviewed-by: Maor Gottlieb Signed-off-by: Leon Romanovsky --- drivers/infiniband/core/ucma.c | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c index 2b72c4fa9550..9d6ac9dff39a 100644 --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -95,6 +95,7 @@ struct ucma_context { u64 uid; struct list_head list; + struct list_head mc_list; struct work_struct close_work; }; @@ -105,6 +106,7 @@ struct ucma_multicast { u64 uid; u8 join_state; + struct list_head list; struct sockaddr_storage addr; }; @@ -198,6 +200,7 @@ static struct ucma_context *ucma_alloc_ctx(struct ucma_file *file) INIT_WORK(&ctx->close_work, ucma_close_id); init_completion(&ctx->comp); + INIT_LIST_HEAD(&ctx->mc_list); /* So list_del() will work if we don't do ucma_finish_ctx() */ INIT_LIST_HEAD(&ctx->list); ctx->file = file; @@ -484,19 +487,19 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf, static void ucma_cleanup_multicast(struct ucma_context *ctx) { - struct ucma_multicast *mc; - unsigned long index; + struct ucma_multicast *mc, *tmp; - xa_for_each(&multicast_table, index, mc) { - if (mc->ctx != ctx) - continue; + xa_lock(&multicast_table); + list_for_each_entry_safe(mc, tmp, &ctx->mc_list, list) { + list_del(&mc->list); /* * At this point mc->ctx->ref is 0 so the mc cannot leave the * lock on the reader and this is enough serialization */ - xa_erase(&multicast_table, index); + __xa_erase(&multicast_table, mc->id); kfree(mc); } + xa_unlock(&multicast_table); } static void ucma_cleanup_mc_events(struct ucma_multicast *mc) 
@@ -1469,12 +1472,16 @@ static ssize_t ucma_process_join(struct ucma_file *file, mc->uid = cmd->uid; memcpy(&mc->addr, addr, cmd->addr_size); - if (xa_alloc(&multicast_table, &mc->id, NULL, xa_limit_32b, + xa_lock(&multicast_table); + if (__xa_alloc(&multicast_table, &mc->id, NULL, xa_limit_32b, GFP_KERNEL)) { ret = -ENOMEM; goto err_free_mc; } + list_add_tail(&mc->list, &ctx->mc_list); + xa_unlock(&multicast_table); + mutex_lock(&ctx->mutex); ret = rdma_join_multicast(ctx->cm_id, (struct sockaddr *)&mc->addr, join_state, mc); @@ -1500,8 +1507,11 @@ static ssize_t ucma_process_join(struct ucma_file *file, mutex_unlock(&ctx->mutex); ucma_cleanup_mc_events(mc); err_xa_erase: - xa_erase(&multicast_table, mc->id); + xa_lock(&multicast_table); + list_del(&mc->list); + __xa_erase(&multicast_table, mc->id); err_free_mc: + xa_unlock(&multicast_table); kfree(mc); err_put_ctx: ucma_put_ctx(ctx); 
@@ -1569,15 +1579,17 @@ static ssize_t ucma_leave_multicast(struct ucma_file *file, mc = ERR_PTR(-EINVAL); else if (!refcount_inc_not_zero(&mc->ctx->ref)) mc = ERR_PTR(-ENXIO); - else - __xa_erase(&multicast_table, mc->id); - xa_unlock(&multicast_table); if (IS_ERR(mc)) { + xa_unlock(&multicast_table); ret = PTR_ERR(mc); goto out; } + list_del(&mc->list); + __xa_erase(&multicast_table, mc->id); + xa_unlock(&multicast_table); + mutex_lock(&mc->ctx->mutex); rdma_leave_multicast(mc->ctx->cm_id, (struct sockaddr *) &mc->addr); mutex_unlock(&mc->ctx->mutex); From patchwork Tue Jan 18 07:35:02 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leon Romanovsky X-Patchwork-Id: 12716037 X-Patchwork-Delegate: jgg@ziepe.ca Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0F575C433EF for ; Tue, 18 Jan 2022 07:35:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245189AbiARHfV (ORCPT ); Tue, 18 Jan 2022 02:35:21 -0500 Received: from dfw.source.kernel.org ([139.178.84.217]:42036 "EHLO dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245276AbiARHfU (ORCPT ); Tue, 18 Jan 2022 02:35:20 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2B1D9613C5; Tue, 18 Jan 2022 07:35:19 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id ABF06C340E1; Tue, 18 Jan 2022 07:35:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1642491318; bh=8pHzTYuyAsn63ZzuNcB6jStefbvJPsDwbXo7zfeaKc8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
b=FsTlmWV0eh5Crc3H/wOj7YTs/unaKz68pYVYdavUQPyFhb3QtBqRhZ9vx7QShZaWF 3nwiPCwDyNS254/9fHk7unsJbVeslVq2LlasyQmAbAQK6A/QaoE/PYjyPIX+U+NiA0 jKqti6bcrIGABxJeaS8H4onk1A3uk8rR9xmgk/reHTJlI13p2T5sPKVR5Atll4vtdh fSgVXchSU+5Dz2dEy9ae9wga+ukin/Yp67elB+77NSUvI5glKExo/PCPajnFATtLlB lVYsdHacqEvbhhe/0xCSSvstAncJXgyVsLxNey2H8jWUKEXFAGsd8O1Siz0Pu+dntF DQayCf/R4KyAg== From: Leon Romanovsky To: Jason Gunthorpe Cc: Maor Gottlieb , linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org Subject: [PATCH rdma-next 3/3] RDMA/core: Set MR type in ib_reg_user_mr Date: Tue, 18 Jan 2022 09:35:02 +0200 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org From: Maor Gottlieb Add missing assignment of MR type to IB_MR_TYPE_USER. Fixes: 33006bd4f37f ("IB/core: Introduce ib_reg_user_mr") Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky --- drivers/infiniband/core/verbs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c index c18634bec212..e821dc94a43e 100644 --- a/drivers/infiniband/core/verbs.c +++ b/drivers/infiniband/core/verbs.c @@ -2153,6 +2153,7 @@ struct ib_mr *ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, return mr; mr->device = pd->device; + mr->type = IB_MR_TYPE_USER; mr->pd = pd; mr->dm = NULL; atomic_inc(&pd->usecnt);
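
Review bot: in patch 1/3, the relocated cma_iboe_set_mgid() in drivers/infiniband/core/cma.c (hunk @@ -1830) labels its last branch `/* AF_INET4 */`, but the constant is AF_INET and the branch never tests `addr->sa_family`: any address that is not a non-wildcard AF_INET6 one is cast to `struct sockaddr_in` and read through `sin->sin_addr.s_addr`. Fix the comment and consider an explicit family check. The move also restructures the body (up-front memset, early returns), which the commit message does not mention; one line stating whether the generated mgid is unchanged would help anyone backporting the fix.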
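
Review bot: in patch 1/3, destroy_mc() (hunk @@ -1847) recomputes gid_type from cma_get_default_gid_type() at leave time, so the mgid handed to cma_igmp_send() only matches the joined group if the join path derived gid_type the same way, and the join code is not part of this diff. Please state in the commit message or a comment that both sides use the port default, or record the gid_type used at join alongside the multicast entry so the leave cannot diverge from it.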
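
Review bot: in patch 2/3, the new `mc_list` in struct ucma_context and `list` in struct ucma_multicast (hunks @@ -95 and @@ -105) have no note on which lock protects them. Every list_add_tail() and list_del() in this patch runs under xa_lock(&multicast_table); a one-line comment next to the fields would record that rule for later changes.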
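
Review bot: in patch 2/3, ucma_cleanup_multicast() (hunk @@ -484) keeps the old comment "At this point mc->ctx->ref is 0 so the mc cannot leave the lock on the reader and this is enough serialization" even though the loop now takes xa_lock(&multicast_table) explicitly. The comment should be rewritten to say what the lock serializes against, given that the KASAN report in the commit message is a use-after-free read at ucma.c:491 in this very function.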
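
Review bot: in patch 2/3, ucma_process_join() (hunk @@ -1469) now calls `__xa_alloc(..., GFP_KERNEL)` with xa_lock held. __xa_alloc() is documented to release and reacquire xa_lock when the gfp flags permit, so the lock is not held continuously across the allocation; list_add_tail() afterwards is still under the lock, but a short comment would stop a later reader from assuming an unbroken critical section. The failure branch also sets `ret = -ENOMEM` whatever __xa_alloc() returned, although it can also return -EBUSY; propagate the return value instead.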
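
Review bot: in patch 2/3, the error path of ucma_process_join() (hunk @@ -1500) places `xa_unlock(&multicast_table)` under `err_free_mc:`, so that label may now only be reached with xa_lock held. That is true for the one `goto err_free_mc` visible in this patch, but the requirement is implicit and easy to break with a future early exit. Either unlock at the __xa_alloc() failure site and right after __xa_erase() in err_xa_erase, leaving err_free_mc lock-free, or document the precondition on the label.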
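
Review bot: in patch 3/3, the added `mr->type = IB_MR_TYPE_USER;` in ib_reg_user_mr() (hunk @@ -2153) is described only as a "missing assignment". Since the patch carries a Fixes: tag, the commit message should say what readers of mr->type observed before the change and what misbehaved as a result, so the need for a backport can be judged from the log alone.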