Commit 6fb7ba54 authored by Chengchang Tang's avatar Chengchang Tang Committed by Junxian Huang
Browse files

RDMA/hns: Fix UAF for cq async event 

mainline inclusion
from mainline-v6.9-rc2
commit a942ec2745ca864cd8512142100e4027dc306a42
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBJ9LU
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a942ec2745ca864cd8512142100e4027dc306a42



---------------------------------------------------------------------

The refcount of CQ is not protected by locks. When CQ asynchronous
events and CQ destruction are concurrent, CQ may have been released,
which will cause UAF.

Use the xa_lock() to protect the CQ refcount.

Fixes: 9a443537 ("IB/hns: Add driver files for hns RoCE driver")
Signed-off-by: default avatarChengchang Tang <tangchengchang@huawei.com>
Signed-off-by: default avatarJunxian Huang <huangjunxian6@hisilicon.com>
Link: https://lore.kernel.org/r/20240412091616.370789-6-huangjunxian6@hisilicon.com


Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
Signed-off-by: default avatarXinghai Cen <cenxinghai@h-partners.com>
parent f2e3644e

drivers/infiniband/hw/hns/hns_roce_cq.c

+13 −11
Original line number Diff line number Diff line
@@ -204,7 +204,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) 
		return ret;

	}



	ret = xa_err(xa_store(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL));

	ret = xa_err(xa_store_irq(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL));

	if (ret) {

		ibdev_err(ibdev, "failed to xa_store CQ, ret = %d.\n", ret);

		goto err_put;
@@ -218,7 +218,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) 
	return 0;



err_xa:

	xa_erase(&cq_table->array, hr_cq->cqn);

	xa_erase_irq(&cq_table->array, hr_cq->cqn);

err_put:

	hns_roce_table_put(hr_dev, &cq_table->table, hr_cq->cqn);
@@ -239,7 +239,7 @@ static void free_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) 
				    ret, hr_cq->cqn);

	}



	xa_erase(&cq_table->array, hr_cq->cqn);

	xa_erase_irq(&cq_table->array, hr_cq->cqn);



	/* Waiting interrupt process procedure carried out */

	synchronize_irq(hr_dev->eq_table.eq[hr_cq->vector].irq);
@@ -551,13 +551,6 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type) 
	struct ib_event event;

	struct ib_cq *ibcq;



	hr_cq = xa_load(&hr_dev->cq_table.array,

			cqn & (hr_dev->caps.num_cqs - 1));

	if (!hr_cq) {

		dev_warn(dev, "async event for bogus CQ 0x%06x\n", cqn);

		return;

	}



	if (event_type != HNS_ROCE_EVENT_TYPE_CQ_ID_INVALID &&

	    event_type != HNS_ROCE_EVENT_TYPE_CQ_ACCESS_ERROR &&

	    event_type != HNS_ROCE_EVENT_TYPE_CQ_OVERFLOW) {
@@ -566,7 +559,16 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type) 
		return;

	}



	xa_lock(&hr_dev->cq_table.array);

	hr_cq = xa_load(&hr_dev->cq_table.array,

			cqn & (hr_dev->caps.num_cqs - 1));

	if (hr_cq)

		refcount_inc(&hr_cq->refcount);

	xa_unlock(&hr_dev->cq_table.array);

	if (!hr_cq) {

		dev_warn(dev, "async event for bogus CQ 0x%06x\n", cqn);

		return;

	}



	ibcq = &hr_cq->ib_cq;

	if (ibcq->event_handler) {