linux/drivers/infiniband/core
Michael Guralnik 1f3b337af2 RDMA/core: Fix rereg_mr use-after-free race
When a driver creates a new MR during rereg_user_mr, a race window
exists between rdma_alloc_commit_uobject() for the new MR and the point
where the code reads that MR to populate the response keys.

A concurrent rereg_mr or destroy_mr could destroy the MR in this window
and cause UAF in the first thread.

Racing flow between two rereg_mr calls:

 CPU0                           CPU1
 ----                           ----
 rereg_user_mr(mr_handle)
   uobj_get_write(mr_handle) -> mr0
   mr1 = driver->rereg()
   rdma_alloc_commit_uobject(mr1)
   // mr1 replaced mr0 and is unlocked
   uobj_put_destroy(mr0)
                                rereg_user_mr(mr_handle)
                                  uobj_get_write(mr_handle) -> mr1
                                  mr2 = driver->rereg()
                                  rdma_alloc_commit_uobject(mr2)
                                  // mr2 replaced mr1 and is unlocked
                                  uobj_put_destroy(mr1)
                                  // Destroys mr1!

   resp.lkey = mr1->lkey; // UAF - mr1 was freed!
   resp.rkey = mr1->rkey; // UAF - mr1 was freed!

Fix by storing lkey/rkey in local variables before the new MR is
unlocked and using the local variables to set the user response.

Fixes: 6e0954b11c ("RDMA/uverbs: Allow drivers to create a new HW object during rereg_mr")
Link: https://patch.msgid.link/r/20260427-security-bug-fixes-v3-4-4621fa52de0e@nvidia.com
Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
Signed-off-by: Edward Srouji <edwards@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-04-29 16:37:12 -03:00
addr.c IB/core: Fix IPv6 netlink message size in ib_nl_ip_send_msg() 2026-04-29 16:37:12 -03:00
agent.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
agent.h
cache.c RDMA/core: Fix memory free for GID table 2026-04-07 11:42:34 -03:00
cgroup.c
cm_msgs.h RDMA/core: Add necessary spaces 2021-04-12 14:52:22 -03:00
cm_trace.c
cm_trace.h IB/cm: Remove dead code and adjust naming 2025-05-25 06:24:21 -04:00
cm.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
cma_configfs.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
cma_priv.h RDMA/core: introduce rdma_restrict_node_type() 2026-02-08 17:12:58 -06:00
cma_trace.c
cma_trace.h IB/cm: Remove dead code and adjust naming 2025-05-25 06:24:21 -04:00
cma.c RDMA/core: Check id_priv->restricted_node_type in cma_listen_on_dev() 2026-02-25 07:50:10 -05:00
core_priv.h RDMA/core: Fix stale RoCE GIDs during netdev events at registration 2026-02-24 03:43:16 -05:00
counters.c RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA counters 2025-07-02 05:11:44 -04:00
cq.c RDMA/core: Reject zero CQE count 2026-02-25 08:15:30 -05:00
device.c RDMA v7.1 merge window 2026-04-20 11:20:35 -07:00
frmr_pools.c RDMA/core: Add netlink command to modify FRMR aging 2026-03-02 13:45:37 -05:00
frmr_pools.h RDMA/core: Add netlink command to modify FRMR aging 2026-03-02 13:45:37 -05:00
ib_core_uverbs.c RDMA v7.1 merge window 2026-04-20 11:20:35 -07:00
iter.c RDMA: Move DMA block iterator logic into dedicated files 2026-02-25 08:15:30 -05:00
iwcm.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
iwcm.h RDMA/iwcm: Fix workqueue list corruption by removing work_list 2026-01-15 04:59:53 -05:00
iwpm_msg.c RDMA/core: Prefer NLA_NUL_STRING 2026-04-09 10:58:56 -03:00
iwpm_util.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
iwpm_util.h RDMA/core: Delete useless module.h include 2022-01-28 13:03:12 -04:00
lag.c RDMA/core: Remove NULL check before dev_{put, hold} 2024-05-05 15:12:35 +03:00
mad_priv.h IB/mad: Add flow control for solicited MADs 2025-07-09 02:51:30 -04:00
mad_rmpp.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
mad_rmpp.h
mad.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
Makefile IB/core: Introduce FRMR pools 2026-03-02 13:44:58 -05:00
mr_pool.c
multicast.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
netlink.c RDMA/nldev: Add support for RDMA monitoring 2024-09-13 08:29:14 +03:00
nldev.c RDMA/nldev: Add dellink function pointer 2026-03-30 13:47:43 -04:00
opa_smi.h RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
packer.c
rdma_core.c RDMA/uverbs: Update outdated reference to remove_commit_idr_uobject() 2026-03-30 13:47:44 -04:00
rdma_core.h RDMA: Add ib_copy_validate_udata_in() 2026-03-08 06:20:25 -04:00
restrack.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
restrack.h
roce_gid_mgmt.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
rw.c RDMA/rw: Fix MR pool exhaustion in bvec RDMA READ path 2026-03-17 15:00:56 -04:00
sa_query.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
sa.h RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
security.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
smi.c RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
smi.h RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
sysfs.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
trace.c
ucaps.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ucma.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ud_header.c RDMA/core: Remove unused ib_ud_header_unpack 2024-12-24 05:00:42 -05:00
umem_dmabuf.c RDMA v7.1 merge window 2026-04-20 11:20:35 -07:00
umem_odp.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
umem.c RDMA/umem: Use consistent DMA attributes when unmapping entries 2026-03-30 13:47:45 -04:00
user_mad.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
uverbs_cmd.c RDMA/core: Fix rereg_mr use-after-free race 2026-04-29 16:37:12 -03:00
uverbs_ioctl.c RDMA: Add ib_respond_udata() 2026-03-08 06:20:25 -04:00
uverbs_main.c mm: rename zap_vma_ptes() to zap_special_vma_range() 2026-04-05 13:53:15 -07:00
uverbs_marshall.c RDMA/core: Remove unused ib_copy_path_rec_from_user 2024-12-24 05:00:42 -05:00
uverbs_std_types_async_fd.c RDMA/core: Make FD destroy callback void 2020-11-12 12:32:17 -04:00
uverbs_std_types_counters.c IB/uverbs: Fix an potential error pointer dereference 2023-08-07 16:49:59 +03:00
uverbs_std_types_cq.c RDMA/core: Fix user CQ creation for drivers without create_cq 2026-04-17 12:16:00 -03:00
uverbs_std_types_device.c RDMA: Add IB_UVERBS_CORE_SUPPORT_ROBUST_UDATA 2026-03-08 06:20:25 -04:00
uverbs_std_types_dm.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types_dmabuf.c drm-misc-next for v7.1: 2026-03-02 16:58:07 +10:00
uverbs_std_types_dmah.c RDMA/core: Introduce a DMAH object and its alloc/free APIs 2025-07-23 01:42:10 -04:00
uverbs_std_types_flow_action.c RDMA/core: Delete IPsec flow action logic from the core 2022-04-09 08:25:06 +03:00
uverbs_std_types_mr.c IB: Extend UVERBS_METHOD_REG_MR to get DMAH 2025-07-23 01:42:11 -04:00
uverbs_std_types_qp.c RDMA/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create 2025-07-01 05:21:44 -04:00
uverbs_std_types_srq.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types_wq.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types.c RDMA/core: Make FD destroy callback void 2020-11-12 12:32:17 -04:00
uverbs_uapi.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
uverbs.h RDMA/uverbs: Add DMABUF object type and operations 2026-02-08 23:50:41 -05:00
verbs.c RDMA/core: Remove unused ib_resize_cq() implementation 2026-03-30 13:47:43 -04:00