Received: by 2002:ab2:7041:0:b0:1f4:bcc8:f211 with SMTP id x1csp24107lql;
        Fri, 12 Apr 2024 02:22:58 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWK70V+L44yXfGx38fJgwWCyFh9mSnr/oHRFEt+piuLRS1cBckXh3SP8izm0+b9zbu41yX93PHcjbC01wF2Tpp+EEZJcPncahJ/qJys6w==
X-Google-Smtp-Source: AGHT+IGqIKW8+DQ+aODKLWlyx6mfr89w/dCo+eb/mb9JrkIcFlXfuVjewyShLoiKAqeQ6I/N6Wxq
X-Received: by 2002:ac8:5ac1:0:b0:434:68ad:bc6d with SMTP id d1-20020ac85ac1000000b0043468adbc6dmr2488788qtd.52.1712913778590;
        Fri, 12 Apr 2024 02:22:58 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1712913778; cv=pass;
        d=google.com; s=arc-20160816;
        b=jeLELvOBj2I/XKfLV6GsLEhAblbj9DG+bUDbXH0uFqsuPH1okc9XJXS8S5Inux3RT5
         8nXnujW5bXfpG8urtaz6kfxIYjZ613g6aPCB3VewL4ZmwQphDKw9Kr1xQ+o7Q/vaOYKH
         +o4EgUAxKqlWIF26VFFiXuW/4wkqzOCGPGNVksCbtvDaO7WIbfd54oIQBHT5N140J/He
         7Urrb3HjjHz7BEEgP0RfLhREvSgrQMqXx2x3RjjYM8vL8hQNSaMVFA5T+Bvmt5dhw1Ip
         ozs5RTAQdxHg/F5594DvrZwLX6/UTOPV5l8uKhTlQPHlG2W7K833UISp9oRGN3Dz89WW
         o1/g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :date:subject:cc:to:from;
        bh=KTJIB3rXDplMA4k9hz3skodfmj7cbYDQfM8YbsIdTXE=;
        fh=KWvyQxL3Ff+3WPSMjlYu+P4255AmcMULAsFol6M1vNI=;
        b=ghllcXJvEcxuAs1LBSfiFR/CV2MgWoEd++tlecwn53mqS87n7RP3aU8ObR+yzFEOmg
         woYLzW9WiJvr4yrLM2tZ2wTzKth/dUTq3gyHfPNyOo9JfK1DnlgZosvKILvUQvpFCJvw
         QvmraNnN1Jguqrtxdl5qJ0PLVeOhoijC7E9MEZcMHirpRlrH6q9ZxI6kM4gfaUAYlzSE
         vp6Fgmnm1ALv9NmXri6YFhpGd1QVP0/5Gvxh5xzSis+OlP6B8Uq1iIEzXLji9oxdYJ0S
         VlC+V7S0ygxxMoNepaTDhvjVzsNVpT67vXX/RKO3NkMoM0fH1ZaCs63A9oarTgM5jklS
         1e9A==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=hisilicon.com dmarc=pass fromdomain=hisilicon.com);
       spf=pass (google.com: domain of linux-kernel+bounces-142393-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-142393-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=hisilicon.com
Return-Path: <linux-kernel+bounces-142393-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id ay37-20020a05622a22a500b00436928ebdefsi759398qtb.42.2024.04.12.02.22.58
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 12 Apr 2024 02:22:58 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-142393-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=hisilicon.com dmarc=pass fromdomain=hisilicon.com);
       spf=pass (google.com: domain of linux-kernel+bounces-142393-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-142393-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=hisilicon.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id EDC7C1C214B8
	for <linux.lists.archive@gmail.com>; Fri, 12 Apr 2024 09:22:57 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 0C2FD56B9F;
	Fri, 12 Apr 2024 09:20:56 +0000 (UTC)
Received: from szxga04-in.huawei.com (szxga04-in.huawei.com [45.249.212.190])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D8E65502AA;
	Fri, 12 Apr 2024 09:20:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.190
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1712913654; cv=none; b=LvJMYA7H1ENuzIYjzvvyYzHqf7aSWdUiwYBilHAACuM6uUiTtFvfSb+wxzVSwbK03MC2HiZviMvHKdX/aC8y/SZjdEj0mB/XitL6ekuD0/MiSWGu2H2Vpv8nDkzm9bnGhIXruNMutD1nAybdBHxuMj0x0sbLlouClv3oOLB7uwQ=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1712913654; c=relaxed/simple;
	bh=v3FczZT5MCatWnDOanGqyKC0iGfg95SCAmsBvumAY4k=;
	h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type; b=BDf8E2wnVNRy4yxnWgRvnstHsKAUEPSQCazTXiHvl6LSbgTdZOg7ev8SM8Z517DOrQuNhVRXq/rGU/xmodGWt/3STDI1tRIyeOlEdEaXuxZip77k3xvd+4xqmPhM5fi/80U99ATRczlQZ1g6c033mJyEm13dyBZnHiusLo+qs2I=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=hisilicon.com; spf=pass smtp.mailfrom=hisilicon.com; arc=none smtp.client-ip=45.249.212.190
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=hisilicon.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hisilicon.com
Received: from mail.maildlp.com (unknown [172.19.162.112])
	by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4VG9vl1VB7z2CcDq;
	Fri, 12 Apr 2024 17:17:55 +0800 (CST)
Received: from kwepemi500006.china.huawei.com (unknown [7.221.188.68])
	by mail.maildlp.com (Postfix) with ESMTPS id CA2A0140156;
	Fri, 12 Apr 2024 17:20:48 +0800 (CST)
Received: from localhost.localdomain (10.67.165.2) by
 kwepemi500006.china.huawei.com (7.221.188.68) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.1.2507.35; Fri, 12 Apr 2024 17:20:48 +0800
From: Junxian Huang <huangjunxian6@hisilicon.com>
To: <jgg@ziepe.ca>, <leon@kernel.org>
CC: <linux-rdma@vger.kernel.org>, <linuxarm@huawei.com>,
	<linux-kernel@vger.kernel.org>, <huangjunxian6@hisilicon.com>
Subject: [PATCH for-next 05/10] RDMA/hns: Fix UAF for cq async event
Date: Fri, 12 Apr 2024 17:16:11 +0800
Message-ID: <20240412091616.370789-6-huangjunxian6@hisilicon.com>
X-Mailer: git-send-email 2.30.0
In-Reply-To: <20240412091616.370789-1-huangjunxian6@hisilicon.com>
References: <20240412091616.370789-1-huangjunxian6@hisilicon.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To
 kwepemi500006.china.huawei.com (7.221.188.68)

From: Chengchang Tang <tangchengchang@huawei.com>

The refcount of CQ is not protected by locks. When CQ asynchronous
events and CQ destruction are concurrent, CQ may have been released,
which will cause UAF.

Use the xa_lock() to protect the CQ refcount.

Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
---
 drivers/infiniband/hw/hns/hns_roce_cq.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/drivers/infiniband/hw/hns/hns_roce_cq.c b/drivers/infiniband/hw/hns/hns_roce_cq.c
index 7250d0643b5c..68e22f368d43 100644
--- a/drivers/infiniband/hw/hns/hns_roce_cq.c
+++ b/drivers/infiniband/hw/hns/hns_roce_cq.c
@@ -149,7 +149,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq)
 		return ret;
 	}
 
-	ret = xa_err(xa_store(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL));
+	ret = xa_err(xa_store_irq(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL));
 	if (ret) {
 		ibdev_err(ibdev, "failed to xa_store CQ, ret = %d.\n", ret);
 		goto err_put;
@@ -163,7 +163,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq)
 	return 0;
 
 err_xa:
-	xa_erase(&cq_table->array, hr_cq->cqn);
+	xa_erase_irq(&cq_table->array, hr_cq->cqn);
 err_put:
 	hns_roce_table_put(hr_dev, &cq_table->table, hr_cq->cqn);
 
@@ -182,7 +182,7 @@ static void free_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq)
 		dev_err(dev, "DESTROY_CQ failed (%d) for CQN %06lx\n", ret,
 			hr_cq->cqn);
 
-	xa_erase(&cq_table->array, hr_cq->cqn);
+	xa_erase_irq(&cq_table->array, hr_cq->cqn);
 
 	/* Waiting interrupt process procedure carried out */
 	synchronize_irq(hr_dev->eq_table.eq[hr_cq->vector].irq);
@@ -476,13 +476,6 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type)
 	struct ib_event event;
 	struct ib_cq *ibcq;
 
-	hr_cq = xa_load(&hr_dev->cq_table.array,
-			cqn & (hr_dev->caps.num_cqs - 1));
-	if (!hr_cq) {
-		dev_warn(dev, "async event for bogus CQ 0x%06x\n", cqn);
-		return;
-	}
-
 	if (event_type != HNS_ROCE_EVENT_TYPE_CQ_ID_INVALID &&
 	    event_type != HNS_ROCE_EVENT_TYPE_CQ_ACCESS_ERROR &&
 	    event_type != HNS_ROCE_EVENT_TYPE_CQ_OVERFLOW) {
@@ -491,7 +484,16 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type)
 		return;
 	}
 
-	refcount_inc(&hr_cq->refcount);
+	xa_lock(&hr_dev->cq_table.array);
+	hr_cq = xa_load(&hr_dev->cq_table.array,
+			cqn & (hr_dev->caps.num_cqs - 1));
+	if (hr_cq)
+		refcount_inc(&hr_cq->refcount);
+	xa_unlock(&hr_dev->cq_table.array);
+	if (!hr_cq) {
+		dev_warn(dev, "async event for bogus CQ 0x%06x\n", cqn);
+		return;
+	}
 
 	ibcq = &hr_cq->ib_cq;
 	if (ibcq->event_handler) {
-- 
2.30.0