diff mbox series

[net] RDMA/core: fix UAF in ib_get_eth_speed

Message ID 20240328112218.16482-1-dkirjanov@suse.de (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [net] RDMA/core: fix UAF in ib_get_eth_speed | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 944 this patch: 944
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers fail 1 blamed authors not CCed: benve@cisco.com; 3 maintainers not CCed: xuhaoyue1@hisilicon.com linux-rdma@vger.kernel.org benve@cisco.com
netdev/build_clang success Errors and warnings before: 955 this patch: 955
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 955 this patch: 955
netdev/checkpatch warning WARNING: From:/Signed-off-by: email address mismatch: 'From: Denis Kirjanov <kirjanov@gmail.com>' != 'Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>' WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: d41861942fc5 ("IB/core: Add generic function to extract IB speed from netdev")'
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Denis Kirjanov March 28, 2024, 11:22 a.m. UTC 
call to ib_device_get_netdev from ib_get_eth_speed
may lead to a race condition while accessing a netdevice
instance since we don't hold the rtnl lock while checking
the registration state:
	if (res && res->reg_state != NETREG_REGISTERED) {

Reported-by: syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
Fixes: d41861942fc55 ("IB/core: Add generic function to extract IB speed from netdev")
Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>
---
 drivers/infiniband/core/verbs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Denis Kirjanov March 28, 2024, 11:24 a.m. UTC | #1 
On 3/28/24 14:22, Denis Kirjanov wrote:
> call to ib_device_get_netdev from ib_get_eth_speed
> may lead to a race condition while accessing a netdevice
> instance since we don't hold the rtnl lock while checking
> the registration state:
> 	if (res && res->reg_state != NETREG_REGISTERED) {
> 
> Reported-by: syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
> Fixes: d41861942fc55 ("IB/core: Add generic function to extract IB speed from netdev")

Please ignore, there is an issue on error path

> Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>
> ---
>  drivers/infiniband/core/verbs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
> index 94a7f3b0c71c..aa4f642e7de9 100644
> --- a/drivers/infiniband/core/verbs.c
> +++ b/drivers/infiniband/core/verbs.c
> @@ -1976,11 +1976,11 @@ int ib_get_eth_speed(struct ib_device *dev, u32 port_num, u16 *speed, u8 *width)
>  	if (rdma_port_get_link_layer(dev, port_num) != IB_LINK_LAYER_ETHERNET)
>  		return -EINVAL;
>  
> +	rtnl_lock();
>  	netdev = ib_device_get_netdev(dev, port_num);
>  	if (!netdev)
>  		return -ENODEV;
>  
> -	rtnl_lock();
>  	rc = __ethtool_get_link_ksettings(netdev, &lksettings);
>  	rtnl_unlock();
>
Eric Dumazet March 28, 2024, 11:24 a.m. UTC | #2 
On Thu, Mar 28, 2024 at 12:23 PM Denis Kirjanov <kirjanov@gmail.com> wrote:
>
> call to ib_device_get_netdev from ib_get_eth_speed
> may lead to a race condition while accessing a netdevice
> instance since we don't hold the rtnl lock while checking
> the registration state:
>         if (res && res->reg_state != NETREG_REGISTERED) {
>
> Reported-by: syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com
> Fixes: d41861942fc55 ("IB/core: Add generic function to extract IB speed from netdev")
> Signed-off-by: Denis Kirjanov <dkirjanov@suse.de>
> ---
>  drivers/infiniband/core/verbs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
> index 94a7f3b0c71c..aa4f642e7de9 100644
> --- a/drivers/infiniband/core/verbs.c
> +++ b/drivers/infiniband/core/verbs.c
> @@ -1976,11 +1976,11 @@ int ib_get_eth_speed(struct ib_device *dev, u32 port_num, u16 *speed, u8 *width)
>         if (rdma_port_get_link_layer(dev, port_num) != IB_LINK_LAYER_ETHERNET)
>                 return -EINVAL;
>
> +       rtnl_lock();
>         netdev = ib_device_get_netdev(dev, port_num);
>         if (!netdev)

This can not be right, we could return -ENODEV whild rtnl is kept locked.

>                 return -ENODEV;
>
> -       rtnl_lock();
>         rc = __ethtool_get_link_ksettings(netdev, &lksettings);
>         rtnl_unlock();
>
> --
> 2.30.2
>
diff mbox series

Patch

diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
index 94a7f3b0c71c..aa4f642e7de9 100644
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -1976,11 +1976,11 @@  int ib_get_eth_speed(struct ib_device *dev, u32 port_num, u16 *speed, u8 *width)
 	if (rdma_port_get_link_layer(dev, port_num) != IB_LINK_LAYER_ETHERNET)
 		return -EINVAL;
 
+	rtnl_lock();
 	netdev = ib_device_get_netdev(dev, port_num);
 	if (!netdev)
 		return -ENODEV;
 
-	rtnl_lock();
 	rc = __ethtool_get_link_ksettings(netdev, &lksettings);
 	rtnl_unlock();