Bug 264473 - uverbs: Fix a race with disassociate and exit_mmap()
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: Unspecified
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Hans Petter Selasky
Reported: 2022-06-05 12:38 UTC by ruc_gongyuanjun
Modified: 2022-06-21 09:34 UTC

Attachments
a possible patch (1.38 KB, application/mbox)
2022-06-05 12:38 UTC, ruc_gongyuanjun

Description ruc_gongyuanjun 2022-06-05 12:38:09 UTC
Created attachment 234462
a possible patch

If uverbs_user_mmap_disassociate() is called while the mmap is
concurrently doing exit_mmap then the ordering of the
rdma_user_mmap_entry_put() is not reliable.

The put must be done before uverbs_user_mmap_disassociate() returns,
otherwise there can be a use after free on the ucontext, and a left over
entry in the xarray. If the put is not done here then it is done during
rdma_umap_close() later.

Add the missing put to the error exit path.
Comment 1 Hans Petter Selasky freebsd_committer freebsd_triage 2022-06-17 17:48:48 UTC
Need to check this a bit first.
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-06-21 09:34:18 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9fc6a635220fdd8a0a29de0a985a4a0c3a6890fd

commit 9fc6a635220fdd8a0a29de0a985a4a0c3a6890fd
Author:     Hans Petter Selasky <hselasky@FreeBSD.org>
AuthorDate: 2022-06-21 09:23:55 +0000
Commit:     Hans Petter Selasky <hselasky@FreeBSD.org>
CommitDate: 2022-06-21 09:33:27 +0000

    ibcore: Fix a race with disassociate and exit_mmap()

    If uverbs_user_mmap_disassociate() is called while the mmap is
    concurrently doing exit_mmap then the ordering of the
    rdma_user_mmap_entry_put() is not reliable.

    The put must be done before uverbs_user_mmap_disassociate() returns,
    otherwise there can be a use after free on the ucontext, and a left over
    entry in the xarray. If the put is not done here then it is done during
    rdma_umap_close() later.

    Add the missing put to the error exit path.

    Linux commit:
    39c011a538272589b9eb02ff1228af528522a22c

    PR:             264473
    MFC after:      3 days
    Sponsored by:   NVIDIA Networking

 sys/ofed/drivers/infiniband/core/ib_uverbs_main.c | 4 ++++
 1 file changed, 4 insertions(+)
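
A userspace model of the ownership rule the commit message describes, added here as an illustration; it is not the FreeBSD or Linux kernel code, and every struct and function name in it is hypothetical. It shows why the reference has to be dropped on the exiting-mm path before disassociate returns, and why the pointer is cleared so the later close does not put it again.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only; every name is hypothetical, not kernel code. */
struct ucontext   { bool freed; int table_entries; };
struct mmap_entry { int refs; struct ucontext *uctx; bool used_freed_ctx; };
struct umap_priv  { struct mmap_entry *entry; bool mm_exiting; };

/* The last put removes the entry from the context's table (needs a live context). */
static void entry_put(struct mmap_entry *e)
{
    if (--e->refs > 0)
        return;
    if (e->uctx->freed)
        e->used_freed_ctx = true;   /* stands in for the use after free */
    else
        e->uctx->table_entries--;
}

/* Put and clear, so a later close cannot drop the same reference twice. */
static void put_and_clear(struct umap_priv *p)
{
    if (p->entry) { entry_put(p->entry); p->entry = NULL; }
}

static void disassociate(struct umap_priv *p, bool with_fix)
{
    if (p->mm_exiting && !with_fix)
        return;                     /* error exit that skips the put */
    put_and_clear(p);               /* normal path and fixed error path */
}

/* True if the put ran after the context was freed; *leftover = entries at free. */
static bool run_teardown(bool with_fix, int *leftover)
{
    struct ucontext ctx = { false, 1 };
    struct mmap_entry e = { 1, &ctx, false };
    struct umap_priv p = { &e, true };  /* address space already exiting */
    disassociate(&p, with_fix);
    *leftover = ctx.table_entries;
    ctx.freed = true;               /* context released after disassociate */
    put_and_clear(&p);              /* late close of the mapping */
    return e.used_freed_ctx;
}

int main(void)
{
    int a, b, u = run_teardown(false, &a), f = run_teardown(true, &b);
    printf("unfixed: late=%d left=%d\nfixed: late=%d left=%d\n", u, a, f, b);
    return 0;
}
```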
Comment 3 Hans Petter Selasky freebsd_committer freebsd_triage 2022-06-21 09:34:55 UTC
Thank you!