Commit 0b28000b authored by Edward Adam Davis's avatar Edward Adam Davis Committed by Leon Romanovsky
Browse files

RDMA/nldev: Add mutual exclusion in nldev_dellink() 



We must serialize calls to nldev_dellink() or risk a crash as syzbot
reported:

KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
Call Trace:
 udp_tunnel_sock_release+0x6d/0x80 net/ipv4/udp_tunnel_core.c:197
 rxe_release_udp_tunnel drivers/infiniband/sw/rxe/rxe_net.c:294 [inline]
 rxe_sock_put drivers/infiniband/sw/rxe/rxe_net.c:639 [inline]
 rxe_net_del+0xfb/0x290 drivers/infiniband/sw/rxe/rxe_net.c:660
 rxe_dellink+0x15/0x20 drivers/infiniband/sw/rxe/rxe.c:254

Fixes: a60e3f3d ("RDMA/nldev: Add dellink function pointer")
Reported-by: default avatar <syzbot+d8f76778263ab65c2b21@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=d8f76778263ab65c2b21


Tested-by: default avatar <syzbot+d8f76778263ab65c2b21@syzkaller.appspotmail.com>
Signed-off-by: default avatarEdward Adam Davis <eadavis@qq.com>
Link: https://patch.msgid.link/tencent_611BEB4B141B1A2526BAA3BBB2335F9E9108@qq.com


Reviewed-by: default avatarZhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
parent 5d691905

drivers/infiniband/core/nldev.c

+3 −0
Original line number Diff line number Diff line
@@ -51,6 +51,7 @@ 
 * a controlled QKEY.

 */

static bool privileged_qkey;

static DEFINE_MUTEX(nldev_dellink_mutex);



typedef int (*res_fill_func_t)(struct sk_buff*, bool,

			       struct rdma_restrack_entry*, uint32_t);
@@ -1846,7 +1847,9 @@ static int nldev_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, 
	 * implicitly scoped to the driver supporting dynamic link deletion like RXE.

	 */

	if (device->link_ops && device->link_ops->dellink) {

		mutex_lock(&nldev_dellink_mutex);

		err = device->link_ops->dellink(device);

		mutex_unlock(&nldev_dellink_mutex);

		if (err)

			return err;

	}