This series addresses several stability issues in RDMA core and the
mlx5 driver, mainly around use-after-free conditions in resource
destruction paths and race windows in concurrent create/destroy flows.

Patches 1-5 fix a restrack race window affecting QP, CQ and SRQ
resources in destroy flows. The core problem is that rdma_restrack_del() was being
called at the end of the destroy routines, leaving a window where the
resource could still be looked up via netlink after vendor-specific
resources were already freed. Two preparatory patches lay the groundwork
followed by three fixes.

Patches 6-7 fix xarray race conditions in the mlx5 SRQ and DCT destroy
paths where a concurrent create can reuse the same firmware object
number right after firmware releases it, causing the destroy path to
incorrectly erase the newly created entry.

The remaining patches are independent fixes.
Signed-off-by: Edward Srouji <edwards@nvidia.com>
---
Edward Srouji (2):
      RDMA/mlx5: Fix UAF in SRQ destroy due to race with create
      RDMA/mlx5: Fix UAF in DCT destroy due to race with create

Maher Sanalla (1):
      IB/core: Fix IPv6 netlink message size in ib_nl_ip_send_msg()

Michael Guralnik (2):
      RDMA/core: Fix rereg_mr use-after-free race
      RDMA/mlx5: Fix null-ptr-deref in Raw Packet QP creation

Patrisious Haddad (5):
      RDMA/mlx5: Remove DCT restrack tracking
      RDMA/core: Preserve restrack resource ID on reinsertion
      RDMA/core: Fix use after free in ib_query_qp()
      RDMA/core: Fix potential use after free in ib_destroy_cq_user()
      RDMA/core: Fix potential use after free in ib_destroy_srq_user()
drivers/infiniband/core/addr.c | 2 +-
drivers/infiniband/core/restrack.c | 20 ++++++++++++++++----
drivers/infiniband/core/uverbs_cmd.c | 9 +++++++--
drivers/infiniband/core/verbs.c | 21 ++++++++++++++++-----
drivers/infiniband/hw/mlx5/qp.c | 6 ++++++
drivers/infiniband/hw/mlx5/qpc.c | 9 ++++++++-
drivers/infiniband/hw/mlx5/restrack.c | 3 ---
drivers/infiniband/hw/mlx5/srq_cmd.c | 9 ++++++++-
8 files changed, 62 insertions(+), 17 deletions(-)
---
base-commit: 6edef31ef9004ed51624246a04f7f81112f485b0
change-id: 20260325-security-bug-fixes-6fdef22d9412
Best regards,
--
Edward Srouji <edwards@nvidia.com>
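As an added illustration (not code from this series, the mlx5 driver or the kernel), the following user-space C model replays the object-number reuse window described for the SRQ/DCT destroy paths; the restrack window has the same shape, a lookup entry that stays reachable after the point where its underlying resource is released or its key can be reissued. The "fixed" ordering it shows (erase the lookup entry before the firmware releases the number) is an assumption about the remedy, since the cover letter does not state how the patches reorder the destroy path.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the destroy/create race; not kernel or mlx5 code. */
#define NOBJ 4

struct obj { int id; };

static bool fw_in_use[NOBJ];    /* firmware's pool of object numbers (model) */
static struct obj *table[NOBJ]; /* driver's number -> object lookup (stands in for the xarray) */

/* Firmware hands out the lowest free number, so a just-released number is reused first. */
static int fw_alloc(void)
{
    for (int i = 0; i < NOBJ; i++)
        if (!fw_in_use[i]) { fw_in_use[i] = true; return i; }
    return -1;
}

static struct obj *create(void)
{
    struct obj *o = malloc(sizeof *o);
    o->id = fw_alloc();
    table[o->id] = o;           /* publish so lookups by number can find it */
    return o;
}

/* Destroy A with a create of B forced into the window between firmware releasing
 * A's number and the driver erasing A's lookup entry. Returns true when B's entry
 * survives, i.e. the destroy touched only A. */
static bool simulate(bool erase_before_fw_release)
{
    memset(fw_in_use, 0, sizeof fw_in_use);
    memset(table, 0, sizeof table);
    struct obj *a = create();
    int id = a->id;
    if (erase_before_fw_release)
        table[id] = NULL;       /* assumed fix: unpublish before the number can be reused */
    fw_in_use[id] = false;      /* firmware destroy: number goes back to the pool */
    struct obj *b = create();   /* concurrent create lands here and gets the same number */
    if (!erase_before_fw_release)
        table[id] = NULL;       /* buggy order: erases B's entry, not A's */
    free(a);
    bool ok = b->id == id && table[b->id] == b;
    free(b);
    return ok;
}
```

With the buggy ordering `simulate(false)` returns false because B's freshly published entry is gone, which is exactly the lookup that later callers trust; with the entry erased first, `simulate(true)` returns true.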