From: Edward Srouji
Date: Mon, 6 Apr 2026 12:11:12 +0300
Subject: [PATCH rdma-next v2 01/11] RDMA/mlx5: Remove DCT restrack tracking
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260406-security-bug-fixes-v2-1-ee8815fa81b7@nvidia.com>
References: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
To: Leon Romanovsky, Jason Gunthorpe, Chiara Meiohas, Dennis Dalessandro, Gal Pressman, Mark Bloch, Steve Wise, Mark Zhang, Neta Ostrovsky, Patrisious Haddad, Doug Ledford, Matan Barak, Maor Gottlieb
CC: Edward Srouji

From: Patrisious Haddad

DCT restrack tracking wasn't working to begin with as it was only tracking the first DCT which was added, since at creation the DCT number isn't yet initialized because the DCT FW object is only created during modify. The following DCT additions were failing silently. Remove DCT tracking so a later patch which WARNS about restrack addition failures doesn't WARN about it.

Fixes: fd3af5e21866 ("RDMA/mlx5: Track DCT, DCI and REG_UMR QPs as diver_detail resources.")
Signed-off-by: Patrisious Haddad
Reviewed-by: Chiara Meiohas
Signed-off-by: Edward Srouji --- drivers/infiniband/hw/mlx5/qp.c | 1 + drivers/infiniband/hw/mlx5/restrack.c | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/q= p.c index 59f9ddb35d4620737980b2bc2179e0a11e6be29f..c54e7655763844b10943e12a704= 31da291c58b8a 100644 --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -3110,6 +3110,7 @@ static int create_qp(struct mlx5_ib_dev *dev, struct = ib_pd *pd, =20 switch (qp->type) { case MLX5_IB_QPT_DCT: + rdma_restrack_no_track(&qp->ibqp.res); err =3D create_dct(dev, pd, qp, params); break; case MLX5_IB_QPT_DCI: diff --git a/drivers/infiniband/hw/mlx5/restrack.c b/drivers/infiniband/hw/= mlx5/restrack.c index 67841922c7b8770c86fb5a47588e09560d0004f5..00a9bcb2603f0b094bcef8a4ffe= 6564699a85769 100644 --- a/drivers/infiniband/hw/mlx5/restrack.c +++ b/drivers/infiniband/hw/mlx5/restrack.c 
@@ -178,9 +178,6 @@ static int fill_res_qp_entry(struct sk_buff *msg, struc= t ib_qp *ibqp) ret =3D nla_put_string(msg, RDMA_NLDEV_ATTR_RES_SUBTYPE, "REG_UMR"); break; - case MLX5_IB_QPT_DCT: - ret =3D nla_put_string(msg, RDMA_NLDEV_ATTR_RES_SUBTYPE, "DCT"); - break; case MLX5_IB_QPT_DCI: ret =3D nla_put_string(msg, RDMA_NLDEV_ATTR_RES_SUBTYPE, "DCI"); break; --=20 2.49.0
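Review bot: The rdma_restrack_no_track(&qp->ibqp.res) call added in the case MLX5_IB_QPT_DCT arm of create_qp() (qp.c hunk at -3110) has no comment saying why DCT QPs are exempt from tracking. The reason exists only in the commit message (the DCT number is not initialized at creation because the FW object is created during modify), so a short comment above the call would stop a later reader from re-enabling tracking here. The commit message could also say whether adding the entry at modify time was considered instead of dropping tracking.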
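Review bot: Removing the case MLX5_IB_QPT_DCT arm from fill_res_qp_entry() (restrack.c hunk at -178) drops the "DCT" RDMA_NLDEV_ATTR_RES_SUBTYPE string from the netlink output, and the commit message does not state this user-visible effect. Combined with the no_track call in the qp.c hunk, DCT QPs no longer appear in restrack dumps at all, which matters to anyone relying on restrack to see which QPs exist on a device. Please say so explicitly in the commit message.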
From: Edward Srouji
Date: Mon, 6 Apr 2026 12:11:13 +0300
Subject: [PATCH rdma-next v2 02/11] RDMA/mlx5: Remove raw RSS QP restrack tracking
Message-ID: <20260406-security-bug-fixes-v2-2-ee8815fa81b7@nvidia.com>
References: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>

From: Patrisious Haddad

Raw RSS QP restrack tracking wasn't working to begin with as it was only tracking the first raw RSS QP which was added, since at creation the raw RSS QP number is reserved so the QP number for this qp type was always zero. The following raw RSS QP additions were always failing silently. Hence remove the tracking for the raw RSS QP; support can be added later for it if needed by using the tirn for tracking.

Fixes: 968f0b6f9c01 ("RDMA/mlx5: Consolidate into special function all create QP calls")
Signed-off-by: Patrisious Haddad Reviewed-by: Chiara Meiohas Signed-off-by: Edward Srouji --- drivers/infiniband/hw/mlx5/qp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/q= p.c index c54e7655763844b10943e12a70431da291c58b8a..69914406156c448e9f1cafbc816= 5d04e120e36bd 100644 --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c 
@@ -3104,6 +3104,7 @@ static int create_qp(struct mlx5_ib_dev *dev, struct = ib_pd *pd, int err; =20 if (params->is_rss_raw) { + rdma_restrack_no_track(&qp->ibqp.res); err =3D create_rss_raw_qp_tir(dev, pd, qp, params); goto out; } --=20 2.49.0
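Review bot: The rdma_restrack_no_track(&qp->ibqp.res) call added under if (params->is_rss_raw) in create_qp() (qp.c hunk at -3104) is undocumented in the code. The commit message explains that the QP number is always zero for this type and that tracking could later be keyed on the tirn; a one-line comment at the call carrying that reasoning would make the exemption, and the resulting gap in restrack visibility for raw RSS QPs, explicit to the next reader.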
From: Edward Srouji
Date: Mon, 6 Apr 2026 12:11:14 +0300
Subject: [PATCH rdma-next v2 03/11] RDMA/core: Preserve restrack resource ID on reinsertion
Message-ID: <20260406-security-bug-fixes-v2-3-ee8815fa81b7@nvidia.com>
References: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>

From: Patrisious Haddad

rdma_restrack_add() currently always allocates a new ID via xa_alloc_cyclic(), regardless of whether res->id is already set. This change makes sure that the object’s ID remains the same across removal and reinsertion to restrack. This is a preparatory change for subsequent patches in the series which will do rdma restrack removal and reinsertion.

Signed-off-by: Patrisious Haddad
Signed-off-by: Edward Srouji
--- drivers/infiniband/core/restrack.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/drivers/infiniband/core/restrack.c b/drivers/infiniband/core/r= estrack.c index ac3688952cabbff1ebb899bacb78421f2515231b..485e7357c90a5ff9660feac38a0= ec01c0deb0000 100644 --- a/drivers/infiniband/core/restrack.c +++ b/drivers/infiniband/core/restrack.c @@ -32,7 +32,7 @@ int rdma_restrack_init(struct ib_device *dev) rt =3D dev->res; =20 for (i =3D 0; i < RDMA_RESTRACK_MAX; i++) - xa_init_flags(&rt[i].xa, XA_FLAGS_ALLOC); + xa_init_flags(&rt[i].xa, XA_FLAGS_ALLOC1); =20 return 0; } @@ -71,6 +71,8 @@ int rdma_restrack_count(struct ib_device *dev, enum rdma_= restrack_type type, =20 xa_lock(&rt->xa); xas_for_each(&xas, e, U32_MAX) { + if (xa_is_zero(e)) + continue; if (xa_get_mark(&rt->xa, e->id, RESTRACK_DD) && !show_details) continue; cnt++; 
@@ -216,14 +218,24 @@ void rdma_restrack_add(struct rdma_restrack_entry *re= s) ret =3D xa_insert(&rt->xa, counter->id, res, GFP_KERNEL); res->id =3D ret ? 0 : counter->id; } else { - ret =3D xa_alloc_cyclic(&rt->xa, &res->id, res, xa_limit_32b, - &rt->next_id, GFP_KERNEL); - ret =3D (ret < 0) ? ret : 0; + /* If res->id is valid, try to reinsert at res->id index in + * order to maintain the same id in case of a reinsertion. + */ + if (res->id) { + ret =3D xa_insert(&rt->xa, res->id, res, GFP_KERNEL); + } else { + ret =3D xa_alloc_cyclic(&rt->xa, &res->id, res, + xa_limit_32b, &rt->next_id, + GFP_KERNEL); + ret =3D (ret < 0) ? ret : 0; + } } =20 out: if (!ret) res->valid =3D true; + else + WARN_ONCE(true, "Failed to insert restrack entry at res->id %u", res->id= ); } EXPORT_SYMBOL(rdma_restrack_add); =20 --=20 2.49.0
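Review bot: The switch from XA_FLAGS_ALLOC to XA_FLAGS_ALLOC1 in rdma_restrack_init() (restrack.c hunk at -32) is not mentioned in the commit message. It appears to be required by the new if (res->id) test in rdma_restrack_add(), which treats 0 as "no ID assigned yet" and therefore needs ID 0 never to be handed out by xa_alloc_cyclic(). Please state that dependency in the commit message, along with the fact that allocated IDs now start at 1.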
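Review bot: The if (xa_is_zero(e)) continue; added to the xas_for_each() loop in rdma_restrack_count() (restrack.c hunk at -71) has no explanation of where zero entries in rt->xa come from; neither the code nor the commit message says. Please add a comment, and confirm that every other walker of rt->xa that dereferences the entry has the same guard: here e->id is read on the line right after the new check, so a missed site elsewhere would dereference a zero entry.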
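Review bot: The new else branch after out: in rdma_restrack_add() (restrack.c hunk at -216) calls WARN_ONCE(true, ...) on every failure of xa_insert() and xa_alloc_cyclic(), both of which are called with GFP_KERNEL, so an ordinary allocation failure now raises a WARN, which is fatal on systems running with panic_on_warn. Consider limiting the WARN to the unexpected case (xa_insert() returning -EBUSY on reinsertion at res->id) and using a plain warning print for the rest, include ret in the message, and end the format string with a newline. Also, in the counter path just above, res->id has already been reset on failure (res->id = ret ? 0 : counter->id), so the message prints 0 rather than the ID that failed to insert.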
ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=O9civfjG; arc=fail smtp.client-ip=52.101.56.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="O9civfjG" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=hPm30u6wCThPMcIrmrAp6shMbmwgOws68PMNr8lTiqCVclJjFPPO7WtjE8YUVNh5WuJUHMwjYuj96P2eburlddcIopHIGDgD3F0LvlCQ1nDfw5JGSdwx6T49fNlkhUkTyKE8ZozHnh7WrjD/RffIkheCuyGbMauFeGKQlPVgUQmA1cLg4jEeHp25FlABk0lQl4EgUfr1wPlnbe8peBRWXm8VrlzZfkRWPH1yHpzEaHLx9V1a+X6p/aaIMCFostXFIW4o3+5XPjACn7Wkm1xNtBUasAwB2PKSojkeJKWirYLUkPI/ssZgKX/Py/GeuoqiOjyJKA3SX3fp3NYJAl0HGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=h8GRjYq//0NzG23dOsTx8zq9q1wRwikt2KBwkuzABrY=; b=Rnv7KKmOUtBNfhfXJpV+KPSIHGNVKRiMWfEKHYUxKFaDvHlqQqxK3ODPfhS29P1oTnOy7vgJg+yolkiGSrv9qgrWbFkFP/eeBAj78mXfuibPaCGZQQ5Vh19P75s8dr2kwuDSo1Un6yMc9/X8+GqNdWYOXPd+JisF+apBp0kpxA31NtpeLQD6HkDzQrR8L8oyvBWFuWYD2zb/0N2quspLG2ReyC3jRUZU2al1NS3aZHQtprhaUm4Fv4hiK0gkLhFL5qgAPxCNtI6MuY7DCQSN4jfv0M0yRcODWSO7gGkTf6DkneSmYeFjLaUjf/R93d51eWB9vicqoMiQMCE4fSnQsw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.118.232) smtp.rcpttodomain=redhat.com smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; 
c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=h8GRjYq//0NzG23dOsTx8zq9q1wRwikt2KBwkuzABrY=; b=O9civfjG+Ra/kvsEfrjFo4T+HS/wk7VQ9oWrTLG+A6QhXU9IHzukrWx/cgh/rTP5c6pEd1HNCby0vBbjBHLcI02q7VkwjhRAsaLVxuGjXJ1CrW4DUfqTz3nzIZA+65hkXOK2pFDpMIOX0+/0Z7cWi68gvp5gNV4g4caSTl7DZf4ibjwyjbqs3hqrpjRbOqXtikX7UTNdu2LO73TBMi9ZsrAEUwUcCtNTI8HYw2FfKOMWn/fRicfj3/JUDVBp6GA1vr3XIY/SZYjbxvbfcHQ4yaoDrlt/PnreV13Jo8OaQnk6Ew5EQu4fGlD1gUYGmEw6q9ZTJss3INw5WClfrrcM2Q== Received: from MN2PR19CA0067.namprd19.prod.outlook.com (2603:10b6:208:19b::44) by DS2PR12MB9638.namprd12.prod.outlook.com (2603:10b6:8:27b::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.17; Mon, 6 Apr 2026 09:11:54 +0000 Received: from BL6PEPF0002256E.namprd02.prod.outlook.com (2603:10b6:208:19b:cafe::2b) by MN2PR19CA0067.outlook.office365.com (2603:10b6:208:19b::44) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9769.31 via Frontend Transport; Mon, 6 Apr 2026 09:11:54 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.118.232) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.118.232 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.118.232; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.118.232) by BL6PEPF0002256E.mail.protection.outlook.com (10.167.249.36) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.17 via Frontend Transport; Mon, 6 Apr 2026 09:11:54 +0000 Received: from drhqmail202.nvidia.com (10.126.190.181) by mail.nvidia.com (10.127.129.5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Mon, 6 Apr 2026 02:11:40 
-0700 Received: from drhqmail203.nvidia.com (10.126.190.182) by drhqmail202.nvidia.com (10.126.190.181) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Mon, 6 Apr 2026 02:11:40 -0700 Received: from [10.135.59.1] (10.127.8.10) by mail.nvidia.com (10.126.190.182) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Mon, 6 Apr 2026 02:11:36 -0700 
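Review bot: in the rdma_restrack_add() hunk, the new else branch under out: calls WARN_ONCE() for every non-zero ret, which includes an allocation failure from xa_insert() or xa_alloc_cyclic() called with GFP_KERNEL, so memory pressure alone raises a WARN (and a panic where panic_on_warn is set). Consider limiting the WARN to the reinsertion branch (if (res->id)), where failure means the old index could not be reclaimed, and using a plain ratelimited message elsewhere; the format string also lacks a trailing "\n". Two smaller points: the if (res->id) test is only sound because the first hunk switches to XA_FLAGS_ALLOC1 so that index 0 is never handed out, which deserves a line in the new comment, and the xa_is_zero(e) skip added to rdma_restrack_count() sits directly in front of an e->id dereference, so any other xas_for_each() walk over rt->xa should be checked for the same skip.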
From: Edward Srouji
Date: Mon, 6 Apr 2026 12:11:15 +0300
Subject: [PATCH rdma-next v2 04/11] RDMA/core: Fix use after free in ib_query_qp()
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260406-security-bug-fixes-v2-4-ee8815fa81b7@nvidia.com>
References: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
To: Leon Romanovsky, Jason Gunthorpe, "Chiara Meiohas", Dennis Dalessandro, Gal Pressman, Mark Bloch, Steve Wise, Mark Zhang, "Neta Ostrovsky", Patrisious Haddad, "Doug Ledford", Matan Barak, Maor Gottlieb
CC: "Edward Srouji", Michael Guralnik

From: Patrisious Haddad

When querying a QP via the netlink flow the only synchronization mechanism for the said QP is rdma_restrack_get(), meanwhile during the QP destroy path rdma_restrack_del() is called at the end of the ib_destroy_qp_user() function which is too late, since by then the vendor-specific resources for said QP would already be destroyed, and until the rdma_restrack_del() is called this QP can still be accessed, which could cause the use after free below.

Fix this by moving the rdma_restrack_del() to the start of the ib_destroy_qp_user(), which in turn waits for all usages of the QP to be done, then removes it from the database to prevent access to it while it is being destroyed.

RIP: 0010:ib_query_qp+0x15/0x50 [ib_core]
Code: 48 83 05 5d 8e b9 ff 01 eb b5 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 c7 46 40 00 00 00 00 48 c7 46 78 00 00 00 00 <48> 8b 07 48 8b 80 88 01 00 00 48 85 c0 74 1a 48 83 05 54 91 b9 ff
RSP: 0018:ff11000108a8f2f0 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ff11000108a8f370 RCX: ff11000108a8f370
RDX: 0000000000000000 RSI: ff11000108a8f3d8 RDI: 0000000000000000
RBP: ff1100010de5a000 R08: 0000000000000e80 R09: 0000000000000004
R10: ff110001057a604c R11: 0000000000000000 R12: ff11000108a8f370
R13: ff110001090e8000 R14: 0000000000000000 R15: ff110001057a602c
FS: 00007f2ffd8db6c0(0000) GS:ff110008dc90b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010b9a7004 CR4: 0000000000373eb0
Call Trace:
 mlx5_ib_gsi_query_qp+0x21/0x50 [mlx5_ib]
 mlx5_ib_query_qp+0x689/0x9d0 [mlx5_ib]
 ib_query_qp+0x35/0x50 [ib_core]
 fill_res_qp_entry_query.isra.0+0x47/0x280 [ib_core]
 ? __wake_up+0x40/0x50
 ? netlink_broadcast_filtered+0x15a/0x550
 ? kobject_uevent_env+0x562/0x710
 ? ep_poll_callback+0x242/0x270
 ? __nla_put+0xc/0x20
 ? nla_put+0x28/0x40
 ? nla_put_string+0x2e/0x40 [ib_core]
 fill_res_qp_entry+0x138/0x190 [ib_core]
 res_get_common_dumpit+0x4a5/0x800 [ib_core]
 ? fill_res_qp_entry_query.isra.0+0x280/0x280 [ib_core]
 nldev_res_get_qp_dumpit+0x1e/0x30 [ib_core]
 netlink_dump+0x16f/0x450
 __netlink_dump_start+0x1ce/0x2e0
 rdma_nl_rcv_msg+0x1d3/0x330 [ib_core]
 ? nldev_res_get_qp_raw_dumpit+0x30/0x30 [ib_core]
 rdma_nl_rcv_skb.constprop.0.isra.0+0x108/0x180 [ib_core]
 rdma_nl_rcv+0x12/0x20 [ib_core]
 netlink_unicast+0x255/0x380
 ? __alloc_skb+0xfa/0x1e0
 netlink_sendmsg+0x1f3/0x420
 __sock_sendmsg+0x38/0x60
 ____sys_sendmsg+0x1e8/0x230
 ? copy_msghdr_from_user+0xea/0x170
 ___sys_sendmsg+0x7c/0xb0
 ? __futex_wait+0x95/0xf0
 ? __futex_wake_mark+0x40/0x40
 ? futex_wait+0x67/0x100
 ? futex_wake+0xac/0x1b0
 __sys_sendmsg+0x5f/0xb0
 do_syscall_64+0x55/0xb90
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Fixes: 514aee660df4 ("RDMA: Globally allocate and release QP memory")
Signed-off-by: Patrisious Haddad
Reviewed-by: Michael Guralnik
Signed-off-by: Edward Srouji
---
 drivers/infiniband/core/verbs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verb= s.c index bac87de9cc6735c5d25420a7fac8facdd77d5f09..f1438d5802a3e97e22cdb607cf9= 0a097d041a162 100644 --- a/drivers/infiniband/core/verbs.c +++ b/drivers/infiniband/core/verbs.c @@ -2157,6 +2157,8 @@ int ib_destroy_qp_user(struct ib_qp *qp, struct ib_ud= ata *udata) if (qp->real_qp !=3D qp) return __ib_destroy_shared_qp(qp); =20 + rdma_restrack_del(&qp->res); + sec =3D qp->qp_sec; if (sec) ib_destroy_qp_security_begin(sec); @@ -2169,6 +2171,8 @@ int ib_destroy_qp_user(struct ib_qp *qp, struct ib_ud= ata *udata) if (ret) { if (sec) ib_destroy_qp_security_abort(sec); + rdma_restrack_new(&qp->res, RDMA_RESTRACK_QP); + rdma_restrack_add(&qp->res); return ret; } =20 
@@ -2181,7 +2185,6 @@ int ib_destroy_qp_user(struct ib_qp *qp, struct ib_ud= ata *udata) if (sec) ib_destroy_qp_security_end(sec); =20 - rdma_restrack_del(&qp->res); kfree(qp); return ret; } --=20 2.49.0
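Review bot: in the ib_destroy_qp_user() error path (the hunk at -2169), the QP is put back with rdma_restrack_new() followed by rdma_restrack_add(), but rdma_restrack_add() returns void, so when the reinsertion fails the function still returns the driver's error for a QP that is alive and no longer tracked, and the only trace is the WARN_ONCE() from the restrack.c patch. Please say in a comment what the caller may assume in that case, and confirm that rdma_restrack_new() leaves res->id untouched, since the restrack.c change needs a non-zero res->id to reinsert at the same index. It would also help to note above the early rdma_restrack_del() that it is placed after the shared-QP return (qp->real_qp != qp) on purpose, so a later cleanup does not move it.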

From: Edward Srouji
Date: Mon, 6 Apr 2026 12:11:16 +0300
Subject: [PATCH rdma-next v2 05/11] RDMA/core: Fix potential use after free in ib_destroy_cq_user()
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260406-security-bug-fixes-v2-5-ee8815fa81b7@nvidia.com>
References: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
To: Leon Romanovsky, Jason Gunthorpe, "Chiara Meiohas", Dennis Dalessandro, Gal Pressman, Mark Bloch, Steve Wise, Mark Zhang, "Neta Ostrovsky", Patrisious Haddad, "Doug Ledford", Matan Barak, Maor Gottlieb
CC: "Edward Srouji", Michael Guralnik

From: Patrisious Haddad

When accessing a CQ via the netlink path the only synchronization mechanism for the said CQ is rdma_restrack_get(). Currently, rdma_restrack_del() is invoked at the end of ib_destroy_cq_user(), which is too late, since by that point vendor-specific resources associated with the CQ might already be freed. This can leave a short window where the CQ remains accessible through restrack, leading to a potential use-after-free.

Fix this by moving the rdma_restrack_del() call to the start of ib_destroy_cq_user(), ensuring that the CQ is removed from restrack before its internal resources are released. This guarantees that no new users hold references to a CQ that is in the process of destruction.

In addition, this change preserves the intended asymmetric behavior between create and destroy routines: resources are added to the restrack at the end of successful creation, and hence shall be removed from the restrack first thing during the destruction flow, which keeps the lifecycle management consistent and predictable.

Fixes: 08f294a1524b ("RDMA/core: Add resource tracking for create and destroy CQs")
Signed-off-by: Patrisious Haddad
Reviewed-by: Michael Guralnik
Signed-off-by: Edward Srouji
---
 drivers/infiniband/core/verbs.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verb= s.c index f1438d5802a3e97e22cdb607cf90a097d041a162..0e8f99807c7c0ce063ed0c1561f= 4ba42b485b69d 100644 --- a/drivers/infiniband/core/verbs.c +++ b/drivers/infiniband/core/verbs.c 
@@ -2256,12 +2256,16 @@ int ib_destroy_cq_user(struct ib_cq *cq, struct ib_= udata *udata) if (atomic_read(&cq->usecnt)) return -EBUSY; =20 + rdma_restrack_del(&cq->res); + ret =3D cq->device->ops.destroy_cq(cq, udata); - if (ret) + if (ret) { + rdma_restrack_new(&cq->res, RDMA_RESTRACK_CQ); + rdma_restrack_add(&cq->res); return ret; + } =20 ib_umem_release(cq->umem); - rdma_restrack_del(&cq->res); kfree(cq); return ret; } --=20 2.49.0
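Review bot: with rdma_restrack_del() moved ahead of ops.destroy_cq() in ib_destroy_cq_user(), a CQ whose driver destroy fails is missing from restrack between the del and the re-add, so a dump that runs in that window omits an object that still exists; that trade-off is reasonable, but it should be stated in the commit message or in a comment at the re-add. The sequence rdma_restrack_new(&cq->res, RDMA_RESTRACK_CQ); rdma_restrack_add(&cq->res); now appears in the same form in the QP, CQ and SRQ error paths, so a small helper next to rdma_restrack_add() would keep the three from drifting apart.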

From: Edward Srouji
Date: Mon, 6 Apr 2026 12:11:17 +0300
Subject: [PATCH rdma-next v2 06/11] RDMA/core: Fix potential use after free in ib_destroy_srq_user()
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260406-security-bug-fixes-v2-6-ee8815fa81b7@nvidia.com>
References: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
To: Leon Romanovsky, Jason Gunthorpe, "Chiara Meiohas", Dennis Dalessandro, Gal Pressman, Mark Bloch, Steve Wise, Mark Zhang, "Neta Ostrovsky", Patrisious Haddad, "Doug Ledford", Matan Barak, Maor Gottlieb
CC: "Edward Srouji", Michael Guralnik
From: Patrisious Haddad When accessing a SRQ via the netlink path the only synchronization mechanism for the said SRQ is rdma_restrack_get(). Currently, rdma_restrack_del() is invoked at the end of ib_destroy_srq_user(), which is too late, since by that point vendor-specific resources associated with the SRQ might already be freed. This can leave a short window where the SRQ remains accessible through restrack, leading to a potential use-after-free. Fix this by moving the rdma_restrack_del() call to the start of ib_destroy_srq_user(), ensuring that the SRQ is removed from restrack before its internal resources are released. This guarantees that no new users hold references to a SRQ that is in the process of destruction. In addition, this change preserves the intended asymmetric behavior between create and destroy routines: resources are added to restrack at the end of successful creation, and hence shall be removed from the restrack first thing during the destruction flow, which keeps the lifecycle management consistent and predictable. Fixes: 48f8a70e899f ("RDMA/restrack: Add support to get resource tracking f= or SRQ") Signed-off-by: Patrisious Haddad Reviewed-by: Michael Guralnik Signed-off-by: Edward Srouji --- drivers/infiniband/core/verbs.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verb= s.c index 0e8f99807c7c0ce063ed0c1561f4ba42b485b69d..5921c6d008bb10bcce5f3b9bcc9= 9de72193941db 100644 --- a/drivers/infiniband/core/verbs.c +++ b/drivers/infiniband/core/verbs.c 
@@ -1139,16 +1139,20 @@ int ib_destroy_srq_user(struct ib_srq *srq, struct = ib_udata *udata) if (atomic_read(&srq->usecnt)) return -EBUSY; =20 + rdma_restrack_del(&srq->res); + ret =3D srq->device->ops.destroy_srq(srq, udata); - if (ret) + if (ret) { + rdma_restrack_new(&srq->res, RDMA_RESTRACK_SRQ); + rdma_restrack_add(&srq->res); return ret; + } =20 atomic_dec(&srq->pd->usecnt); if (srq->srq_type =3D=3D IB_SRQT_XRC && srq->ext.xrc.xrcd) atomic_dec(&srq->ext.xrc.xrcd->usecnt); if (ib_srq_has_cq(srq->srq_type)) atomic_dec(&srq->ext.cq->usecnt); - rdma_restrack_del(&srq->res); kfree(srq); =20 return ret; --=20 2.49.0
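
Review bot: the rollback in the `if (ret) {` branch re-registers the SRQ with rdma_restrack_new() followed by rdma_restrack_add(), but neither the hunk nor the commit message says whether that pair restores everything the entry carried before rdma_restrack_del(&srq->res) ran at the top of the function. Please add a comment above the two calls explaining why a fresh new/add is sufficient after a failed ops.destroy_srq(), and mention the rollback in the commit message, which describes only the move of rdma_restrack_del(). It is also worth stating that the SRQ is briefly absent from restrack on this failure path, since a netlink dump taken in that window will not list an SRQ that still exists.
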
From: Edward Srouji
Date: Mon, 6 Apr 2026 12:11:18 +0300
Subject: [PATCH rdma-next v2 07/11] RDMA/mlx5: Fix UAF in SRQ destroy due to race with create
Message-ID: <20260406-security-bug-fixes-v2-7-ee8815fa81b7@nvidia.com>
References: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
To: Leon Romanovsky, Jason Gunthorpe, Chiara Meiohas, Dennis Dalessandro, Gal Pressman, Mark Bloch, Steve Wise, Mark Zhang, Neta Ostrovsky, Patrisious Haddad, Doug Ledford, Matan Barak, Maor Gottlieb
CC: Edward Srouji, Michael Guralnik

A race condition exists between mlx5_cmd_destroy_srq() and mlx5_cmd_create_srq() that can lead to a use-after-free (UAF) [1].

After destroy_srq_split() releases the SRQ to firmware, the SRQN can be immediately reallocated for a new SRQ being created concurrently. If the create path stores the new SRQ in the xarray before the destroy path erases it, the destroy will incorrectly delete the new SRQ's entry. Later accesses then hit freed memory.

Fix by replacing the unconditional xa_erase_irq() with xa_cmpxchg_irq() that only erases the entry if it hasn't already been replaced (still contains XA_ZERO_ENTRY), preserving any newly created SRQ.

[1]
RIP: 0010:mlx5_cmd_destroy_srq+0xd8/0x110 [mlx5_ib]
Code: 89 e1 ba 06 04 00 00 4c 89 f6 48 89 ef e8 80 19 70 e1 c6 83 a0 0f 00 00 00 fb 5b 44 89 e8 5d 41 5c 41 5d 41 5e c3 cc cc cc cc <0f> 0b 48 89 c2 83 e2 03 48 83 fa 02 75 08 48 3d 05 c0 ff ff 77 08
RSP: 0018:ff110001037b7d08 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ff1100010bb9c000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff110001037b7c90
RBP: ff1100010bb9cfa0 R08: 0000000000000000 R09: 0000000000000000
R10: ff110001037b7da0 R11: ff11000104f29580 R12: ff1100010e2ac090
R13: 000000000000000d R14: 0000000000000001 R15: ff11000105336300
FS: 00007fa24787c740(0000) GS:ff1100046eb8d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa247984e90 CR3: 0000000109d59005 CR4: 0000000000373eb0
Call Trace:
mlx5_ib_destroy_srq+0x25/0xa0 [mlx5_ib]
ib_destroy_srq_user+0x21/0x90 [ib_core]
uverbs_free_srq+0x1b/0x50 [ib_uverbs]
destroy_hw_idr_uobject+0x1e/0x50 [ib_uverbs]
uverbs_destroy_uobject+0x35/0x180 [ib_uverbs]
__uverbs_cleanup_ufile+0xdd/0x140 [ib_uverbs]
uverbs_destroy_ufile_hw+0x38/0xf0 [ib_uverbs]
ib_uverbs_close+0x17/0xa0 [ib_uverbs]
__fput+0xe0/0x2a0
__x64_sys_close+0x3a/0x80
do_syscall_64+0x55/0xac0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fa247984ea4
Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d a5 51 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d
RSP: 002b:00007ffecfa79498 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000200000000080 RCX: 00007fa247984ea4
RDX: 0000000000000040 RSI: 0000200000000200 RDI: 0000000000000003
RBP: 00007ffecfa794e0 R08: 00007ffecfa794e0 R09: 00007ffecfa794e0
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001
R13: 0000000000000000 R14: 0000200000000000 R15: 0000200000000009
---[ end trace 0000000000000000 ]---

Fixes: fd89099d635e ("RDMA/mlx5: Issue FW command to destroy SRQ on reentry")
Signed-off-by: Edward Srouji
Reviewed-by: Michael Guralnik
--- drivers/infiniband/hw/mlx5/srq_cmd.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx5/srq_cmd.c b/drivers/infiniband/hw/m= lx5/srq_cmd.c index 8b338539659933aef94a3e2c056e9400c3fb9bb0..c1a088120915c5741f37ed44fd2= e8139bcb6802e 100644 --- a/drivers/infiniband/hw/mlx5/srq_cmd.c +++ b/drivers/infiniband/hw/mlx5/srq_cmd.c
@@ -683,7 +683,14 @@ int mlx5_cmd_destroy_srq(struct mlx5_ib_dev *dev, stru= ct mlx5_core_srq *srq) xa_cmpxchg_irq(&table->array, srq->srqn, XA_ZERO_ENTRY, srq, 0); return err; } - xa_erase_irq(&table->array, srq->srqn); + + /* + * A race can occur where a concurrent create gets the same srqn + * (after hardware released it) and overwrites XA_ZERO_ENTRY with + * its new SRQ before we reach here. In that case, we must not erase + * the entry as it now belongs to the new SRQ. + */ + xa_cmpxchg_irq(&table->array, srq->srqn, XA_ZERO_ENTRY, NULL, 0); =20 mlx5_core_res_put(&srq->common); wait_for_completion(&srq->common.free); --=20 2.49.0
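
Review bot: the return value of the new xa_cmpxchg_irq(&table->array, srq->srqn, XA_ZERO_ENTRY, NULL, 0) is discarded, so the function treats every non-matching slot the same way. The comment covers one such case (a concurrent create reused the srqn); if the slot is instead found empty or still holding this srq, that would be a bookkeeping bug that now passes silently. Consider keeping the returned old entry and warning when it is NULL or equal to srq, or extend the comment to say that all other values are ignored on purpose.
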
From: Edward Srouji
Date: Mon, 6 Apr 2026 12:11:19 +0300
Subject: [PATCH rdma-next v2 08/11] RDMA/mlx5: Fix UAF in DCT destroy due to race with create
Message-ID: <20260406-security-bug-fixes-v2-8-ee8815fa81b7@nvidia.com>
References: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
To: Leon Romanovsky, Jason Gunthorpe, Chiara Meiohas, Dennis Dalessandro, Gal Pressman, Mark Bloch, Steve Wise, Mark Zhang, Neta Ostrovsky, Patrisious Haddad, Doug Ledford, Matan Barak, Maor Gottlieb
CC: Edward Srouji, Michael Guralnik

A potential race condition exists between mlx5_core_destroy_dct() and mlx5_core_create_dct() that can lead to a use-after-free.

After _mlx5_core_destroy_dct() releases the DCT to firmware, the DCTN can be immediately reallocated for a new DCT being created concurrently. If the create path stores the new DCT in the xarray before the destroy path erases it, the destroy will incorrectly delete the new DCT's entry. Later accesses then hit freed memory.

Fix by replacing the unconditional xa_erase_irq() with xa_cmpxchg_irq() that only erases the entry if it hasn't already been replaced (still contains XA_ZERO_ENTRY), preserving any newly created DCT.

Fixes: afff24899846 ("RDMA/mlx5: Handle DCT QP logic separately from low level QP interface")
Signed-off-by: Edward Srouji
Reviewed-by: Michael Guralnik
--- drivers/infiniband/hw/mlx5/qpc.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx5/qpc.c b/drivers/infiniband/hw/mlx5/= qpc.c index 146d03ae40bd9fd9650530fba77eb7e942d5fe79..a7a4f9420271a228e161aaac1ff= a432d304ce431 100644 --- a/drivers/infiniband/hw/mlx5/qpc.c +++ b/drivers/infiniband/hw/mlx5/qpc.c
@@ -314,7 +314,14 @@ int mlx5_core_destroy_dct(struct mlx5_ib_dev *dev, xa_cmpxchg_irq(&table->dct_xa, dct->mqp.qpn, XA_ZERO_ENTRY, dct, 0); return err; } - xa_erase_irq(&table->dct_xa, dct->mqp.qpn); + + /* + * A race can occur where a concurrent create gets the same dctn + * (after hardware released it) and overwrites XA_ZERO_ENTRY with + * its new DCT before we reach here. In that case, we must not erase + * the entry as it now belongs to the new DCT. + */ + xa_cmpxchg_irq(&table->dct_xa, dct->mqp.qpn, XA_ZERO_ENTRY, NULL, 0); return 0; } =20 --=20 2.49.0
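
Review bot: the added comment speaks of "the same dctn", while the call beneath it keys the xarray on dct->mqp.qpn, so a reader has to infer that both names mean the same number. Please use one term in the comment, for example "the same DCT number (dct->mqp.qpn)". The comment and call are also a near copy of the ones added to mlx5_cmd_destroy_srq() in the previous patch of this series; a one-line pointer between the two sites would help keep them in sync if the marker scheme changes.
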
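
The race described in the two mlx5 commit messages above (SRQ destroy and DCT destroy), replayed as an added user-space model that is not part of the patch series and not mlx5 code. A small slot table with a reserved marker stands in for the xarray and XA_ZERO_ENTRY; the names res_table, ZERO_ENTRY and replay(), and the assumption that destroy first parks the marker in the slot, are illustrative.

```c
/* Added example: single-threaded replay of the destroy/create race.
 * Everything here is a user-space stand-in, not kernel or mlx5 code. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_SIZE 8

/* Stand-in for XA_ZERO_ENTRY: a reserved non-NULL value meaning
 * "this number still belongs to an object that is being destroyed". */
static char zero_marker;
#define ZERO_ENTRY ((void *)&zero_marker)

struct res_table { _Atomic(void *) slot[TABLE_SIZE]; };
struct resource  { unsigned int num; };   /* num models srqn / dctn */

enum erase_mode { ERASE_UNCONDITIONAL, ERASE_IF_STILL_ZERO };
enum slot_state { SLOT_EMPTY, SLOT_ZERO, SLOT_NEW_OBJECT, SLOT_OTHER };

static void table_init(struct res_table *t)
{
    for (size_t i = 0; i < TABLE_SIZE; i++)
        atomic_init(&t->slot[i], NULL);
}

/* Store new_entry only if the slot holds old; return the value found. */
static void *table_cmpxchg(struct res_table *t, unsigned int idx,
                           void *old, void *new_entry)
{
    void *found = old;
    atomic_compare_exchange_strong(&t->slot[idx], &found, new_entry);
    return found;
}

/* Create: the modelled firmware hands out num, then the object is published. */
static void create(struct res_table *t, struct resource *r, unsigned int num)
{
    r->num = num;
    atomic_store(&t->slot[num], r);
}

/* Destroy, first half (assumption of this model): park the marker in the
 * slot; from here on the firmware may hand the number out again. */
static void destroy_begin(struct res_table *t, struct resource *r)
{
    table_cmpxchg(t, r->num, r, ZERO_ENTRY);
}

/* Destroy, second half: clear the slot, the old way or the patched way. */
static void destroy_finish(struct res_table *t, struct resource *r,
                           enum erase_mode mode)
{
    if (mode == ERASE_UNCONDITIONAL)
        atomic_store(&t->slot[r->num], NULL);        /* erase whatever is there */
    else
        table_cmpxchg(t, r->num, ZERO_ENTRY, NULL);  /* erase only our marker */
}

/* Replay one interleaving and report what the slot holds afterwards.
 * create_races != 0 places a create between the two destroy halves. */
static enum slot_state replay(enum erase_mode mode, int create_races)
{
    struct res_table t;
    struct resource old_obj, new_obj;
    const unsigned int num = 5;   /* constructed sample number */
    void *seen;

    table_init(&t);
    create(&t, &old_obj, num);
    destroy_begin(&t, &old_obj);
    if (create_races)
        create(&t, &new_obj, num);   /* same number, reused */
    destroy_finish(&t, &old_obj, mode);

    seen = atomic_load(&t.slot[num]);
    if (seen == NULL)
        return SLOT_EMPTY;
    if (seen == ZERO_ENTRY)
        return SLOT_ZERO;
    if (seen == (void *)&new_obj)
        return SLOT_NEW_OBJECT;
    return SLOT_OTHER;
}

int main(void)
{
    printf("unconditional erase, racing create: new object %s\n",
           replay(ERASE_UNCONDITIONAL, 1) == SLOT_NEW_OBJECT ? "kept" : "lost");
    printf("conditional erase, racing create:   new object %s\n",
           replay(ERASE_IF_STILL_ZERO, 1) == SLOT_NEW_OBJECT ? "kept" : "lost");
    return 0;
}
```

With the unconditional erase the new object is alive but no longer reachable through the table, which is the state the commit messages describe as leading to the later use-after-free.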
From: Edward Srouji Date: Mon, 6 Apr 2026 12:11:20 +0300 Subject: [PATCH rdma-next v2 09/11] IB/core: Fix IPv6 netlink message size in ib_nl_ip_send_msg() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-ID: <20260406-security-bug-fixes-v2-9-ee8815fa81b7@nvidia.com> References: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com> In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com> To: Leon Romanovsky , Jason Gunthorpe , "Chiara Meiohas" , Dennis Dalessandro , Gal Pressman , Mark Bloch , Steve Wise , Mark Zhang , "Neta Ostrovsky" , Patrisious Haddad , "Doug Ledford" , Matan Barak , , Maor Gottlieb CC: , , "Edward Srouji" , Maher Sanalla X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1775466677; l=1480; i=edwards@nvidia.com; s=20251029; h=from:subject:message-id; bh=Jq8SMqoLS1LE7WfgI2KdbBbflGEjDYrMCeWBfgAspUw=; b=fnoUzIL30l7O6sNiycpI2dmIAaH+++ZMZPRUjV/Y1RU2u1yDAz/82tlb6MW2XXPUHZ0S2nvQW 94oTsphq5U3Cx5BJjj2F785sz1qAT1kH0xaG/OtBnLlp9Y0v1EvecJq X-Developer-Key: i=edwards@nvidia.com; a=ed25519; pk=VME+d2WbMZT5AY+AolKh2XIdrnXWUwwzz/XLQ3jXgDM= X-NV-OnPremToCloud: ExternallySecured X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH3PEPF00000015:EE_|IA0PR12MB9047:EE_ X-MS-Office365-Filtering-Correlation-Id: b17cabfd-1da1-42ec-e502-08de93bc986b X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|82310400026|36860700016|376014|921020|18002099003|22082099003|56012099003; X-Microsoft-Antispam-Message-Info: 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 X-Forefront-Antispam-Report: 
CIP:216.228.118.233;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc7edge2.nvidia.com;CAT:NONE;SFS:(13230040)(1800799024)(82310400026)(36860700016)(376014)(921020)(18002099003)(22082099003)(56012099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: bxGoYT6+VnHHCjx5z+CVj7YaJfB4t/lyiZHA58B5k2onFokwDkwCoVEQ85rCqccjtpZvM/jLSpocAS5AwjkcMYcDg+HjNaIevN3tWZvUdCIGuRbZA6HDGfDsvV0bAG14kMbrXPkUU6/ivs/ZWNIxqn+v7CZoDyopWpMzhKaJuQOgaz1RiC4hLwb0RKuLtJuppn/W5YeO3KSJW8o25j+sOJvco5/wXTduJq5CuGLi89gUe/Ot5bATIOOMTBVz7IV8qC4zGmVj9ZRXfvg3GURf/NLofZsyMMaDXZMZECH23yAuaXLeCUlEmh+0RsImVCyarQvTS6sl8jn+ACVIw1fBtx29mfoensAraJDJbOhqYMjbylBoMFjbwvtAikO27M724AB6W8iAWS3jQ5MfEwfeHKYdZD1PP7pXd4+1HKhFI5TePmOdb+SSDPrU3wFRI+de X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Apr 2026 09:12:15.2114 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: b17cabfd-1da1-42ec-e502-08de93bc986b X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.118.233];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: CH3PEPF00000015.namprd21.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA0PR12MB9047 
From: Maher Sanalla

When resolving an RDMA-CM IPv6 address, ib_nl_ip_send_msg() sends a netlink request to the userspace daemon to perform IP-to-GID resolution in certain cases.

The function allocates the netlink message buffer using nla_total_size(sizeof(size)), which passes 8 bytes (the size of size_t) instead of 16 bytes (the size of an IPv6 address). This results in an 8-byte under-allocation.

This is currently masked by nlmsg_new() over-allocation of the skb in its internal logic. However, the code remains incorrect.

Fix the issue by supplying the proper IPv6 address length to nla_total_size().

Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
Signed-off-by: Maher Sanalla
Reviewed-by: Patrisious Haddad
Signed-off-by: Edward Srouji
---
drivers/infiniband/core/addr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c index 866746695712aeae425100eefb231e44d52d52d4..01c8e8806eebe511b405d17604c= ca28e3ed92571 100644 --- a/drivers/infiniband/core/addr.c +++ b/drivers/infiniband/core/addr.c 
@@ -150,7 +150,7 @@ static int ib_nl_ip_send_msg(struct rdma_dev_addr *dev_= addr, attrtype =3D RDMA_NLA_F_MANDATORY | LS_NLA_TYPE_IPV6; } =20 - len =3D nla_total_size(sizeof(size)); + len =3D nla_total_size(size); len +=3D NLMSG_ALIGN(sizeof(*header)); =20 skb =3D nlmsg_new(len, GFP_KERNEL); --=20 2.49.0
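
Review bot: In the `len` computation, the fix depends on `size` already holding the address length for the selected family, and that identifier is what made `sizeof(size)` look plausible in the first place; renaming it (for example to `addr_len`) here or in a follow-up would keep the mistake from coming back. The commit message should also state what the attribute-filling code after `nlmsg_new()` does when the skb has no slack, since whether it fails cleanly or writes past the buffer decides how urgently this needs backporting.
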
From: Edward Srouji
Date: Mon, 6 Apr 2026 12:11:21 +0300
Subject: [PATCH rdma-next v2 10/11] RDMA/core: Fix rereg_mr use-after-free race
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <20260406-security-bug-fixes-v2-10-ee8815fa81b7@nvidia.com>
References: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
To: Leon Romanovsky, Jason Gunthorpe, "Chiara Meiohas", Dennis Dalessandro, Gal Pressman, Mark Bloch, Steve Wise, Mark Zhang, "Neta Ostrovsky", Patrisious Haddad, "Doug Ledford", Matan Barak, Maor Gottlieb
CC: "Edward Srouji", Michael Guralnik, "Maher Sanalla"

From: Michael Guralnik

When a driver creates a new MR during rereg_user_mr, a race window exists between rdma_alloc_commit_uobject() for the new MR and the point where the code reads that MR to populate the response keys.

A concurrent rereg_mr or destroy_mr could destroy the MR in this window and cause UAF in the first thread.

Racing flow between two rereg_mr calls:

CPU0                                    CPU1
----                                    ----
rereg_user_mr(mr_handle)
 uobj_get_write(mr_handle) -> mr0
 mr1 = driver→rereg()
 rdma_alloc_commit_uobject(mr1)
 // mr1 replaced mr0 and is unlocked
 uobj_put_destroy(mr0)
                                        rereg_user_mr(mr_handle)
                                         uobj_get_write(mr_handle) -> mr1
                                         mr2 = driver→rereg()
                                         rdma_alloc_commit_uobject(mr2)
                                         // mr2 replaced mr1 and is unlocked
                                         uobj_put_destroy(mr1)
                                         // Destroys mr1!
 resp.lkey = mr1->lkey; // UAF - mr1 was freed!
 resp.rkey = mr1->rkey; // UAF - mr1 was freed!

Fix by storing lkey/rkey in local variables before the new MR is unlocked and using the local variables to set the user response.

Fixes: 6e0954b11c05 ("RDMA/uverbs: Allow drivers to create a new HW object during rereg_mr")
Signed-off-by: Michael Guralnik
Reviewed-by: Maher Sanalla
Signed-off-by: Edward Srouji
---
drivers/infiniband/core/uverbs_cmd.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core= /uverbs_cmd.c index a768436ba46805a81ab5a0b8acd4d64b4f2b1b51..91a62d2ade4dd0ce402604ec283= f8cdc70d2ef06 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -778,6 +778,7 @@ static int ib_uverbs_rereg_mr(struct uverbs_attr_bundle= *attrs) struct ib_pd *orig_pd; struct ib_pd *new_pd; struct ib_mr *new_mr; + u32 lkey, rkey; =20 ret =3D uverbs_request(attrs, &cmd, sizeof(cmd)); if (ret) 
@@ -846,6 +847,8 @@ static int ib_uverbs_rereg_mr(struct uverbs_attr_bundle= *attrs) new_mr->uobject =3D uobj; atomic_inc(&new_pd->usecnt); new_uobj->object =3D new_mr; + lkey =3D new_mr->lkey; + rkey =3D new_mr->rkey; =20 rdma_restrack_new(&new_mr->res, RDMA_RESTRACK_MR); rdma_restrack_set_name(&new_mr->res, NULL); 
@@ -871,11 +874,13 @@ static int ib_uverbs_rereg_mr(struct uverbs_attr_bund= le *attrs) mr->iova =3D cmd.hca_va; mr->length =3D cmd.length; } + lkey =3D mr->lkey; + rkey =3D mr->rkey; } =20 memset(&resp, 0, sizeof(resp)); - resp.lkey =3D mr->lkey; - resp.rkey =3D mr->rkey; + resp.lkey =3D lkey; + resp.rkey =3D rkey; =20 ret =3D uverbs_response(attrs, &resp, sizeof(resp)); =20 --=20 2.49.0
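
Review bot: `u32 lkey, rkey;` in the declarations hunk (@@ -778) is left uninitialized and is assigned only inside the two branches touched later in the patch, while `resp.lkey = lkey` and `resp.rkey = rkey` sit after both branches. Please confirm that no path reaches the response without passing through one of the two assignments, because otherwise uninitialized stack contents would be handed to userspace through `uverbs_response()`; initializing both to 0 at the declaration would rule that out.
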
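
Review bot: The snapshot `lkey = new_mr->lkey; rkey = new_mr->rkey;` in the new-MR branch (@@ -846) carries no comment, so a later cleanup could fold it back into `resp.lkey = mr->lkey`. A one-line comment stating that `new_mr` must not be dereferenced once `rdma_alloc_commit_uobject()` has unlocked it would document the invariant this fix relies on.
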
From: Edward Srouji
Date: Mon, 6 Apr 2026 12:11:22 +0300
Subject: [PATCH rdma-next v2 11/11] RDMA/mlx5: Fix null-ptr-deref in Raw Packet QP creation
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <20260406-security-bug-fixes-v2-11-ee8815fa81b7@nvidia.com>
References: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
To: Leon Romanovsky, Jason Gunthorpe, "Chiara Meiohas", Dennis Dalessandro, Gal Pressman, Mark Bloch, Steve Wise, Mark Zhang, "Neta Ostrovsky", Patrisious Haddad, "Doug Ledford", Matan Barak, Maor Gottlieb
CC: "Edward Srouji", Michael Guralnik, "Maher Sanalla"

From: Michael Guralnik

Raw Packet QPs are unique in that they support separate send and receive queues, using 2 different user-provided buffers. They can also be created with one of the queues having size 0, allowing a send-only or receive-only QP.

The Raw Packet RQ umem is created in the common user QP creation path, which allows zero-length queues.

Add a later validation of the RQ umem in Raw Packet QP creation path when an RQ was requested. This prevents possible null-ptr dereference crashes, as seen in the below trace:

 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN
 KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
 CPU: 6 UID: 0 PID: 3539 Comm: raw_packet_umem Not tainted 6.19.0-rc1+ #166 NONE
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
 RIP: 0010:__mlx5_umem_find_best_quantized_pgoff+0x37/0x280 [mlx5_ib]
 Code: ff df 41 57 49 89 ff 41 56 41 55 41 89 d5 41 54 4d 89 cc 4c 8d 4f 30 55 4c 89 ca 48 89 f5 53 48 c1 ea 03 48 89 cb 48 83 ec 18 <80> 3c 02 00 44 89 04 24 0f 85 01 02 00 00 48 ba 00 00 00 00 00 fc
 RSP: 0018:ff1100013966f4e0 EFLAGS: 00010282
 RAX: dffffc0000000000 RBX: 00000000ffffffc0 RCX: 00000000ffffffc0
 RDX: 0000000000000006 RSI: 00000ffffffff000 RDI: 0000000000000000
 RBP: 00000ffffffff000 R08: 0000000000000040 R09: 0000000000000030
 R10: 0000000000000000 R11: 0000000000000000 R12: ff1100013966f648
 R13: 0000000000000005 R14: ff1100013966f980 R15: 0000000000000000
 FS: 00007fae6c82f740(0000) GS:ff11000898ba1000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000200000000000 CR3: 000000010f96c005 CR4: 0000000000373eb0
 Call Trace:
  create_qp+0x747d/0xc740 [mlx5_ib]
  ? is_module_address+0x18/0x110
  ? _create_user_qp.constprop.0+0x18e0/0x18e0 [mlx5_ib]
  ? __module_address+0x49/0x210
  ? is_module_address+0x68/0x110
  ? static_obj+0x67/0x90
  ? lockdep_init_map_type+0x58/0x200
  mlx5_ib_create_qp+0xc85/0x2620 [mlx5_ib]
  ? find_held_lock+0x2b/0x80
  ? create_qp+0xc740/0xc740 [mlx5_ib]
  ? lock_release+0xcb/0x260
  ? lockdep_init_map_type+0x58/0x200
  ? __init_swait_queue_head+0xcb/0x150
  create_qp.part.0+0x558/0x7c0 [ib_core]
  ib_create_qp_user+0xa0/0x4f0 [ib_core]
  ? rdma_lookup_get_uobject+0x1e4/0x400 [ib_uverbs]
  create_qp+0xe4f/0x1d10 [ib_uverbs]
  ? ib_uverbs_rereg_mr+0xd40/0xd40 [ib_uverbs]
  ? ib_uverbs_cq_event_handler+0x120/0x120 [ib_uverbs]
  ? __might_fault+0x81/0x100
  ? lock_release+0xcb/0x260
  ? _copy_from_user+0x3e/0x90
  ib_uverbs_create_qp+0x10a/0x150 [ib_uverbs]
  ? ib_uverbs_ex_create_qp+0xe0/0xe0 [ib_uverbs]
  ? __might_fault+0x81/0x100
  ? lock_release+0xcb/0x260
  ib_uverbs_write+0x7e5/0xc90 [ib_uverbs]
  ? uverbs_devnode+0xc0/0xc0 [ib_uverbs]
  ? lock_acquire+0xfa/0x2b0
  ? find_held_lock+0x2b/0x80
  ? finish_task_switch.isra.0+0x189/0x6c0
  vfs_write+0x1c0/0xf70
  ? lockdep_hardirqs_on_prepare+0xde/0x170
  ? kernel_write+0x5a0/0x5a0
  ? __switch_to+0x527/0xe60
  ? __schedule+0x10a3/0x3950
  ? io_schedule_timeout+0x110/0x110
  ksys_write+0x170/0x1c0
  ? __x64_sys_read+0xb0/0xb0
  ? trace_hardirqs_off.part.0+0x4e/0xe0
  do_syscall_64+0x70/0x1360
  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 RIP: 0033:0x7fae6ca3118d
 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b cc 0c 00 f7 d8 64 89 01 48
 RSP: 002b:00007ffe678ca308 EFLAGS: 00000213 ORIG_RAX: 0000000000000001
 RAX: ffffffffffffffda RBX: 00007ffe678ca448 RCX: 00007fae6ca3118d
 RDX: 0000000000000070 RSI: 0000200000000280 RDI: 0000000000000003
 RBP: 00007ffe678ca320 R08: 00000000ffffffff R09: 00007fae6c8ec5b8
 R10: 0000000000000064 R11: 0000000000000213 R12: 0000000000000001
 R13: 0000000000000000 R14: 00007fae6cb71000 R15: 0000000000404df0
 Modules linked in: mlx5_ib mlx5_fwctl mlx5_core bonding ip6_gre ip6_tunnel tunnel6 ip_gre gre rdma_ucm ib_uverbs rdma_cm iw_cm ib_ipoib ib_cm ib_umad ib_core rpcsec_gss_krb5 auth_rpcgss oid_registry overlay nfnetlink zram zsmalloc fuse scsi_transport_iscsi [last unloaded: mlx5_core]
 ---[ end trace 0000000000000000 ]---
 RIP: 0010:__mlx5_umem_find_best_quantized_pgoff+0x37/0x280 [mlx5_ib]

Fixes: 0fb2ed66a14c ("IB/mlx5: Add create and destroy functionality for Raw Packet QP")
Signed-off-by: Michael Guralnik
Reviewed-by: Maher Sanalla
Signed-off-by: Edward Srouji
---
drivers/infiniband/hw/mlx5/qp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/q= p.c index 69914406156c448e9f1cafbc8165d04e120e36bd..95229fd3627447510dafcc798c3= 6158ed6991233 100644 --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -1603,6 +1603,11 @@ static int create_raw_packet_qp(struct mlx5_ib_dev *= dev, struct mlx5_ib_qp *qp, } =20 if (qp->rq.wqe_cnt) { + if (!rq->base.ubuffer.umem) { + err =3D -EINVAL; + goto err_destroy_sq; + } + rq->base.container_mibqp =3D qp; =20 if (qp->flags & IB_QP_CREATE_CVLAN_STRIPPING) --=20 2.49.0
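
Review bot: The new `goto err_destroy_sq` inside `if (qp->rq.wqe_cnt)` can be taken for a receive-only QP, which per the commit message has a zero-size send queue, so please confirm that the `err_destroy_sq` label does not try to destroy an SQ that was never created. The commit message should also say which user input yields a non-zero `rq.wqe_cnt` together with a NULL `rq->base.ubuffer.umem`, so reviewers can judge whether the check belongs here or earlier, where the umem is created.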