From nobody Mon Jun 8 04:24:59 2026 Received: from PH7PR06CU001.outbound.protection.outlook.com (mail-westus3azon11010022.outbound.protection.outlook.com [52.101.201.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B280D1DB356; Sun, 7 Jun 2026 18:18:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.201.22 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856335; cv=fail; b=E24Am8xcduuon3wfXsVSCugDE91nTluArpM9+iZbaWk9zjYBbkSOLCP9kjk4iBs3rXrYKJxiQEteneOSOcRdqXWTkSVmZfuSsXkuGZcSDR7G9vPbppnttArTZAvuGdLE3u/DZjBTTmhFxwbyEPP/JznHWpglwjqE4Ti9omG42Mc= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856335; c=relaxed/simple; bh=tnWsi7hP1kr+6qOXEDajMLmwUQczZktE2zegLvuSPVs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=WMJIXQm3xxpCi92Ktr/0CohhJiT8OkdvpOapN7zGGqOufEuHkAfF3X4QojfrQySk4HHRSz0ZvrWdZqv9uT/ALgv3n+sbX5D1en8ZUJ15nX3bUDmkV/xDoGTjuj+XhdRw1eBw9l+ifosRKBw4nex+2/Wy7biuC6+W5vDzOXKChDY= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=cwaJJPJD; arc=fail smtp.client-ip=52.101.201.22 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="cwaJJPJD" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=FcJnNA0qktn/P6RHDRwxENgOqtsbC5quBYV2lv+gBLwvI6YbqpKqZDXBz8wflkrb197n22oPJvjmQ/ymUy7mIdLI7cTv88mdoqQl1QV+onhdXzcKo3d4jsYDuwZZw512oBOaIvl4DnSrWfMUVJVumY0xbq4y9F4svt9SQJmBpn1pxD/Khl0+vetpeY44zlEyqteAv4b4I2qk4gnuv4mdt8VCPHbhbY3QL1R8MBb7sE2j8vmaQGzHbF3bw4oe84FK/s3kFmeVGuBCbgvMSj41pLJQlNX9q3AbZMSdepFBLaE9P7VpT2i5lR3hb4RD0FXVdj7kDrGMe6JRWw6z0H1Txg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=L8NAQVSTCp4D3cLjFn2VXuuGRkO1tKiay3f/TiEUst8=; b=EgFroGytu+M2wqjpO62DS/tW6yVr4fU2O/xlh4au84/nYsHMM6xdsCSyfdH/iSdGyKmd53mvk/bAvlmWm3WcDH2HG/sB5W3AHSU5VAR0SFJ59QxI92zekhHKCzW5PLF9mzbKq6VpS004AMpNulyWbZisLhrMPF48HHjT4iUmkSK0qkD46aMbQN4NIH19FuyiDdK3DwIJRmZmP711IZ7qLgyGSw+O3khAS9RXSDvjVYkqSmaiQ/qa7WeHDNaOcgsvVVXLkXZn/+8n79NxNqSPUWPtZ1IFuF00FnMfPwXLTaffcwZrXq9U6Wm3VmLXmyeXvDjrx22wibCOJGDS+lo2nQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=L8NAQVSTCp4D3cLjFn2VXuuGRkO1tKiay3f/TiEUst8=; b=cwaJJPJD1gN7sBDGW2tIqkv17LvV770N4aw5mlSo+oQZEWAEg+3P9WU3SLXsVyr3mofq4y+ivz3buagLqv5epYaM4Azh34RPmKMxrPPmsO985OBjXE/f2ZMTKA5X5rFFksxspAUkSoFx2i3eeVLrl2j6VEmeK5vuIXcB9+cr2RxAtFeTvMSHsIuYqNl2idPgl62xhyAMqSx0YyiW9dOxyefGC4XrvdMNyCJ/rYd/0DEOkawvdXY6Q6oielfHZkQvtqc68i3paQ3uqKIHbVigT/crCbLJGsfyKE/FupYhPcoEp8YtLqcz2Y0Q9q9jL82mTDh/U/if/tQc9678QFkjqw== Received: from MW4PR03CA0100.namprd03.prod.outlook.com (2603:10b6:303:b7::15) by DM3PR12MB9352.namprd12.prod.outlook.com (2603:10b6:0:4a::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.12; Sun, 7 Jun 2026 18:18:49 +0000 Received: from CO1PEPF00012E81.namprd03.prod.outlook.com (2603:10b6:303:b7:cafe::52) by MW4PR03CA0100.outlook.office365.com (2603:10b6:303:b7::15) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.92.12 via Frontend Transport; Sun, 7 Jun 2026 18:18:49 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.160) by CO1PEPF00012E81.mail.protection.outlook.com (10.167.249.56) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.7 via Frontend Transport; Sun, 7 Jun 2026 18:18:49 +0000 Received: from rnnvmail202.nvidia.com (10.129.68.7) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:37 -0700 Received: from rnnvmail201.nvidia.com (10.129.68.8) by rnnvmail202.nvidia.com (10.129.68.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:36 -0700 Received: from [10.135.59.1] (10.127.8.10) by mail.nvidia.com (10.129.68.8) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Sun, 7 Jun 2026 11:18:33 -0700 From: Edward Srouji Date: Sun, 7 Jun 2026 21:18:08 +0300 Subject: [PATCH rdma-next 1/6] RDMA/mlx5: Remove DCT restrack tracking Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-ID: <20260607-restrack-uaf-fix-v1-1-d72e45eb76c2@nvidia.com> References: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> In-Reply-To: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> To: Leon Romanovsky , Jason Gunthorpe , "Chiara Meiohas" , Maor Gottlieb , "Dennis Dalessandro" , Gal Pressman , Steve Wise , Mark Bloch , Mark Zhang , Neta Ostrovsky CC: , , "Edward Srouji" , Patrisious Haddad , "Michael Guralnik" X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1780856308; l=2029; i=edwards@nvidia.com; s=20251029; h=from:subject:message-id; bh=I3eCSvjor6tOhN1n50Dr+ed/Yc2Brub1ml3jF8a9GI4=; b=C6zh3fM+ZeiYygyey8/z1WzcjvIBHoMsBeutom5ch/jioQH0c0C7wh4XMTSmzCSzrZQpWZ8dR PEA5LIlC7N6D5kd0I8LS8q4sQayLH4gB0FXDqkN5HOPJj6ow17Oj5EV X-Developer-Key: i=edwards@nvidia.com; a=ed25519; pk=VME+d2WbMZT5AY+AolKh2XIdrnXWUwwzz/XLQ3jXgDM= X-NV-OnPremToCloud: ExternallySecured X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CO1PEPF00012E81:EE_|DM3PR12MB9352:EE_ X-MS-Office365-Filtering-Correlation-Id: 1d2b04b0-69e5-435a-3297-08dec4c138b2 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|36860700016|376014|82310400026|22082099003|18002099003|921020|11063799006|56012099006; X-Microsoft-Antispam-Message-Info: deCN3RniN8VyO5Z74K5ycKnV/T9rZNi1fNyMoyTvhjbr9XJSLBnVichCCjGdRuwaGPXm5Fy28re94WW+Yw4wMYVIPobBBVfwJxwn0//bcPOkOXeIfln8RmE0KUOork7U4erZkdNqSeDnRUQkAjg81XTxN556bRyXluvbdQ37fjSeKo76wVXI4JltH1I3TD0SwcOsNLVI25g3sEV3A7ebkY5ypys2hZ1kPLYjNSu+frUhbebXS+bJQ0pHENA6ttZvSdefuWtYpW2BZSB+dDwb6DYlsTBrWTG3uSGbrzKeyGJs9x/8TI90Bxofe52+Oh5mjDQcQm/EUmbGqXFkQAZ6GcvhKTEiYL4sttM6z4n/tb/y4Z8cK0N9tLixXmVym89inB5q7AetrZJXQj00qqhTtOXtq4EDZteUxiEg5imkGvOlggGUYSuvj586OdXhPuf4b2biA2TfVaaeJTL8ob1TQT5CKy2zXjnbVbQtMeivfrYvjDwL7r0tcjscw+mwhLXeTZdwIvF1XRgASUXw/pHB/FetECb7PPKeMrJkwIg30BwM80HL91c8Vch8QCnZD5u7gmPdg4U0XBtsICCU+z16oLCNgKSPFmeIJk4UwJp2Y1NZIYmNxNQm0YFz9VeyHdjIJWw0IakOiqfDBilVukwbnWe1ADs97Loequ8kbr7GrEG1WDx4hWK0sT0EUQ8TGS7sscL5xWzkBCbxVSl0EClgzLGXwt/rii3jpmiJAhAlH72ziV7hY7WeOlAa5SLzjw6O2uICkeefaLBEys4HhS/5ZQ== X-Forefront-Antispam-Report: CIP:216.228.117.160;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge1.nvidia.com;CAT:NONE;SFS:(13230040)(1800799024)(36860700016)(376014)(82310400026)(22082099003)(18002099003)(921020)(11063799006)(56012099006);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: MFKjTLlIrmfsBYIR9ft9moNfM71D5oCtTDmZqAY1+cBqsIrveZVTK7Y9RgKXZkppBC+H5qPtQBh1+BtB0c7buNys1xNSkoiBo+fzQYXsXF8GgeeKvYgyRRL/xK5p03ML+ZeW3Oa23AtMViNBeHZDaGje/4t44t9WUSLF+SCHUNR3jN/Fb615F3t+N37of3iSam58WMJsN063ySzZa+GhZE9lSsIptEicq+6QEkupbD2pl04nqXu4rcLkC50q5RYLuCo6BgQd9NYjlVhGJQ7cSeFwqoTKR1m3y/1aDvQf7yIRc6OBzIWQ68HHf4XEmk3UMHZOShUSpl7SxJDsjLkroX8cStlFaUk6YINSpNkGW8hOlGCal3YStwnHS3xXcKOjhlBL+bcPw2wTjVeH6HldGV9rQbbNekYs8vg3berMdvTGQsHChE5aaqhNv9/mFKm7 X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Jun 2026 18:18:49.0717 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 1d2b04b0-69e5-435a-3297-08dec4c138b2 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: CO1PEPF00012E81.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM3PR12MB9352 From: Patrisious Haddad DCT restrack tracking wasn't working to begin with as it was only tracking the first DCT which was added, since at creation the DCT number isn't yet initialized because the DCT FW object is only created during modify. The following DCT additions were failing silently. Since the fix isn't trivial and there were no users that required or complained about this issue we are dropping this for now instead of fixing. Fixes: fd3af5e21866 ("RDMA/mlx5: Track DCT, DCI and REG_UMR QPs as diver_de= tail resources.") Signed-off-by: Patrisious Haddad Reviewed-by: Michael Guralnik Signed-off-by: Edward Srouji --- drivers/infiniband/hw/mlx5/qp.c | 1 + drivers/infiniband/hw/mlx5/restrack.c | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/q= p.c index e8d34d54b43527e0595ec9e2fb93dc7e9bedba92..a16da733d99fa1f6fdb9ee86446= 5acf45a6abb3d 100644 --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -3135,6 +3135,7 @@ static int create_qp(struct mlx5_ib_dev *dev, struct = ib_pd *pd, =20 switch (qp->type) { case MLX5_IB_QPT_DCT: + rdma_restrack_no_track(&qp->ibqp.res); err =3D create_dct(dev, pd, qp, params); break; case MLX5_IB_QPT_DCI: diff --git a/drivers/infiniband/hw/mlx5/restrack.c b/drivers/infiniband/hw/= mlx5/restrack.c index 67841922c7b8770c86fb5a47588e09560d0004f5..00a9bcb2603f0b094bcef8a4ffe= 6564699a85769 100644 --- a/drivers/infiniband/hw/mlx5/restrack.c +++ b/drivers/infiniband/hw/mlx5/restrack.c @@ -178,9 +178,6 @@ static int fill_res_qp_entry(struct sk_buff *msg, struc= t ib_qp *ibqp) ret =3D nla_put_string(msg, RDMA_NLDEV_ATTR_RES_SUBTYPE, "REG_UMR"); break; - case MLX5_IB_QPT_DCT: - ret =3D nla_put_string(msg, RDMA_NLDEV_ATTR_RES_SUBTYPE, "DCT"); - break; case MLX5_IB_QPT_DCI: ret =3D nla_put_string(msg, RDMA_NLDEV_ATTR_RES_SUBTYPE, "DCI"); break; --=20 2.49.0 From nobody Mon Jun 8 04:24:59 2026 Received: from BN1PR04CU002.outbound.protection.outlook.com (mail-eastus2azon11010029.outbound.protection.outlook.com [52.101.56.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7C90213FEE; Sun, 7 Jun 2026 18:18:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.56.29 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856333; cv=fail; b=sOzcc9vD2457SGR7qb1jIpKR8FKXbTXmrsYQ1eKEhOO8AIQ9W/F7I/Mcz88A5xn8jRnChla60jZBuo+CHrIE40oyU24l/Ccayn2kcY4n4yIW40kQCPiesYO8jLkm3FtG7X8nAk+LMsBB/sPUvHzeLUkFetF1r7MA0Tn0rH4Ppw0= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856333; c=relaxed/simple; bh=a1g2v1YBvjhocTfZCEgP1qcJrWabrrCjy/CwTu4G8Tk=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=mbOZMFMdrFHMHeikrV5pA9t15VdZ2ldxVsJEKCSYt7le5IfFzCVEEuMBAJYZJqSNaL81UTxF7MuE4wmy+Le959wxPv5rFldZSGVmQuKN9O1L5AYI3Zzmgy+zA+Yt0wRTSSOAl96B/XprCyKSB/nkn2pW/RcY7ZFOXCuIE9z0u/E= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=XkW9hcwM; arc=fail smtp.client-ip=52.101.56.29 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="XkW9hcwM" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=fIJa0dsXylLFhpGdeBDS9rYW6BTyjtK1YmGd6ZNmoBtnoSGiXBHk9dgN9sfSp/mbHieUle1HeU2P2jUkYrs+2+Un3iSQN0sVz1V81EcklJ3pHj+glv/br9zzO8Tmyt1ruWG7dJ6VNkQ9Phet5ye+R/H7/rAWBdqG3plWJ7i0dj+dN8HnKJQmNf16yHP+2vSQ3P+rxwlbF8wB2RZeNvIoWOBzGCgx5Y/5aGdjVmn/lFQaX5lGlrQam6qQA4ePvgQTnYiMUXwrR+PiokRtHwy1/Adoy/Akk1qQSYDYIrgoCVlmfGiL6sWmNw5+GXjHR3IURxgAtdF1xq0PSdmKUhnDZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=uxqCoYK9cSGBeu9TpEkn0pb5ThybRXr7nIJf6S5V7AY=; b=EEMCalmGLR6ojoUG37nXXXDpaEzehy9khW/WV3UGzI39CLBmuoDynByFv3R/oNepQL+/wH6G568hmuf6Uk9YcPMkLBP735DuvXyazg9omXef7IQWIeMu+0D6gHFiG3wAYh30DXw4kkdUzFg0y2V/QieYDsNf+1jrMyFInIiEXFYNES7OXEHRoK+ge3KKNE8EzS+7hKFzbnJ4u5/FgJpu8Tbdset5tAAcOF/viq07p6nOCb8zvGkAVYQ9OsDwB2OZ6qgSB79kymHhXPwNn5GApmUqphZ9l5SQUpptCaMyNFPcw9uM52DIZn3/w5XOzow0zml5v3nPkntgyzrWpoQfxA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.161) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uxqCoYK9cSGBeu9TpEkn0pb5ThybRXr7nIJf6S5V7AY=; b=XkW9hcwM900lVieXKjt13o49QSQbH0nkUkpLnKzcXDILfpKIjEfBMbuCxUsOOzOen7vbZ4VGzQ+pyMqsGyiPw7BL24c/ba/BRon9n/S9BuVw/E+YE5HGun2tYE6iCjRn87ij2iU2N2uA2PfH7OMhKM+RO7/Qgj28pKdtqyAjYrtS8KfB1U2wvADO/YApSv7nfylF/HP87eM4VEyrTmTFsTG2Z2MB8KLA8bBSeoEe/HJ3xA+pbXrWkb0xAFPTb8/8UEjdEW4U+Oa+YiOkQNR3WozOezap8DQi3mrsEAAkMdeym9BLSShXzHiin4O/kKLxvZnvW6c//9Vy52woJJmpOg== Received: from MW4PR04CA0111.namprd04.prod.outlook.com (2603:10b6:303:83::26) by DM4PR12MB6614.namprd12.prod.outlook.com (2603:10b6:8:bb::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.12; Sun, 7 Jun 2026 18:18:47 +0000 Received: from SJ1PEPF00002325.namprd03.prod.outlook.com (2603:10b6:303:83:cafe::80) by MW4PR04CA0111.outlook.office365.com (2603:10b6:303:83::26) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.92.12 via Frontend Transport; Sun, 7 Jun 2026 18:18:46 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.161 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.161) by SJ1PEPF00002325.mail.protection.outlook.com (10.167.242.88) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.7 via Frontend Transport; Sun, 7 Jun 2026 18:18:46 +0000 Received: from rnnvmail202.nvidia.com (10.129.68.7) by mail.nvidia.com (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:41 -0700 Received: from rnnvmail201.nvidia.com (10.129.68.8) by rnnvmail202.nvidia.com (10.129.68.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:40 -0700 Received: from [10.135.59.1] (10.127.8.10) by mail.nvidia.com (10.129.68.8) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Sun, 7 Jun 2026 11:18:37 -0700 From: Edward Srouji Date: Sun, 7 Jun 2026 21:18:09 +0300 Subject: [PATCH rdma-next 2/6] RDMA/mlx5: Remove raw RSS QP restrack tracking Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-ID: <20260607-restrack-uaf-fix-v1-2-d72e45eb76c2@nvidia.com> References: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> In-Reply-To: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> To: Leon Romanovsky , Jason Gunthorpe , "Chiara Meiohas" , Maor Gottlieb , "Dennis Dalessandro" , Gal Pressman , Steve Wise , Mark Bloch , Mark Zhang , Neta Ostrovsky CC: , , "Edward Srouji" , Patrisious Haddad , "Michael Guralnik" X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1780856308; l=1292; i=edwards@nvidia.com; s=20251029; h=from:subject:message-id; bh=9tGJJV2RtEHUlmoA3QkRav3nmmfe0EesfGn/t0IIlOM=; b=uDr1rtK4SWl/IHzW07L+29lT2YptygUONd/En3IVeE4GSu7waEB87dZC9182l1RCNbB0NWAXA vQeWtqK2u1vCDioYF91koFN/jitzr92xOyxNS3Iih2FRda62cwty/kL X-Developer-Key: i=edwards@nvidia.com; a=ed25519; pk=VME+d2WbMZT5AY+AolKh2XIdrnXWUwwzz/XLQ3jXgDM= X-NV-OnPremToCloud: ExternallySecured X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SJ1PEPF00002325:EE_|DM4PR12MB6614:EE_ X-MS-Office365-Filtering-Correlation-Id: b1151f30-2285-4ce6-e270-08dec4c13717 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|36860700016|1800799024|82310400026|376014|921020|11063799006|56012099006|18002099003|22082099003; X-Microsoft-Antispam-Message-Info: 980JS3HR9F4JM9wxg37ZCipM9vICkxLxDgyoC7bK0envbw6wCM8vLWFxrutR3DuZg9w0KLYzGIqjplixl/hP33KOChrpBd2VqPc1l3c/NKjvFkJ4tcbWTR68K1Ib0x51rGwJhRMJZun7hVRMnt6YvqtdOSZR8zMqjoxx38WhFCQTaE5Kg49/VK2l0TadjzVpzqcI770PRYpNBoGo0XaGBcaC1zgg6ysUlLcNoO859NZRNasWf1zcf6EFM0Ld0MmMonj+3OFVwDIEvpwKB/1sBpmtUCCqusz62JpRn0q9UGO3AmSGOhg1Rq1VCKu7DaZ39uWaz97OKtp3NZgOgsC5H4YTbnBN0lkj+QrsIJlKQnypShGpnfVXcBhVTFWCY1S/omqJOLksqpX7paQZ8dd1uEEtxiDSJSDvFo7Cknrk3xWBcUco25TT+j3nzZnV9m6wsEasmdLiql2vZaS1rGSvMDQ/t4gWXqI4GUliukoSbaM5pjZa+vAbwY/93N3VCIV/fDX7yjhF54xxUh0FysMMtGHRjH4N+/mkghOuNbnszblXXr4f4gJwyBkWCbhl1bVjAPpYRDF+z73Q0e7/+ZGJY8tozzeaNnC8tsv4ObKog6eiwBgeZD6C76peP4VvEy643y0Ex/SKXlANjN/fDuOJN2WqwedIgl6/2B7geNfB4HgigouDBINF//7WLuscAlsCRcYgU++IchQmPUnr3TcI7nZtmEi1YITUjMcBHxjlgwSMj+qaayOCa8gkoVkfT6sSSplZ4a2VNFFQdk9L8c+SaQ== X-Forefront-Antispam-Report: CIP:216.228.117.161;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge2.nvidia.com;CAT:NONE;SFS:(13230040)(36860700016)(1800799024)(82310400026)(376014)(921020)(11063799006)(56012099006)(18002099003)(22082099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 1O1rehy/7DXBRgpXM1tPYffOUidYtvrw2oXm/ywX/XG+6iw4PqZ0XI9ClDJTfnUTlTQnnqYo77fIZRZhaUaTfbL4kdNp+oFVvJsU8U6Ge0XrCEPwlJCw1/gYecwq8Kkst7Yuh/4E3DXg22szukn2SwDrVIsTNy075FRzZfJY+2EdsheUpNOiXCVpPq9tcyPhvjDAVjsCVelE9FAs0dq/kqH/d8uOizqQOrRn5hcgi7HSIdD74iv75wRck0+tgWAfmVBuo4LKim1u7mpY4vWvSgG0U/fqv0QyNS4WYvXsbvff6qWlonccl2NuLKJMf7yEDgMKUrKd7tsHDPG0UeiSGIxUCeWOzhu8sUcNjxifNmaee+/T/4YxTQ0MEcb1jOquCqp0WNGJJt2IKwZBWD9Ctilt5c4sQQqJRQyIDV7G1u7bicNK3ePUqM0V8/F/IDo+ X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Jun 2026 18:18:46.4729 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: b1151f30-2285-4ce6-e270-08dec4c13717 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.161];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF00002325.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR12MB6614 From: Patrisious Haddad Raw RSS QP restrack tracking wasn't working to begin with as it was only tracking the first raw RSS QP which was added, since at creation the raw RSS QP number is reserved so the QP number for this qp type was always zero. The following raw RSS QP additions were always failing silently. Since the fix isn't trivial and there were no users that required or complained about this issue we are dropping this for now instead of fixing. Fixes: 968f0b6f9c01 ("RDMA/mlx5: Consolidate into special function all crea= te QP calls") Signed-off-by: Patrisious Haddad Reviewed-by: Michael Guralnik Signed-off-by: Edward Srouji --- drivers/infiniband/hw/mlx5/qp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/q= p.c index a16da733d99fa1f6fdb9ee864465acf45a6abb3d..d7fffc0d818f39ca9c75b386811= fb016f547a32c 100644 --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -3129,6 +3129,7 @@ static int create_qp(struct mlx5_ib_dev *dev, struct = ib_pd *pd, int err; =20 if (params->is_rss_raw) { + rdma_restrack_no_track(&qp->ibqp.res); err =3D create_rss_raw_qp_tir(dev, pd, qp, params); goto out; } --=20 2.49.0 From nobody Mon Jun 8 04:24:59 2026 Received: from SA9PR02CU001.outbound.protection.outlook.com (mail-southcentralusazon11013052.outbound.protection.outlook.com [40.93.196.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 748E32BE026; Sun, 7 Jun 2026 18:18:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.93.196.52 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856336; cv=fail; b=J34hr/laFOPbPjvj0KQUdxys58xzAvwtLoJC722THvczuIuuHw6McOeiPTIxOXyd+Pqn3jbuMahps3Cj7Otue18578Xb2mUu3pL5MEZwcUrfIXf1wNR4UmFMm1vPpxnzToFqe1ro8Uarv/B/YhHZWywYHvmreVlj526w2ocxwfE= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856336; c=relaxed/simple; bh=Cx1flle/7XD7chI4sJWp87NBCr7T3R7OMDdsvcz1kJo=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=F5OnxHEqEm5S9uGWZAelZY9YNQgYVT+Ewa78NLODiQVUIz3EueQyXrbHIw7wHpE2FjaJECWv+efsWQJH1SKhZVo5hY+U08TwTHkoXseWfDHuFEpU+TxezfhbrKcjFyWSthaGCCx3yxlF5W5myJZq+zhfrsoFeQRc3lfbbJ8Yqfw= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=puvrGNHJ; arc=fail smtp.client-ip=40.93.196.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="puvrGNHJ" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=PDzFM1SJruoMRMT1d8At7pP1rB0clH7a9R9CPoR1IdbDtzs7EJkFLBVN24rzZo6XpCVgTqYyi5w8bjVCso7m7q90uZBdgREmOJc1p7RRhmc0JxfuFhmhZgtPU8/RA2flvLcX7PLrCukIgsGbMR+MHtiv4sZSOuDMt9XBPGVJ4hFnQztQ3bYLl+Wt+iqa1K4zVeNDfW7DEiQpnOP8yTK59L54aG4j9H/MHU+BGq3Esc/8D7mX0FhaKDwaTiC0GPlzttnJCRb7xLf0pBZFiZ66gxmHAg0aszEWiVh4YtPBrS5NNAwcnL7llC6nOtZIlMXYYQ2Ffe3z2SFVX5Kaa7LhCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=zlUsdSe+uvMgCzXrknpA5KkFgML5XCyxy8pBZjumdEs=; b=hauYbLYxqseexPsznKGIuuzM8irEpjR9/6ne1AyRxiCQBMawx97y8RX0ueRbeQLY5kQ4kNzjOQ/g600d4VlgdzyNPcE5FM5AZxf+BZDQZDxXWqf9L5N3SIDeUqXNCDtOV7W/q9iXHFoys/gObiiYFmTY8bPF4vRB4Q7XfUY/VZ76n6awbL0bresB8O2pgzDhc+KyblKM8173b2ko+vWJiUIEN5/eTY7m0P9N/88ImSbDZt66NXQX7t9HsH+y1FEv2lAJ6ixnIhey47aEK/VBFqGCLSL3Jp1LW5368bbrfaMmNn2d5aN1D05AFROccqN0lKT5HMzrkoF/j8RxPz57TA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.161) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zlUsdSe+uvMgCzXrknpA5KkFgML5XCyxy8pBZjumdEs=; b=puvrGNHJ32XNPiAOAZ3wOQaiNRM82VucMqtTdbB59D0ghlgyJ+soweW4NbP1JHqEnmVw5SiqPtN7K4vrRX5PwPR2S2X35tfrIVWjPJSg31INrxmD2TiNuT5wiuUpIdA/D/tRm2oLfQPUBmdHvNB0lZxh0f0Cf8z8qNfsdW/wUCtydtzaH7MRucxPd3teE1uPAgifd/eZ7Th26/ociAf7sET+lSLMZPMyMRuNcdkMJkYQSzFcO2OzAxWqJrzzEVzBsbfuXBnT/ZOLq26rVGZ3WL6OQm7wAlIRcFbl0cyKEpOsgSmDg7eCHtulvj6sTLtlKftyeYNPrRMtzNf5+tiG2Q== Received: from MW4PR04CA0102.namprd04.prod.outlook.com (2603:10b6:303:83::17) by EAYPR12MB999180.namprd12.prod.outlook.com (2603:10b6:303:2c2::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9913.11; Sun, 7 Jun 2026 18:18:50 +0000 Received: from SJ1PEPF00002325.namprd03.prod.outlook.com (2603:10b6:303:83:cafe::98) by MW4PR04CA0102.outlook.office365.com (2603:10b6:303:83::17) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.92.12 via Frontend Transport; Sun, 7 Jun 2026 18:18:50 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.161 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.161) by SJ1PEPF00002325.mail.protection.outlook.com (10.167.242.88) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.7 via Frontend Transport; Sun, 7 Jun 2026 18:18:49 +0000 Received: from rnnvmail202.nvidia.com (10.129.68.7) by mail.nvidia.com (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:45 -0700 Received: from rnnvmail201.nvidia.com (10.129.68.8) by rnnvmail202.nvidia.com (10.129.68.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:44 -0700 Received: from [10.135.59.1] (10.127.8.10) by mail.nvidia.com (10.129.68.8) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Sun, 7 Jun 2026 11:18:41 -0700 From: Edward Srouji Date: Sun, 7 Jun 2026 21:18:10 +0300 Subject: [PATCH rdma-next 3/6] RDMA/core: Add rdma_restrack_begin/abort/commit_del() operations Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-ID: <20260607-restrack-uaf-fix-v1-3-d72e45eb76c2@nvidia.com> References: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> In-Reply-To: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> To: Leon Romanovsky , Jason Gunthorpe , "Chiara Meiohas" , Maor Gottlieb , "Dennis Dalessandro" , Gal Pressman , Steve Wise , Mark Bloch , Mark Zhang , Neta Ostrovsky CC: , , "Edward Srouji" , Patrisious Haddad , "Michael Guralnik" X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1780856308; l=6491; i=edwards@nvidia.com; s=20251029; h=from:subject:message-id; bh=hn7OBqlvlq8hHFKWz1FXL5TLVjD6IgfP5TDgfn2sUw8=; b=UPI67wwJX+6Q8OQ4IEACV55E5X5UZLj9A2A1nVqIjaaSw0nuXJr3DpqRLz2Kf9FvjjDnH5yM7 KBT3KcJmSvsB4Mf+EndD11EThvTi7erSbYgs7sP78HPaDw4xd336/nO X-Developer-Key: i=edwards@nvidia.com; a=ed25519; pk=VME+d2WbMZT5AY+AolKh2XIdrnXWUwwzz/XLQ3jXgDM= X-NV-OnPremToCloud: ExternallySecured X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SJ1PEPF00002325:EE_|EAYPR12MB999180:EE_ X-MS-Office365-Filtering-Correlation-Id: b92344e3-3cb5-4568-9f9f-08dec4c1392d X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|36860700016|82310400026|1800799024|22082099003|18002099003|921020|11063799006|6133799003|56012099006; X-Microsoft-Antispam-Message-Info: CBmdwe380cO8XwMPvIVQW/l54grelFBpfglza0olp0rQmOc6VCTyMa5YL4yw4gavZgQ+V8GrFMhYDLsb0FOIgNwlxVcbX9CZIfJP6xxJvfqFo22LZPsOAhV6GXjGqt0Z8IN3YUGoUTEevuSm+VBgRhNRSc0FHXO2U3OhuNL5xnHYCyp5OrSzUaq55HdOZz/u++rQL/4ro9m9rMArm+90VXTREH5MkXw4Is8OAJYazcWw1JELVjSYw+h8xAEYO7zwwmrngMT8Xri/sTsgVKaJNPOX30RLvydqFuGjbuitHermyWXYC+5nDKHgijfT/NRL+WASWoQtfo9pYdDx30BpbMXL0qimOWQaZUTHxiGHyAsZJMZkbqI2HyUH7o6pki0eMNQv6KW3/m0/KWYevzBrN5d5mNFE0LGc0+bfjUlTzGFkzv10/ZWOrArcRM8PjsPd8bCJnCPnf8rAI3/YrNDXOR1RM0Ukqarxt5DBvLUs1fPGP6P95RTOQOWUBsLNvswbjPHszldf+Z1sJ/2ixv0ScXMdVOkmCnrhcobd4pcKI3A7orXvzZ4poUfKJ5me45fusZqa0jkewLRRbQWZOBVfym9oSEPALaVombrncXbVKyK2ciBrtY/2xeoo8Tk1j9FApxtG2dIPiozBX7yWb2Ta83ImsujboniPSSIQgCRW3OhF8MwdZsFvfdrTkEaWeJN8vVKQ3+6rA5Bwxp/VU7jPdX1yxfvuxblWL3qWNIl1lH6zn3+m/XFM6oBp/kO9Mgwtxv1ulZf2QsVWslZdyLzSWg== X-Forefront-Antispam-Report: CIP:216.228.117.161;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge2.nvidia.com;CAT:NONE;SFS:(13230040)(376014)(36860700016)(82310400026)(1800799024)(22082099003)(18002099003)(921020)(11063799006)(6133799003)(56012099006);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: NQ6V7+Sl2WcXWTw9c0IuF0mYU+vduLeha2lCjykCTAaIVfrqDlRd19aNQa2rzE5s4SJQ5HDDFjuEgkmaPlN4jHI3El5YmG5MSGOaGvONB7oY16YmJKJLAZSuGO5FNp8JaaIhxRL22NPAvpmu4swTa+34mCtdU+AVB5V0zOD4S6iImVLL1ULrQsNVx0e9H9PwC3csNduI+umGPiIHBOYWlaFkftNBjN8kEmJCXkwCxVesA0WNKPNJVU31ezuhkJopxAvdFeWmMfjL/CQbYmBP1yctVq8bkZ0AqAb8ekbmhhQPCrpbFLQ3zVrs3b8PEjBYSB42xwfOW8bB5XJKw7Uiog3FciLlS9AhJzpUHl0SkVnG7zPQjgXKkWqhVoS4kYATWEzwfqpDeOG1V3oRF34M1FQpsT4kfjFy7VP6ssVP6chVQ/kmeXxYeR70yzAg26p0 X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Jun 2026 18:18:49.9925 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: b92344e3-3cb5-4568-9f9f-08dec4c1392d X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.161];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF00002325.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: EAYPR12MB999180 From: Patrisious Haddad Add rdma_restrack_abort_del(), rdma_restrack_begin_del() and rdma_restrack_commit_del() functions to allow deleting a resource from the xarray to effectively prevent future access to it and wait for all current users to finish while preserving its index in the xarray to allow to re-insert it if needed with guaranteed success. This is a preparatory change for subsequent patches in the series which will use these functions to fix the cleanup flow. Signed-off-by: Patrisious Haddad Reviewed-by: Michael Guralnik Signed-off-by: Edward Srouji --- drivers/infiniband/core/restrack.c | 120 +++++++++++++++++++++++++++++++++= ---- drivers/infiniband/core/restrack.h | 3 + 2 files changed, 112 insertions(+), 11 deletions(-) diff --git a/drivers/infiniband/core/restrack.c b/drivers/infiniband/core/r= estrack.c index ac3688952cabbff1ebb899bacb78421f2515231b..97c8991081a49ff4f74d65c6c1b= d8ca647aa72d1 100644 --- a/drivers/infiniband/core/restrack.c +++ b/drivers/infiniband/core/restrack.c @@ -71,6 +71,8 @@ int rdma_restrack_count(struct ib_device *dev, enum rdma_= restrack_type type, =20 xa_lock(&rt->xa); xas_for_each(&xas, e, U32_MAX) { + if (xa_is_zero(e)) + continue; if (xa_get_mark(&rt->xa, e->id, RESTRACK_DD) && !show_details) continue; cnt++; @@ -127,6 +129,16 @@ static void rdma_restrack_attach_task(struct rdma_rest= rack_entry *res, res->user =3D true; } =20 +static struct rdma_restrack_root *res_to_rt(struct rdma_restrack_entry *re= s) +{ + struct ib_device *dev =3D res_to_dev(res); + + if (WARN_ON(!dev)) + return NULL; + + return &dev->res[res->type]; +} + /** * rdma_restrack_set_name() - set the task for this resource * @res: resource entry @@ -180,17 +192,15 @@ EXPORT_SYMBOL(rdma_restrack_new); */ void rdma_restrack_add(struct rdma_restrack_entry *res) { - struct ib_device *dev =3D res_to_dev(res); struct rdma_restrack_root *rt; int ret =3D 0; =20 - if (!dev) - return; - if (res->no_track) goto out; =20 - rt =3D &dev->res[res->type]; + rt =3D res_to_rt(res); + if (!rt) + return; =20 if (res->type =3D=3D RDMA_RESTRACK_QP) { /* Special case to ensure that LQPN points to right QP */ @@ -227,6 +237,37 @@ void rdma_restrack_add(struct rdma_restrack_entry *res) } EXPORT_SYMBOL(rdma_restrack_add); =20 +/** + * rdma_restrack_abort_del() - readd object to the resource tracking datab= ase + * it can only be used after rdma_restrack_begin_del(). + * @res: resource entry + */ +void rdma_restrack_abort_del(struct rdma_restrack_entry *res) +{ + struct rdma_restrack_entry *old; + struct rdma_restrack_root *rt; + + if (!res->valid) + return; + + if (res->no_track) { + rdma_restrack_new(res, res->type); + return; + } + + rt =3D res_to_rt(res); + if (!rt) + return; + + rdma_restrack_new(res, res->type); + old =3D xa_cmpxchg(&rt->xa, res->id, XA_ZERO_ENTRY, res, 0); + /* The only way this can fail if someone called this function + * without first calling rdma_restrack_begin_del(). + */ + WARN_ON(old); +} +EXPORT_SYMBOL(rdma_restrack_abort_del); + int __must_check rdma_restrack_get(struct rdma_restrack_entry *res) { return kref_get_unless_zero(&res->kref); @@ -263,7 +304,7 @@ static void restrack_release(struct kref *kref) struct rdma_restrack_entry *res; =20 res =3D container_of(kref, struct rdma_restrack_entry, kref); - if (res->task) { + if (res->task && !res->valid) { put_task_struct(res->task); res->task =3D NULL; } @@ -284,7 +325,6 @@ void rdma_restrack_del(struct rdma_restrack_entry *res) { struct rdma_restrack_entry *old; struct rdma_restrack_root *rt; - struct ib_device *dev; =20 if (!res->valid) { if (res->task) { @@ -297,12 +337,10 @@ void rdma_restrack_del(struct rdma_restrack_entry *re= s) if (res->no_track) goto out; =20 - dev =3D res_to_dev(res); - if (WARN_ON(!dev)) + rt =3D res_to_rt(res); + if (!rt) return; =20 - rt =3D &dev->res[res->type]; - old =3D xa_erase(&rt->xa, res->id); WARN_ON(old !=3D res); =20 @@ -310,5 +348,65 @@ void rdma_restrack_del(struct rdma_restrack_entry *res) res->valid =3D false; rdma_restrack_put(res); wait_for_completion(&res->comp); + if (res->task) { + put_task_struct(res->task); + res->task =3D NULL; + } } EXPORT_SYMBOL(rdma_restrack_del); + +/** + * rdma_restrack_begin_del() - invalidate the object from the resource tra= cking + * database but preserve its index in the array. + * @res: resource entry + */ +void rdma_restrack_begin_del(struct rdma_restrack_entry *res) +{ + struct rdma_restrack_entry *old; + struct rdma_restrack_root *rt; + + if (!res->valid) + return; + + if (res->no_track) + goto out; + + rt =3D res_to_rt(res); + if (!rt) + return; + + old =3D xa_cmpxchg(&rt->xa, res->id, res, XA_ZERO_ENTRY, 0); + WARN_ON(old !=3D res); + +out: + rdma_restrack_put(res); + wait_for_completion(&res->comp); +} +EXPORT_SYMBOL(rdma_restrack_begin_del); + +/** + * rdma_restrack_commit_del() - delete object from the resource tracking + * database and free the task. + * @res: resource entry + */ +void rdma_restrack_commit_del(struct rdma_restrack_entry *res) +{ + struct rdma_restrack_root *rt; + + if (!res->valid || res->no_track) + goto out; + + rt =3D res_to_rt(res); + if (!rt) + return; + + xa_erase(&rt->xa, res->id); + +out: + res->valid =3D false; + if (res->task) { + put_task_struct(res->task); + res->task =3D NULL; + } +} +EXPORT_SYMBOL(rdma_restrack_commit_del); diff --git a/drivers/infiniband/core/restrack.h b/drivers/infiniband/core/r= estrack.h index 6a04fc41f738010a90d96f88dbcc88bc36d3a289..45f2f06825f402324304113014f= a90da03ec6f88 100644 --- a/drivers/infiniband/core/restrack.h +++ b/drivers/infiniband/core/restrack.h @@ -26,7 +26,10 @@ struct rdma_restrack_root { int rdma_restrack_init(struct ib_device *dev); void rdma_restrack_clean(struct ib_device *dev); void rdma_restrack_add(struct rdma_restrack_entry *res); +void rdma_restrack_abort_del(struct rdma_restrack_entry *res); void rdma_restrack_del(struct rdma_restrack_entry *res); +void rdma_restrack_begin_del(struct rdma_restrack_entry *res); +void rdma_restrack_commit_del(struct rdma_restrack_entry *res); void rdma_restrack_new(struct rdma_restrack_entry *res, enum rdma_restrack_type type); void rdma_restrack_set_name(struct rdma_restrack_entry *res, --=20 2.49.0 From nobody Mon Jun 8 04:24:59 2026 Received: from BYAPR05CU005.outbound.protection.outlook.com (mail-westusazon11010065.outbound.protection.outlook.com [52.101.85.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3B78C1DB356; Sun, 7 Jun 2026 18:19:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.85.65 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856344; cv=fail; b=E/xye5aLJTQB/u/JrwLTi9zm9DIbBXJ5DetbWfFrC87bU0dEQMPzpGRzIYO/Qx5qH3HDzlIPmaI5PEjTB5IJdR9DgYh5xCzIBGhskc18aUGHz8qSxL2xhrmg4zvKNZam0uf84gNPttOdJghFDC6fKS9g3qzBuLJ6sArTiFzXRIo= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856344; c=relaxed/simple; bh=tmIbmiVTyxn8HE2XGHzlOQ5EfoBthHl2Z5nVsEWZk/k=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=sbo76yPyfNfGL/yLYy3HFGMAg529e6ieP/l3MJllhTGgILg6r86Xd62UMP5ErhKrOZXQhAaW0SNQh9GySDdxzpfUOJ+84LxFZ6LncPo5ZEgOgqXgbhHsCcjP3ZGPft+mDbg8B76VHjszevG3HIjSd6+9NImAYt9Y7WUMqCREiog= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=EPC9j4oG; arc=fail smtp.client-ip=52.101.85.65 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="EPC9j4oG" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=k1yJQjnj8LKAALlB4sIhPRQI6f7BhGl1+yJpPIlI6bFFutjO/TqzNojypc/sgytsxeIHQrEy2s6SF5WiTwj+WaYJUV5SbeDAaYWI3s+6V31KdG58DZ6QiE340k/FU+N3Je7euHB6d2rST+Um5aBV6gIcIODI1lBJdrNjG0c1Gr+9SswKEiNjmQvidPnfAVe1XUpKTV/5d5RM4aStI061Rb2PC6gl2DvSy8aNvKIfEimTw4IlOj6rR3xdQfBtWA8nxZYffKP8jb2Ew6+RV8+781ZqAaJcyhcTlbNo4fzk4ox+KTIbdvbE9vmOICw8l6ViZIkOBA3uo+5wcMgRc4OM1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=pqH2r5bbDpejXIF+NG/yIEJE7iGZ912wawo/gT09k/M=; b=aVkXUF22IGvocnsvNm/e9y+SdrAyPH+7dx+kwzIDYzOmsruqRIPATwikmuv5C0nCrjL8u5BtEZzDOi+NOhXJZ/SpGvQqZDq/XC8hMaFdTkrLPeoq0h3MXA9PaixQPJF3ujaC2A1hbalyyr97HXRvJl7LkTV6TSeYTOnqWlS63gRef97eHZ6VNHMepK8YnjoHVu2daiwaxNf/5buZvhGA+QC0E9UVB6bAPbnSG8BGQNr0LxZcnLjbAtd6CG+CWNPhXIGcNYMQwLBrky8jF1bBjCb2lQqlkOGJzpp8ADg+Ms2VUjAPNolVMxgCBXyzcznW/CUG5ZBZSZoaWuOLqWpYOg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.161) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pqH2r5bbDpejXIF+NG/yIEJE7iGZ912wawo/gT09k/M=; b=EPC9j4oG062+SngPThQXkv6o7dnXC+cwUzhjubgp3BB8WEPo7sKxxb+4GSJl1APCmY5rox0QguLZ50U5xp0Phje/3WYQaXAwOsIu2Z+bnbHAbjXwh1rTYZ8d6vNP2DTVN9qOfgNvgbP26Nbp/NNphpAAmzDWc1Xemb798xsZa2XskrF/yGbYu+iNQgrHYNU9KkMYewxx68i6UdqvgJ7aQDLT7mOuY9wUSvnXmEt54Rwp08ed0pRnf4XCowX2cJz9Tmfcd4/4Z8GL0aBMHAobOZuhYG3rQG8DeKeEYotDWhrC6+7f1Uyucew/iMiD3fWeJAsXRJjKwQpWlWXd9tPhgQ== Received: from SJ0PR03CA0276.namprd03.prod.outlook.com (2603:10b6:a03:39e::11) by CY5PR12MB6155.namprd12.prod.outlook.com (2603:10b6:930:25::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.12; Sun, 7 Jun 2026 18:18:59 +0000 Received: from SJ1PEPF00002321.namprd03.prod.outlook.com (2603:10b6:a03:39e:cafe::38) by SJ0PR03CA0276.outlook.office365.com (2603:10b6:a03:39e::11) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.92.12 via Frontend Transport; Sun, 7 Jun 2026 18:18:59 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.161 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.161) by SJ1PEPF00002321.mail.protection.outlook.com (10.167.242.91) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.7 via Frontend Transport; Sun, 7 Jun 2026 18:18:58 +0000 Received: from rnnvmail202.nvidia.com (10.129.68.7) by mail.nvidia.com (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:49 -0700 Received: from rnnvmail201.nvidia.com (10.129.68.8) by rnnvmail202.nvidia.com (10.129.68.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:48 -0700 Received: from [10.135.59.1] (10.127.8.10) by mail.nvidia.com (10.129.68.8) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Sun, 7 Jun 2026 11:18:45 -0700 From: Edward Srouji Date: Sun, 7 Jun 2026 21:18:11 +0300 Subject: [PATCH rdma-next 4/6] RDMA/core: Fix use after free in ib_query_qp() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-ID: <20260607-restrack-uaf-fix-v1-4-d72e45eb76c2@nvidia.com> References: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> In-Reply-To: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> To: Leon Romanovsky , Jason Gunthorpe , "Chiara Meiohas" , Maor Gottlieb , "Dennis Dalessandro" , Gal Pressman , Steve Wise , Mark Bloch , Mark Zhang , Neta Ostrovsky CC: , , "Edward Srouji" , Patrisious Haddad , "Michael Guralnik" X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1780856308; l=4123; i=edwards@nvidia.com; s=20251029; h=from:subject:message-id; bh=6jdI7Z37D3w/it38DqkQya7GneRsgpINTJu0S9W/O4g=; b=7XOEmRe9D1j/qyV4AtwCzUBP+X5kDGDt/+DaH/0wccK4w3Puyzp+U7KDnqxYn/J1Lawou12z1 /bYjHbIvNJ1DHznr1x1/SuS46M+9qswdZ2z30BTV1wBk/n2l5qZtiZ/ X-Developer-Key: i=edwards@nvidia.com; a=ed25519; pk=VME+d2WbMZT5AY+AolKh2XIdrnXWUwwzz/XLQ3jXgDM= X-NV-OnPremToCloud: ExternallySecured X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SJ1PEPF00002321:EE_|CY5PR12MB6155:EE_ X-MS-Office365-Filtering-Correlation-Id: 2abd8947-0741-445f-8d01-08dec4c13e87 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|82310400026|1800799024|376014|36860700016|921020|6133799003|18002099003|22082099003|11063799006|56012099006; X-Microsoft-Antispam-Message-Info: 6uisKvKDDGSFTtb6zebk9ik8PfKf3fYvKUnbGnuU6KCAgDlqldNS6wHy5SDt7unMXVUMKxaPaDBO76Ai22exu6RNQ0Do8fJ5EUGT/cGA82+ljav+ya1yHbxXAQ5DL7KlqiMww3IeoLdWmV6OekGSjelDrD2nu8cHdRBRO3gydWGzxKzgc8Vq5w3GCV26/2V0HLwMXuzQD+N4HFf/4WSQZ8ylalAR0+dCENNUpx7ZTffH0HvtcStNIR3X6jcM6E27ZYiqLAI7kgco1dtTrM7VAyaI2n4uLgjcztxARYQeKl7SULkmCyGHYKK2sDo51G+HZYjTVXW/CR72m4mMb6mLmeadMDUWInPsG469E3uzI7Dw8tYX0tWb4rIyioWCgvglLfuStzn1ohzVZyOqDU6EXPiDZgsso4l16Ei0gd87c4IdRdvTpspFlEjSNCj+y/pjwAu3mmVH7dOhUcZVfTn2lvrh5iJnSIqWcMzZ1Ss7CmzCGOf9weYNDd2cdyK1uZUPkuTSh3dXdefbn7p9LAhWy7G/uLwlmhtdvL0/6N04a8cZttOAKwvFbSUN9NaSebt3dhZ8Us5UwEj2cTj9M6Fhg3HTDlSi/E1tDlQqOH9XBNuaBKmILdmmehsSL5zU4IdeqRRswi7EKg7kS+FpJsjo8Z3m4JQdcIbnDI2m1Qektp7vTPfSVejrp2HN3nRJ3Ok3A/S1tXIUJuF4J3ZWVNNX4A5FpFzq7Lg/ntoPeXPxq5LVbLQ6ebRWtSfwGcS7AWTa8OR9xkkVdhgmPr0F5A5WAg== X-Forefront-Antispam-Report: CIP:216.228.117.161;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge2.nvidia.com;CAT:NONE;SFS:(13230040)(82310400026)(1800799024)(376014)(36860700016)(921020)(6133799003)(18002099003)(22082099003)(11063799006)(56012099006);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: BPj72nO1A5kSxTTABgP9T66f5hxY9ueSF2GxpzpMTZa+5UMeRGhTnCmNrWe9VSDdVzD+d2X5QzoZOCYWR3sf5XKcuF/kBvJdYjEdkol+pVJT5EKHPgyeLyR5n3NK9c/OANaNJ/Y5whK0MjnfiCjo2Ni0q4pv15a82VrbjIvkOqfxYGWjnkwFeSh1LVqq8kDX2oeXbzx3rVMgaS5zMhYrCIIfIxNialBOJmqL6QmNCjAM+BZIPFqdabbatSYUVxsEbLse0H59Dam+cQ83il5DfnURJ/zKaHoMSngxhuaMIzR+vAquW3nmKraJKtxpslLH0kJAO9IvjFKp3jUnnpEfIf1Iei6HRIQVqATt5rQB0qZW8eR1xsVofxG8EkJ/PXAFjyxh4F+1wLE3lMaVpk6OoAn/65KuiebQv2azwVPZi6DboBz3UZUs9RBNYDil5kA4 X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Jun 2026 18:18:58.9502 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 2abd8947-0741-445f-8d01-08dec4c13e87 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.161];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF00002321.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY5PR12MB6155 From: Patrisious Haddad When querying a QP via the netlink flow the only synchronization mechanism for the said QP is rdma_restrack_get(), meanwhile during the QP destroy path rdma_restrack_del() is called at the end of the ib_destroy_qp_user() function which is too late, since by then the vendor specific resources for said QP would already be destroyed, and until the rdma_restrack_del() is called this QP can still be accessed, which could cause the use after free below. Fix this by moving the rdma_restrack_begin_del() to the start of the ib_destroy_qp_user(), which in turn waits for all usages of the QP to be done then removes it from the database to prevent access to it while it is being destroyed. RIP: 0010:ib_query_qp+0x15/0x50 [ib_core] Code: 48 83 05 5d 8e b9 ff 01 eb b5 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f = 44 00 00 48 c7 46 40 00 00 00 00 48 c7 46 78 00 00 00 00 <48> 8b 07 48 8b 8= 0 88 01 00 00 48 85 c0 74 1a 48 83 05 54 91 b9 ff RSP: 0018:ff11000108a8f2f0 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ff11000108a8f370 RCX: ff11000108a8f370 RDX: 0000000000000000 RSI: ff11000108a8f3d8 RDI: 0000000000000000 RBP: ff1100010de5a000 R08: 0000000000000e80 R09: 0000000000000004 R10: ff110001057a604c R11: 0000000000000000 R12: ff11000108a8f370 R13: ff110001090e8000 R14: 0000000000000000 R15: ff110001057a602c FS: 00007f2ffd8db6c0(0000) GS:ff110008dc90b000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010b9a7004 CR4: 0000000000373eb0 Call Trace: mlx5_ib_gsi_query_qp+0x21/0x50 [mlx5_ib] mlx5_ib_query_qp+0x689/0x9d0 [mlx5_ib] ib_query_qp+0x35/0x50 [ib_core] fill_res_qp_entry_query.isra.0+0x47/0x280 [ib_core] ? __wake_up+0x40/0x50 ? netlink_broadcast_filtered+0x15a/0x550 ? kobject_uevent_env+0x562/0x710 ? ep_poll_callback+0x242/0x270 ? __nla_put+0xc/0x20 ? nla_put+0x28/0x40 ? nla_put_string+0x2e/0x40 [ib_core] fill_res_qp_entry+0x138/0x190 [ib_core] res_get_common_dumpit+0x4a5/0x800 [ib_core] ? fill_res_qp_entry_query.isra.0+0x280/0x280 [ib_core] nldev_res_get_qp_dumpit+0x1e/0x30 [ib_core] netlink_dump+0x16f/0x450 __netlink_dump_start+0x1ce/0x2e0 rdma_nl_rcv_msg+0x1d3/0x330 [ib_core] ? nldev_res_get_qp_raw_dumpit+0x30/0x30 [ib_core] rdma_nl_rcv_skb.constprop.0.isra.0+0x108/0x180 [ib_core] rdma_nl_rcv+0x12/0x20 [ib_core] netlink_unicast+0x255/0x380 ? __alloc_skb+0xfa/0x1e0 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1e8/0x230 ? copy_msghdr_from_user+0xea/0x170 ___sys_sendmsg+0x7c/0xb0 ? __futex_wait+0x95/0xf0 ? __futex_wake_mark+0x40/0x40 ? futex_wait+0x67/0x100 ? futex_wake+0xac/0x1b0 __sys_sendmsg+0x5f/0xb0 do_syscall_64+0x55/0xb90 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Fixes: 514aee660df4 ("RDMA: Globally allocate and release QP memory") Signed-off-by: Patrisious Haddad Reviewed-by: Michael Guralnik Signed-off-by: Edward Srouji --- drivers/infiniband/core/verbs.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verb= s.c index de7d19fabd75951f0c546accbbb97348e756c235..8bd39cfcf41bce3a20cfbc41be6= f51a1f7f95a8a 100644 --- a/drivers/infiniband/core/verbs.c +++ b/drivers/infiniband/core/verbs.c @@ -2157,6 +2157,8 @@ int ib_destroy_qp_user(struct ib_qp *qp, struct ib_ud= ata *udata) if (qp->real_qp !=3D qp) return __ib_destroy_shared_qp(qp); =20 + rdma_restrack_begin_del(&qp->res); + sec =3D qp->qp_sec; if (sec) ib_destroy_qp_security_begin(sec); @@ -2169,6 +2171,7 @@ int ib_destroy_qp_user(struct ib_qp *qp, struct ib_ud= ata *udata) if (ret) { if (sec) ib_destroy_qp_security_abort(sec); + rdma_restrack_abort_del(&qp->res); return ret; } =20 @@ -2181,7 +2184,7 @@ int ib_destroy_qp_user(struct ib_qp *qp, struct ib_ud= ata *udata) if (sec) ib_destroy_qp_security_end(sec); =20 - rdma_restrack_del(&qp->res); + rdma_restrack_commit_del(&qp->res); kfree(qp); return ret; } --=20 2.49.0 From nobody Mon Jun 8 04:24:59 2026 Received: from SJ2PR03CU001.outbound.protection.outlook.com (mail-westusazon11012030.outbound.protection.outlook.com [52.101.43.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6B637315D29; Sun, 7 Jun 2026 18:19:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.43.30 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856347; cv=fail; b=lJLZ5IQbmnIG1fFpm163Gb1YTsVt4F60ZJsmFqmLlijMHJX7MRoyLLzJt9ITJL5Vg4+PC38WNvw0mFUkn1j2uzSwsQOcf1ykX7FD6PkUpd8nNzia/Y6mDbqnppUXv/ehZ5//0JzqWtSJ38apnOggRiwKdR2R0aCQDGV0+Q9v+3s= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856347; c=relaxed/simple; bh=+IiPZ0W0g3Ut3NCStxUG3Du9iuwFzGgi29mSnA0z1h4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=ZAAdUdDaipK9qMgU3uNs2Jvq/A7kAPVWE83xe/yEkhNvd8ecpntj4jSmz/2bGX4CO9YUQYGP2DEoehcGhLGJGF13tLb6jtHFwuh5JmL1Mn9pLEAVNSLk8ghUwAhh3U8r+78a9SCbgIz+QnQoZk0Ia3zh7dos6HsWs+/im7TolYU= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=DIeIrju8; arc=fail smtp.client-ip=52.101.43.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="DIeIrju8" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=JGriDWktSc5R4Vp7ZALtGvCKq8/jStOJv5wOczTR6tGaTEgTlCw5SHZvMG+xP0+1rglXp9wWG79oV/RIoHJ8XcNB8p8xC8sYrkRykSh7BXttLZhfk2GJD2m6SPsBnp9oIy+zikRKe+NyFH7HDwNSKsXbC7O4A2IwDCC8PZEt+JG6A6e0nHKYfhST84i/ZQpm4rG8GSUr5qvxGBFTDySgz1EDbkf88MJuMy0s89GZrSxPlPW61KXgwVCoOjZvZQaaVLXWSCG7Y+EsuP9MNN5m/DwBazSJoAifP3WXyJgI3rGAKgDecqg8Ub01YIy13oDzapz8RqqkKvOTEXActvTH2A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=U3WxwlUBizT0en+p/d6f8jldQiRxvGCVNK127b+Pf5Q=; b=QExyq03WOJi17gnKqUZ0hKDmxIUcpp7/WHarro8INA0O7qf74CqCoDtSDFvWFjIn9zbrDlkSZYrA9j3huSrr6mvxthDkY18dHiu1goWEnwbuu8f6xrRy9OUL8cv1wkNHr0jxlGmh8r8qa8YAgXlbyPQO6cF5axRB6e/zd7knOo485FTOSYizuoYcZTT3lTgph4yoG28+QoOmxSrrxP3UF83K7pf0KjMjcF5dsEevRjBED25KEqqNiV/FI3KRVBPeAbJ9B0BbgbGO02L7gdh91nsMAeGIXtC4q9ej6ZwGxP7yfr85docj9hiEKPHTCyWeYUpQqLgV97IhFwKOP5zBOA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.161) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=U3WxwlUBizT0en+p/d6f8jldQiRxvGCVNK127b+Pf5Q=; b=DIeIrju84Ym1oWvWOFWQUMVR8vETTZ7Wf/rCawb1iuMQFgRacpx+NnJ+uWtFc1VRIT9YZQiiwE998XYAndb5I84BugJgF4k/PbltmRSeGK9t4YqZEOQX9Cp0zDncAU/ocAVEmwAgdHnGyx+g/YlM8qlaA9LS3LBNhwAQg1YfbFG1hciq8sSwBIZ1tRGtFMTa3BJ9aG+TZXpQv2LegM12uvyXJ0lXIfBEVkGRuzCMnkchg60c89NO0R/uMX1647tMHmWP5vmRxw/dKJo3m+KQBXnl/J9goCo9u4AbCe5pSA8xoO9dH2qnNwhtNeM1STr7k259fvIdz6ANJT7Q2xcQUQ== Received: from SJ0PR03CA0276.namprd03.prod.outlook.com (2603:10b6:a03:39e::11) by BL1PR12MB5971.namprd12.prod.outlook.com (2603:10b6:208:39a::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.12; Sun, 7 Jun 2026 18:19:02 +0000 Received: from SJ1PEPF00002321.namprd03.prod.outlook.com (2603:10b6:a03:39e:cafe::68) by SJ0PR03CA0276.outlook.office365.com (2603:10b6:a03:39e::11) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.92.12 via Frontend Transport; Sun, 7 Jun 2026 18:19:01 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.161 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.161) by SJ1PEPF00002321.mail.protection.outlook.com (10.167.242.91) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.7 via Frontend Transport; Sun, 7 Jun 2026 18:19:01 +0000 Received: from rnnvmail202.nvidia.com (10.129.68.7) by mail.nvidia.com (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:53 -0700 Received: from rnnvmail201.nvidia.com (10.129.68.8) by rnnvmail202.nvidia.com (10.129.68.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:52 -0700 Received: from [10.135.59.1] (10.127.8.10) by mail.nvidia.com (10.129.68.8) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Sun, 7 Jun 2026 11:18:49 -0700 From: Edward Srouji Date: Sun, 7 Jun 2026 21:18:12 +0300 Subject: [PATCH rdma-next 5/6] RDMA/core: Fix potential use after free in ib_destroy_cq_user() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-ID: <20260607-restrack-uaf-fix-v1-5-d72e45eb76c2@nvidia.com> References: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> In-Reply-To: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> To: Leon Romanovsky , Jason Gunthorpe , "Chiara Meiohas" , Maor Gottlieb , "Dennis Dalessandro" , Gal Pressman , Steve Wise , Mark Bloch , Mark Zhang , Neta Ostrovsky CC: , , "Edward Srouji" , Patrisious Haddad , "Michael Guralnik" X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1780856308; l=2096; i=edwards@nvidia.com; s=20251029; h=from:subject:message-id; bh=Q8CAjTX07uKKljXC1OQ7XgmIrYoxgRfRP1wBjIiCAec=; b=2xJ5kuaGVF8PJtbRGyaUx2Lv2QKLYcF8P93rE1ztXI6dnIzYG99eJ3bl6h6OVAQ4+CK38dOZa svReh5jJveaAKcnetMu0BCxuv+NZDjfInfhoRPDk6jUCN4B5U2ybnqr X-Developer-Key: i=edwards@nvidia.com; a=ed25519; pk=VME+d2WbMZT5AY+AolKh2XIdrnXWUwwzz/XLQ3jXgDM= X-NV-OnPremToCloud: ExternallySecured X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SJ1PEPF00002321:EE_|BL1PR12MB5971:EE_ X-MS-Office365-Filtering-Correlation-Id: b0f330ce-1ec6-4aea-e77f-08dec4c1403e X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|36860700016|376014|82310400026|18002099003|22082099003|6133799003|921020|11063799006|56012099006|5023799004; X-Microsoft-Antispam-Message-Info: VLAhY//Gec5miHH2Xxg6PofWZJrFsM1wlnCReJBuAaibJyDr2NG+wLaaCgYur31Eu9CC6gdiJcZW5SlWCilKdISE0zSY4EmMvO/f9Dh94zHbHFPoD7oRGbPGbwAQyqlPGINwBy5UaKPSob1vaPyu5fmy84oQ2RH0EWucSU5nTcsiGsCVJz7j0BAYdGxLFjgPS+K032rF6JjDfrOweRKBQ0yUwm5A3tORH3keMDYlvEQclM4yy/mKmQmbED03i1nyly+sq7notprY1gtwWAbHRcow+IgVvuC4JiXm26+wiY+2AcWLF0LGnHTl0GriKgXDhrupN/eDFadUQAciEBPKebDd2HI6TKJ/ET4E/YhujhETl0kbLmKtra1/mPuWA77k/N+meDA1b1hqY00tdM6jzFfZ6sm75TZwP1OtVALUj2VViWWUzVsO0a6/0ppwrfB4uCALzuMpmwzjFz7K0LAAVvNZieb0WZAPmoS/KCX+1GvkfDFFQn46z97g8na9wU/p/VPARUzKGSZ4/WOyLVo0g5eYafdamHxy8eNLMHPtZYGgNKLCrn8S0YdSdxo74IjNiqzEvVF5wbeTXBMU1RnN2cTs9e2Rf3pAwoS3ktBkL7ArZTJ+YRO8TUJQanZjnsGB/lVGvnhqHJ/v4W+VlpDcrbULdi3IhRddhVOE37boAEjDLldiamMujkDPTqJjz8l2W1b5m8QUu894TuSegvfCDONFYUNpFlEh0xKte24Izt3Pgj1kYaRl0tSwikXIck1W82a4xtij49MGRW9q82GCzA== X-Forefront-Antispam-Report: CIP:216.228.117.161;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge2.nvidia.com;CAT:NONE;SFS:(13230040)(1800799024)(36860700016)(376014)(82310400026)(18002099003)(22082099003)(6133799003)(921020)(11063799006)(56012099006)(5023799004);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: MTov0Gf6fmaSHG8MdB0EtbL12IFecvkPUyyH41VaVNJQCaLI97W9VoCFBsKjp+4dp9nFToPn9ERSJI3WFGLw1wiIou7SJvdLbZTqmmsR5E3dFZUdugDK3so93Wl11AnRLQeEFSJebSuHfGCsK7HJ0B3ZwXwP/WH/Kmnmbi18pJ9hGd0ZyPrGUTgRxnFNeoU28DwmpPsWjKWqEW/BxZgDFV9GU9tPabq4x4trbmWJNgnsl+puKNyQCNLEU26i8AUS3Q3As9yDDp/nV611DOrIuSOwHDizG0wO14FYen7OyEH7lEiFDvlC9V9gihIz3qP4dvMuNAiWmCkkFqqsjMSJ5RRZxq7GiO/gmAwfiSzWTKhD5kvM3G6k4TX9SZ+a8gQ1UYf7FnwCWtVFqVebEA4RZkARpgcjJldoLlht69KZkt9/ITrJCphF/Yx8ltmKGp7d X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Jun 2026 18:19:01.8439 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: b0f330ce-1ec6-4aea-e77f-08dec4c1403e X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.161];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF00002321.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL1PR12MB5971 From: Patrisious Haddad When accessing a CQ via the netlink path the only synchronization mechanism for the said CQ is rdma_restrack_get(). Currently, rdma_restrack_del() is invoked at the end of ib_destroy_cq_user(), which is too late, since by that point vendor-specific resources associated with the CQ might already be freed. This can leave a short window where the CQ remains accessible through restrack, leading to a potential use-after-free. Fix this by moving the rdma_restrack_begin_del() call to the start of ib_destroy_cq_user(), ensuring that the CQ is removed from restrack before its internal resources are released. This guarantees that no new users hold references to a CQ that is in the process of destruction. In addition, this change preserves the intended asymmetric behavior between create and destroy routines: resources are added to restrack at the end of successful creation, and hence shall be removed from the restrack first thing during the destruction flow, which keeps the lifecycle management consistent and predictable. Fixes: 08f294a1524b ("RDMA/core: Add resource tracking for create and destr= oy CQs") Signed-off-by: Patrisious Haddad Reviewed-by: Michael Guralnik Signed-off-by: Edward Srouji --- drivers/infiniband/core/verbs.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verb= s.c index 8bd39cfcf41bce3a20cfbc41be6f51a1f7f95a8a..bca0e48f6805e87554e77139ce6= 812d6b7236802 100644 --- a/drivers/infiniband/core/verbs.c +++ b/drivers/infiniband/core/verbs.c @@ -2250,11 +2250,15 @@ int ib_destroy_cq_user(struct ib_cq *cq, struct ib_= udata *udata) if (atomic_read(&cq->usecnt)) return -EBUSY; =20 + rdma_restrack_begin_del(&cq->res); + ret =3D cq->device->ops.destroy_cq(cq, udata); - if (ret) + if (ret) { + rdma_restrack_abort_del(&cq->res); return ret; + } =20 - rdma_restrack_del(&cq->res); + rdma_restrack_commit_del(&cq->res); kfree(cq); return ret; } --=20 2.49.0 From nobody Mon Jun 8 04:24:59 2026 Received: from BN1PR04CU002.outbound.protection.outlook.com (mail-eastus2azon11010052.outbound.protection.outlook.com [52.101.56.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2D04E29B78F; Sun, 7 Jun 2026 18:19:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.56.52 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856354; cv=fail; b=NlOL1Uzu6XlAYi2w21Qc/RQQM8XUmYIrNLLVd1ige7A20k5cdGUY7vEshrYkWWehn9/tWLKR8aPYnZ5uVC3j6mUZVGQjJz5nqmfRJRUYOJIy4NY2HkuZ099wQ3yvvROms3tw75WdS8EOCeYxjU8Z9JJJzfqt8Ddyd7rWddxeguA= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780856354; c=relaxed/simple; bh=S/cEIJz/WUn8c8jEjFomlpCgTMz8Vhlds0Jx+rfl+38=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=WyuTwYJD8U64hTOfEeMnuqpqBv2xE/53RILT3kSfrpHe8a6vRcOFy/69wa50oo2Ttt1oi7I1jpMK2EXlvdl/GJhIAPxpJnrsKLpb4DblV+t1xGE7JJ8kZGcH58S8uwtzj+DXOGJAeSmUFeK+L6ZsrRc0kPneYdVMP0DXkzw+/Nc= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=D6xe9Y75; arc=fail smtp.client-ip=52.101.56.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="D6xe9Y75" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=BThvtBIKym35VJd2rH2yH2FhQbcMgJKUzir+YKynf3putJLS1L3RfD9mfVneQlMj73FarwsBE5eTLY551MRVUFYmDN3MoweHraAsriWx4M7Xt3ZpdNp5BDK1He1EXv11eHvODSiXi8A+Fa9aLREWJaJS5WFYpZxFlU70SWffBoevTExft3rhwn/mIXkK367Sx8Q/fiYZwmG2ezpmk3q6dB29BRrFcPRZTPo/ZWgYWN6AJFIAnaLLuc917oLI+CeKKsSWHznHcLfUG5FM7EF6HV/0miuRrjIz6O0iiWqeRyovP6zjiaAHQD4lBTB9rslAaPWnHLFf5GU5rYsOYBy4+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=l+6NdJftjKxCPsTKiD2+i1ZkeyYONJGFKlcApIh+EaY=; b=r3/YfJAaOxnM58mUATwzKLFwUHiCa0qh3GrpkQKa21Pn84P2456ORERRoSOoTBFPMN+4UKZFeK1m47i11AtBPTCFUz4TK278YHvBwF2ZCBCpQEs/43CQGSL8NFKLvHfkq3ZfqijA5peEHtRNbvCJ2DTUuy1+eieWkAVLh0SfJdkDirlD2Kc9IoSM6LtwNDMmJxX9pk7IJ6JPn1O6tQnyyKVL1thItpiF47a5FAs98ocwLNt9lP+G/0/3LXRxXgvqP9L0rSvkV8Efd2JRHsFESbXQRs05ivTf90z8BMvmtPY+N3KVCJwP12czxSI3nl3QlAJZv+8c8IEd245Tz4JgTA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=l+6NdJftjKxCPsTKiD2+i1ZkeyYONJGFKlcApIh+EaY=; b=D6xe9Y75TPNwRLnNo3GJYtJU2cCVB+WCDZSi17YJn2bsidMzuMLMiBnGV3OdbE5JzBA3VaNqWcg3ycUyHub/7UtJDF1HbWgGZJsyKdjYheWIkdjii2oW+LjJuYOg4PoZQBhpB5VA5tYd/5it9y6LpcASePzjBH0ve9G++EhyGKrSiv8HYdFyrDnvTrqrT1ZpMo7ct3JNmrlNZ5QhJm+DWBU9S1kCR6QlTBZN7EqDjBxrrs024bORGoQEnZ3Sh9j2LxvdRK8/g+4MOBzQqReM9s8kdoZ32oZeVe295z5P6Rdj0Z/USQuzq6yuNgDptGNBJgkf9bd9KNonlICLB/nejQ== Received: from BY3PR10CA0016.namprd10.prod.outlook.com (2603:10b6:a03:255::21) by DM4PR12MB5913.namprd12.prod.outlook.com (2603:10b6:8:66::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.12; Sun, 7 Jun 2026 18:19:07 +0000 Received: from CO1PEPF00012E7D.namprd03.prod.outlook.com (2603:10b6:a03:255:cafe::9f) by BY3PR10CA0016.outlook.office365.com (2603:10b6:a03:255::21) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.92.12 via Frontend Transport; Sun, 7 Jun 2026 18:19:07 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.160) by CO1PEPF00012E7D.mail.protection.outlook.com (10.167.249.52) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.7 via Frontend Transport; Sun, 7 Jun 2026 18:19:07 +0000 Received: from rnnvmail202.nvidia.com (10.129.68.7) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:57 -0700 Received: from rnnvmail201.nvidia.com (10.129.68.8) by rnnvmail202.nvidia.com (10.129.68.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Sun, 7 Jun 2026 11:18:57 -0700 Received: from [10.135.59.1] (10.127.8.10) by mail.nvidia.com (10.129.68.8) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Sun, 7 Jun 2026 11:18:53 -0700 From: Edward Srouji Date: Sun, 7 Jun 2026 21:18:13 +0300 Subject: [PATCH rdma-next 6/6] RDMA/core: Fix potential use after free in ib_destroy_srq_user() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-ID: <20260607-restrack-uaf-fix-v1-6-d72e45eb76c2@nvidia.com> References: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> In-Reply-To: <20260607-restrack-uaf-fix-v1-0-d72e45eb76c2@nvidia.com> To: Leon Romanovsky , Jason Gunthorpe , "Chiara Meiohas" , Maor Gottlieb , "Dennis Dalessandro" , Gal Pressman , Steve Wise , Mark Bloch , Mark Zhang , Neta Ostrovsky CC: , , "Edward Srouji" , Patrisious Haddad , "Michael Guralnik" X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1780856308; l=2325; i=edwards@nvidia.com; s=20251029; h=from:subject:message-id; bh=aEOI4/Cq6/Q+2ujAqIn8sk34P+AW64UV0QSSph1IrYo=; b=UDmRt2gdMaFTbtntDUN2DY/WOZGtmZ5sZGDkc2CRYmojS7Pr7wOdQ75mbiiCxwEkoTHtpeVvX ktHBvSdiWOoBgVr58wWc1ki7FQqMpZThL/Ou2jWupc4Zpn76+TjPLoc X-Developer-Key: i=edwards@nvidia.com; a=ed25519; pk=VME+d2WbMZT5AY+AolKh2XIdrnXWUwwzz/XLQ3jXgDM= X-NV-OnPremToCloud: ExternallySecured X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CO1PEPF00012E7D:EE_|DM4PR12MB5913:EE_ X-MS-Office365-Filtering-Correlation-Id: d753e420-1786-44bc-9845-08dec4c14377 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|82310400026|1800799024|376014|36860700016|6133799003|22082099003|18002099003|921020|56012099006|11063799006|5023799004; X-Microsoft-Antispam-Message-Info: T3lOdtRv1GxNZS4O4OWM9ZHUzOCgOJ+2Oc+ipFXV5Ev+5hCnO8HCepuP2GSlI7VKXqJzw41QFuMJFw1hEklK5PmHBX4fDyCLokE3tDXIsNxd6yIqvOU2Jh/CFw8VW/Qvh1NdeMyzqX9gHHsTSSMWCMzk8MCrKv6g6LtekTO0kFl47Fj5PWCk/KbPw9uVbQNETaJXxotqzsPvDETF02IQ/yIaYxKRzzeCa4Sg9R3oR94Lnz5o27zVJZoFhQgyxrMAqSV9xNnPaadaTnyYkaclveDV2tACyKIwu+iim+0hc3bu8WR1SW6QSeZ0Ez/3ZvorpGOQWDHLa6X1wsPJmLIUg7Acuk/yGVr8ckctVupZ0TXNtgOScIUIJGi/p5bOMVSTAOICq8zp+9SCv2PY0q0HQsNiCaUnW+mVM7qmJMh3BoHTjfaxTrCkFWFbXx1YIHJpPI5ER2lg2zqP8iujihK9lfso9kwV3rt1Ed3K5IaJqPnrJvWq9pECnaz29Xs1pQwfVA3wVyjNNyNJrJAXx3LlbdZOUbFlbXDoH52EzguJvIBx0apcSzTSagWQ+6FWvDEqIAFD/ZsBa37A82CKRn/qlfszQ/siQvr45h/NyClZvsxfqBu2nLJlj589vahFIEAtrV6Gfo/3r688+UuH9rIg8NpsLHaW6nm7BcH7oPhyMJUQBYf5xqMqsoRerqZ7UCw5Q0OZdNrYpseGk2mM+/FcCdt6nDcawef3SF4ijsbdWNfDi+URCpGHvgBnxSpkoBomMMLMBrdLGWTXncizgaoW2A== X-Forefront-Antispam-Report: CIP:216.228.117.160;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge1.nvidia.com;CAT:NONE;SFS:(13230040)(82310400026)(1800799024)(376014)(36860700016)(6133799003)(22082099003)(18002099003)(921020)(56012099006)(11063799006)(5023799004);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: Xz48dMZtR+SchiTXSSZ48TdY60IP2bGqAsKIdTRsbEd54ye5cyLGmxVFH4ohDDBAL/mwG9/9AylchKnY9Pv4w9pP0qlgxXif9mi6Od8wxYCxCQ9JEmjqdOziPotIACx/z8Vzrlka8aowcOb6NzW1hIzrD/gAEL3lSv6QY8GmNPqGXO591bC00PxzbX3OHCspp0fsYlp63y6aofc0P93N1d/8053Cpyz9woOyaKa2MBGkNdvKFJJiSj+BF6KW7Mn5ULlKPeQDY5NVZm+w95ouYwE5eyVf3c5RlHiIrKwfJQpWZXMdRb2KkM3GJZo5IwtCdK35dDyO3JNmtbtLRux0HO83ZdSACsAKIrTYZIMaWMNtMXcp+vJ/+mldTihFwN+EyCiEPeSGb91XMZw/lNzZpn/r15bPKTcCV/SXGyO4o4I1QKbp88VqkQlzy8a5kAZa X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Jun 2026 18:19:07.1842 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: d753e420-1786-44bc-9845-08dec4c14377 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: CO1PEPF00012E7D.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR12MB5913 From: Patrisious Haddad When accessing a SRQ via the netlink path the only synchronization mechanism for the said SRQ is rdma_restrack_get(). Currently, rdma_restrack_del() is invoked at the end of ib_destroy_srq_user(), which is too late, since by that point vendor-specific resources associated with the SRQ might already be freed. This can leave a short window where the SRQ remains accessible through restrack, leading to a potential use-after-free. Fix this by moving the rdma_restrack_begin_del() call to the start of ib_destroy_srq_user(), ensuring that the SRQ is removed from restrack before its internal resources are released. This guarantees that no new users hold references to a SRQ that is in the process of destruction. In addition, this change preserves the intended asymmetric behavior between create and destroy routines: resources are added to restrack at the end of successful creation, and hence shall be removed from the restrack first thing during the destruction flow, which keeps the lifecycle management consistent and predictable. Fixes: 48f8a70e899f ("RDMA/restrack: Add support to get resource tracking f= or SRQ") Signed-off-by: Patrisious Haddad Reviewed-by: Michael Guralnik Signed-off-by: Edward Srouji --- drivers/infiniband/core/verbs.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verb= s.c index bca0e48f6805e87554e77139ce6812d6b7236802..12b79ed046ee81ba2e7b199f39a= a40c7bda9d892 100644 --- a/drivers/infiniband/core/verbs.c +++ b/drivers/infiniband/core/verbs.c @@ -1139,16 +1139,20 @@ int ib_destroy_srq_user(struct ib_srq *srq, struct = ib_udata *udata) if (atomic_read(&srq->usecnt)) return -EBUSY; =20 + rdma_restrack_begin_del(&srq->res); + ret =3D srq->device->ops.destroy_srq(srq, udata); - if (ret) + if (ret) { + rdma_restrack_abort_del(&srq->res); return ret; + } =20 atomic_dec(&srq->pd->usecnt); if (srq->srq_type =3D=3D IB_SRQT_XRC && srq->ext.xrc.xrcd) atomic_dec(&srq->ext.xrc.xrcd->usecnt); if (ib_srq_has_cq(srq->srq_type)) atomic_dec(&srq->ext.cq->usecnt); - rdma_restrack_del(&srq->res); + rdma_restrack_commit_del(&srq->res); kfree(srq); =20 return ret; --=20 2.49.0