Re: [PATCH] RDMA/hns: Fix UAF for cq async event

From: Jason Gunthorpe
Date: Fri Sep 20 2024 - 08:58:05 EST


On Fri, Sep 20, 2024 at 08:45:40PM +0800, haixiao.yan.cn@xxxxxxxxxxxxx wrote:
> From: Chengchang Tang <tangchengchang@xxxxxxxxxx>
>
> [ Upstream commit a942ec2745ca864cd8512142100e4027dc306a42 ]
>
> The refcount of CQ is not protected by locks. When CQ asynchronous
> events and CQ destruction are concurrent, CQ may have been released,
> which will cause UAF.
>
> Use the xa_lock() to protect the CQ refcount.
>
> Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
> Signed-off-by: Chengchang Tang <tangchengchang@xxxxxxxxxx>
> Signed-off-by: Junxian Huang <huangjunxian6@xxxxxxxxxxxxx>
> Link: https://lore.kernel.org/r/20240412091616.370789-6-huangjunxian6@xxxxxxxxxxxxx
> Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx>
> Signed-off-by: Haixiao Yan <haixiao.yan.cn@xxxxxxxxxxxxx>
> ---
> This commit is backporting a942ec2745ca to the branch linux-5.15.y to
> solve the CVE-2024-38545. Please merge this commit to linux-5.15.y.

Don't you need to send this to the stable maintainers too?

Jason
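
The locking rule the quoted commit message describes (lookup and refcount increment must sit in one critical section with the removal from the table) can be modelled in userspace. This is an added example, not the hns driver's code or the upstream patch: the pthread mutex stands in for xa_lock(), the fixed array stands in for the CQ xarray, and every name in it is hypothetical.

```c
#include <pthread.h>
#include <stdlib.h>

struct cq { int refcount; int events; };
static struct cq *table[8];      /* stands in for the CQ xarray */
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER; /* stands in for xa_lock() */
static int freed_count;          /* how many CQs have really been freed */

int cq_create(unsigned id) {
    struct cq *cq = NULL;
    pthread_mutex_lock(&table_lock);
    if (id < 8 && !table[id] && (cq = calloc(1, sizeof(*cq)))) {
        cq->refcount = 1;        /* reference owned by the table */
        table[id] = cq;
    }
    pthread_mutex_unlock(&table_lock);
    return cq ? 0 : -1;
}

/* Lookup and refcount bump in ONE critical section: destroy cannot slip in between. */
struct cq *cq_get(unsigned id) {
    pthread_mutex_lock(&table_lock);
    struct cq *cq = id < 8 ? table[id] : NULL;
    if (cq) cq->refcount++;
    pthread_mutex_unlock(&table_lock);
    return cq;
}
void cq_put(struct cq *cq) {
    pthread_mutex_lock(&table_lock);
    int last = (--cq->refcount == 0);
    freed_count += last;
    pthread_mutex_unlock(&table_lock);
    if (last) free(cq);          /* only the final holder frees */
}
/* Destroy: unpublish under the lock, then drop the table's reference. */
void cq_destroy(unsigned id) {
    pthread_mutex_lock(&table_lock);
    struct cq *cq = id < 8 ? table[id] : NULL;
    if (cq) table[id] = NULL;
    pthread_mutex_unlock(&table_lock);
    if (cq) cq_put(cq);
}
/* Async event path: touches the CQ only while holding its own reference. */
int cq_event(unsigned id) {
    struct cq *cq = cq_get(id);
    if (!cq) return -1;          /* already unpublished, nothing to touch */
    __atomic_fetch_add(&cq->events, 1, __ATOMIC_RELAXED);
    cq_put(cq);
    return 0;
}
```

If cq_get() took the lock only for the lookup and incremented the count after unlocking, cq_destroy() could free the object in that window, which is the use-after-free the commit message describes.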