cve/rejected/2021/CVE-2021-47615.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47615: RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow

 For the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though
 it is a user MR. This causes function mlx5_free_priv_descs() to think that
 it is a kernel MR, leading to wrongly accessing mr->descs that will get
 wrong values in the union which leads to attempt to release resources that
 were not allocated in the first place.

 For example:
  DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]
  WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0
  RIP: 0010:check_unmap+0x54f/0x8b0
  Call Trace:
   debug_dma_unmap_page+0x57/0x60
   mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]
   mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]
   ib_dereg_mr_user+0x60/0x140 [ib_core]
   uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]
   uobj_destroy+0x3f/0x80 [ib_uverbs]
   ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]
   ? uverbs_finalize_object+0x50/0x50 [ib_uverbs]
   ? lock_acquire+0xc4/0x2e0
   ? lock_acquired+0x12/0x380
   ? lock_acquire+0xc4/0x2e0
   ? lock_acquire+0xc4/0x2e0
   ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]
   ? lock_release+0x28a/0x400
   ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]
   ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]
   __x64_sys_ioctl+0x7f/0xb0
   do_syscall_64+0x38/0x90

 Fix it by reorganizing the dereg flow and mlx5_ib_mr structure:
  - Move the ib_umem field into the user MRs structure in the union as it's
    applicable only there.
  - Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only
    in case there isn't udata, which indicates that this isn't a user MR.

 The Linux kernel CVE team has assigned CVE-2021-47615 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit f18ec422311767738ef4033b61e91cae07163b22 and fixed in 5.15.10 with commit e3bc4d4b50cae7db08e50dbe43f771c906e97701
 	Issue introduced in 5.13 with commit f18ec422311767738ef4033b61e91cae07163b22 and fixed in 5.15.14 with commit c44979ace49b4aede3cc7cb5542316e53a4005c9
 	Issue introduced in 5.13 with commit f18ec422311767738ef4033b61e91cae07163b22 and fixed in 5.16 with commit f0ae4afe3d35e67db042c58a52909e06262b740f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47615
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/hw/mlx5/mlx5_ib.h
 	drivers/infiniband/hw/mlx5/mr.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701
 	https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9
 	https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47615: RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow

	For the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though
	it is a user MR. This causes function mlx5_free_priv_descs() to think that
	it is a kernel MR, leading to wrongly accessing mr->descs that will get
	wrong values in the union which leads to attempt to release resources that
	were not allocated in the first place.

	For example:
	DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]
	WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0
	RIP: 0010:check_unmap+0x54f/0x8b0
	Call Trace:
	debug_dma_unmap_page+0x57/0x60
	mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]
	mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]
	ib_dereg_mr_user+0x60/0x140 [ib_core]
	uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]
	uobj_destroy+0x3f/0x80 [ib_uverbs]
	ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]
	? uverbs_finalize_object+0x50/0x50 [ib_uverbs]
	? lock_acquire+0xc4/0x2e0
	? lock_acquired+0x12/0x380
	? lock_acquire+0xc4/0x2e0
	? lock_acquire+0xc4/0x2e0
	? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]
	? lock_release+0x28a/0x400
	ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]
	? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]
	__x64_sys_ioctl+0x7f/0xb0
	do_syscall_64+0x38/0x90

	Fix it by reorganizing the dereg flow and mlx5_ib_mr structure:
	- Move the ib_umem field into the user MRs structure in the union as it's
	applicable only there.
	- Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only
	in case there isn't udata, which indicates that this isn't a user MR.

	The Linux kernel CVE team has assigned CVE-2021-47615 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit f18ec422311767738ef4033b61e91cae07163b22 and fixed in 5.15.10 with commit e3bc4d4b50cae7db08e50dbe43f771c906e97701
	Issue introduced in 5.13 with commit f18ec422311767738ef4033b61e91cae07163b22 and fixed in 5.15.14 with commit c44979ace49b4aede3cc7cb5542316e53a4005c9
	Issue introduced in 5.13 with commit f18ec422311767738ef4033b61e91cae07163b22 and fixed in 5.16 with commit f0ae4afe3d35e67db042c58a52909e06262b740f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47615
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/hw/mlx5/mlx5_ib.h
	drivers/infiniband/hw/mlx5/mr.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701
	https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9
	https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f