ACK/Cmnt: [SRU Jammy 0/9] CVE-2023-25775
Cengiz Can
cengiz.can at canonical.com
Tue Oct 31 02:52:20 UTC 2023
On 30/10/2023 11:57, Stefan Bader wrote:
> On 28.10.23 05:47, Cengiz Can wrote:
>> [Impact]
>> Improper access control in the Intel(R) Ethernet Controller RDMA
>> driver for
>> linux before version 1.9.30 may allow an unauthenticated user to
>> potentially
>> enable escalation of privilege via network access.
>>
>> [Fix]
>> 8 clean cherry picks and 1 simple context adjusted backport.
>>
>> commit 2c4b14ea9507 ("RDMA/irdma: Remove enum irdma_status_code") was
>> required
>> for a clean cherry pick of the fix commit but since we already had a
>> stable
>> backport of commit 6f6dbb819dfc ("RDMA/irdma: Prevent some integer
>> underflows")
>> in the tree, there was a context conflict.
>>
>> [Test case]
>> Since it requires a 100Gbit NIC, compile and boot tested only.
>>
>> [Potential regression]
>> Medium regression potential. Due to newly introduced older patches.
>>
>> Christopher Bednarz (1):
>> RDMA/irdma: Prevent zero-length STAG registration
>>
>> Shiraz Saleem (2):
>> RDMA/irdma: Remove enum irdma_status_code
>> RDMA/irdma: Remove excess error variables
>>
>> Zhu Yanjun (6):
>> RDMA/irdma: Remove irdma_uk_mw_bind()
>> RDMA/irdma: Remove irdma_sc_send_lsmm_nostag()
>> RDMA/irdma: Remove irdma_cqp_up_map_cmd()
>> RDMA/irdma: Remove irdma_get_hw_addr()
>> RDMA/irdma: Make irdma_uk_cq_init() return a void
>> RDMA/irdma: optimize rx path by removing unnecessary copy
>>
>> drivers/infiniband/hw/irdma/cm.c | 44 +-
>> drivers/infiniband/hw/irdma/ctrl.c | 602 +++++++++++--------------
>> drivers/infiniband/hw/irdma/defs.h | 8 +-
>> drivers/infiniband/hw/irdma/hmc.c | 105 ++---
>> drivers/infiniband/hw/irdma/hmc.h | 53 +--
>> drivers/infiniband/hw/irdma/hw.c | 190 ++++----
>> drivers/infiniband/hw/irdma/i40iw_hw.c | 1 -
>> drivers/infiniband/hw/irdma/main.c | 6 +-
>> drivers/infiniband/hw/irdma/main.h | 42 +-
>> drivers/infiniband/hw/irdma/osdep.h | 41 +-
>> drivers/infiniband/hw/irdma/pble.c | 77 ++--
>> drivers/infiniband/hw/irdma/pble.h | 25 +-
>> drivers/infiniband/hw/irdma/protos.h | 92 ++--
>> drivers/infiniband/hw/irdma/puda.c | 132 +++---
>> drivers/infiniband/hw/irdma/puda.h | 43 +-
>> drivers/infiniband/hw/irdma/status.h | 71 ---
>> drivers/infiniband/hw/irdma/type.h | 113 +++--
>> drivers/infiniband/hw/irdma/uda.c | 35 +-
>> drivers/infiniband/hw/irdma/uda.h | 46 +-
>> drivers/infiniband/hw/irdma/uk.c | 223 ++++-----
>> drivers/infiniband/hw/irdma/user.h | 91 ++--
>> drivers/infiniband/hw/irdma/utils.c | 244 ++++------
>> drivers/infiniband/hw/irdma/verbs.c | 176 +++-----
>> drivers/infiniband/hw/irdma/ws.c | 19 +-
>> drivers/infiniband/hw/irdma/ws.h | 2 +-
>> 25 files changed, 1011 insertions(+), 1470 deletions(-)
>> delete mode 100644 drivers/infiniband/hw/irdma/status.h
>>
>
> The most scary change is #7 which "should" only be reorganization but
> is impossible to review in short time. On the positive side you only
> had to address context. So hoping there.
You're right. The change itself is scary enough.
I'm pretty sure that I only modified these lines:
$ diff -U1 -I "^@@.*" -I '^index.*' <(git show HEAD~2) <(git show
2c4b14ea9507106c0599349fbb8efdeb3b7aa840)
--- /dev/fd/63 2023-10-31 05:49:34.883974110 +0300
+++ /dev/fd/62 2023-10-31 05:49:34.883974110 +0300
@@ -1,2 +1,2 @@
-commit c2d39b425ddbcffd2406e89fda10b7f6592ccce8
+commit 2c4b14ea9507106c0599349fbb8efdeb3b7aa840
Author: Shiraz Saleem <shiraz.saleem at intel.com>
@@ -13,8 +13,2 @@
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
- (backported fromm commit 2c4b14ea9507106c0599349fbb8efdeb3b7aa840)
- CVE-2023-25775
- [cengizcan: prerequisite commit]
- [cengizcan: adjust context of changes that happen on
irdma_sc_qp_create,
- irdma_sc_cq_create, irdma_sc_ceq_init and irdma_sc_ccq_init in ctrl.c]
- Signed-off-by: Cengiz Can <cengiz.can at canonical.com>
@@ -162,8 +156,8 @@
diff --git a/drivers/infiniband/hw/irdma/ctrl.c
b/drivers/infiniband/hw/irdma/ctrl.c
-index 0e858294c139..715911efbd56 100644
+index 94a9c26ac83f..01cf75e9fd48 100644
--- a/drivers/infiniband/hw/irdma/ctrl.c
+++ b/drivers/infiniband/hw/irdma/ctrl.c
-@@ -1,7 +1,6 @@
- // SPDX-License-Identifier: GPL-2.0 or Linux-OpenIB
- /* Copyright (c) 2015 - 2021 Intel Corporation */
+@@ -3,7 +3,6 @@
+ #include <linux/etherdevice.h>
+
#include "osdep.h"
@@ -297,6 +291,6 @@
__le64 *wqe;
-@@ -432,11 +427,11 @@ enum irdma_status_code irdma_sc_qp_create(struct
irdma_sc_qp *qp, struct irdma_c
+@@ -460,11 +455,11 @@ enum irdma_status_code irdma_sc_qp_create(struct
irdma_sc_qp *qp, struct irdma_c
cqp = qp->dev->cqp;
if (qp->qp_uk.qp_id < cqp->dev->hw_attrs.min_hw_qp_id ||
- qp->qp_uk.qp_id >=
(cqp->dev->hmc_info->hmc_obj[IRDMA_HMC_IW_QP].max_cnt))
+ qp->qp_uk.qp_id >
(cqp->dev->hmc_info->hmc_obj[IRDMA_HMC_IW_QP].max_cnt - 1))
- return IRDMA_ERR_INVALID_QP_ID;
@@ -850,3 +844,3 @@
cqp = cq->dev->cqp;
- if (cq->cq_uk.cq_id >=
(cqp->dev->hmc_info->hmc_obj[IRDMA_HMC_IW_CQ].max_cnt))
+ if (cq->cq_uk.cq_id >
(cqp->dev->hmc_info->hmc_obj[IRDMA_HMC_IW_CQ].max_cnt - 1))
- return IRDMA_ERR_INVALID_CQ_ID;
@@ -854,3 +848,3 @@
- if (cq->ceq_id >= (cq->dev->hmc_fpm_misc.max_ceqs))
+ if (cq->ceq_id > (cq->dev->hmc_fpm_misc.max_ceqs - 1))
- return IRDMA_ERR_INVALID_CEQ_ID;
@@ -1132,5 +1126,5 @@
- /* Ensure CEQE contents are read after valid bit is checked */
- dma_rmb();
-@@ -3402,25 +3375,25 @@ enum irdma_status_code
irdma_sc_ccq_get_cqe_info(struct irdma_sc_cq *ccq,
+ get_64bit_val(cqe, 8, &qp_ctx);
+ cqp = (struct irdma_sc_cqp *)(unsigned long)qp_ctx;
+@@ -3416,25 +3389,25 @@ enum irdma_status_code
irdma_sc_ccq_get_cqe_info(struct irdma_sc_cq *ccq,
* @op_code: cqp opcode for completion
@@ -1275,3 +1269,3 @@
- if (info->ceq_id >= (info->dev->hmc_fpm_misc.max_ceqs))
+ if (info->ceq_id > (info->dev->hmc_fpm_misc.max_ceqs - 1))
- return IRDMA_ERR_INVALID_CEQ_ID;
@@ -1438,5 +1432,5 @@
- /* Ensure AEQE contents are read after valid bit is checked */
- dma_rmb();
-@@ -4162,22 +4130,21 @@ void irdma_sc_repost_aeq_entries(struct
irdma_sc_dev *dev, u32 count)
+ print_hex_dump_debug("WQE: AEQ_ENTRY WQE", DUMP_PREFIX_OFFSET, 16, 8,
+ aeqe, 16, false);
+@@ -4172,22 +4140,21 @@ void irdma_sc_repost_aeq_entries(struct
irdma_sc_dev *dev, u32 count)
* @cq: sc's cq ctruct
@@ -1455,3 +1449,3 @@
- if (info->ceq_id >= (info->dev->hmc_fpm_misc.max_ceqs ))
+ if (info->ceq_id > (info->dev->hmc_fpm_misc.max_ceqs - 1))
- return IRDMA_ERR_INVALID_CEQ_ID;
@@ -2465,4 +2459,4 @@
-@@ -1111,7 +1107,7 @@ irdma_cfg_ceq_vector(struct irdma_pci_f *rf,
struct irdma_ceq *iwceq,
- irq_set_affinity_hint(msix_vec->irq, &msix_vec->mask);
+@@ -1103,7 +1099,7 @@ irdma_cfg_ceq_vector(struct irdma_pci_f *rf,
struct irdma_ceq *iwceq,
+ irq_update_affinity_hint(msix_vec->irq, &msix_vec->mask);
if (status) {
@@ -3517,5 +3511,5 @@
- /* Ensure CQE contents are read after valid bit is checked */
- dma_rmb();
-@@ -249,7 +247,7 @@ irdma_puda_poll_info(struct irdma_sc_cq *cq, struct
irdma_puda_cmpl_info *info)
+ if (cq->dev->hw_attrs.uk_attrs.hw_rev >= IRDMA_GEN_2)
+ ext_valid = (bool)FIELD_GET(IRDMA_CQ_EXTCQE, qword3);
+@@ -246,7 +244,7 @@ irdma_puda_poll_info(struct irdma_sc_cq *cq, struct
irdma_puda_cmpl_info *info)
if (!peek_head)
@@ -3526,5 +3520,5 @@
- /* Ensure ext CQE contents are read after ext valid bit is
checked */
- dma_rmb();
-@@ -273,7 +271,7 @@ irdma_puda_poll_info(struct irdma_sc_cq *cq, struct
irdma_puda_cmpl_info *info)
+ IRDMA_RING_MOVE_HEAD_NOCHECK(cq_uk->cq_ring);
+ if (!IRDMA_RING_CURRENT_HEAD(cq_uk->cq_ring))
+@@ -267,7 +265,7 @@ irdma_puda_poll_info(struct irdma_sc_cq *cq, struct
irdma_puda_cmpl_info *info)
major_err = (u32)(FIELD_GET(IRDMA_CQ_MAJERR, qword3));
@@ -4232,8 +4226,8 @@
diff --git a/drivers/infiniband/hw/irdma/uda.c
b/drivers/infiniband/hw/irdma/uda.c
-index f5b1b6150cdc..027eaacbe256 100644
+index 7a9988ddbd01..5692093c327d 100644
--- a/drivers/infiniband/hw/irdma/uda.c
+++ b/drivers/infiniband/hw/irdma/uda.c
-@@ -1,7 +1,6 @@
- // SPDX-License-Identifier: GPL-2.0 or Linux-OpenIB
- /* Copyright (c) 2016 - 2021 Intel Corporation */
+@@ -3,7 +3,6 @@
+ #include <linux/etherdevice.h>
+
#include "osdep.h"
@@ -4692,4 +4686,4 @@
u8 polarity;
- u8 op_type;
-@@ -1026,7 +1020,7 @@ irdma_uk_cq_poll_cmpl(struct irdma_cq_uk *cq,
struct irdma_cq_poll_info *info)
+ bool ext_valid;
+@@ -1022,7 +1016,7 @@ irdma_uk_cq_poll_cmpl(struct irdma_cq_uk *cq,
struct irdma_cq_poll_info *info)
get_64bit_val(cqe, 24, &qword3);
@@ -4966,3 +4960,3 @@
- cqp_timeout.compl_cqp_cmds =
atomic64_read(&rf->sc_dev.cqp->completed_ops);
+ cqp_timeout.compl_cqp_cmds =
rf->sc_dev.cqp_cmd_stats[IRDMA_OP_CMPL_CMDS];
do {
@@ -5703,4 +5697,4 @@
int err = 0;
-
-@@ -3269,7 +3269,7 @@ static int irdma_post_recv(struct ib_qp *ibqp,
+ bool reflush = false;
+@@ -3293,7 +3293,7 @@ static int irdma_post_recv(struct ib_qp *ibqp,
if (ret) {
(It's super hard to read '^\ \-' lines, they are basically:
- return IRDMA_ERR_INVALID_QP_ID;
- return IRDMA_ERR_INVALID_CQ_ID;
- return IRDMA_ERR_INVALID_CEQ_ID;
- return IRDMA_ERR_INVALID_CEQ_ID;
- return IRDMA_ERR_INVALID_CEQ_ID;
Thanks for your time!
>
> Acked-by: Stefan Bader <stefan.bader at canonical.com>
>
More information about the kernel-team
mailing list