ACK: [SRU][F][PATCH 0/1] CVE-2021-47212

Thibault Ferrante thibault.ferrante at canonical.com
Tue Sep 17 13:33:51 UTC 2024 

Acked-by: Thibault Ferrante <thibault.ferrante at canonical.com>


On 17-09-2024 06:55, Koichiro Den wrote:
> [Impact]
> 
> net/mlx5: Update error handler for UCTX and UMEM
> 
> In the fast unload flow, the device state is set to internal error,
> which indicates that the driver started the destroy process.
> In this case, when a destroy command is being executed, it should return
> MLX5_CMD_STAT_OK.
> Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK
> instead of EIO.
> 
> This fixes a call trace in the umem release process -
> [ 2633.536695] Call Trace:
> [ 2633.537518]  ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]
> [ 2633.538596]  remove_client_context+0x8b/0xd0 [ib_core]
> [ 2633.539641]  disable_device+0x8c/0x130 [ib_core]
> [ 2633.540615]  __ib_unregister_device+0x35/0xa0 [ib_core]
> [ 2633.541640]  ib_unregister_device+0x21/0x30 [ib_core]
> [ 2633.542663]  __mlx5_ib_remove+0x38/0x90 [mlx5_ib]
> [ 2633.543640]  auxiliary_bus_remove+0x1e/0x30 [auxiliary]
> [ 2633.544661]  device_release_driver_internal+0x103/0x1f0
> [ 2633.545679]  bus_remove_device+0xf7/0x170
> [ 2633.546640]  device_del+0x181/0x410
> [ 2633.547606]  mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core]
> [ 2633.548777]  mlx5_unregister_device+0x27/0x40 [mlx5_core]
> [ 2633.549841]  mlx5_uninit_one+0x21/0xc0 [mlx5_core]
> [ 2633.550864]  remove_one+0x69/0xe0 [mlx5_core]
> [ 2633.551819]  pci_device_remove+0x3b/0xc0
> [ 2633.552731]  device_release_driver_internal+0x103/0x1f0
> [ 2633.553746]  unbind_store+0xf6/0x130
> [ 2633.554657]  kernfs_fop_write+0x116/0x190
> [ 2633.555567]  vfs_write+0xa5/0x1a0
> [ 2633.556407]  ksys_write+0x4f/0xb0
> [ 2633.557233]  do_syscall_64+0x5b/0x1a0
> [ 2633.558071]  entry_SYSCALL_64_after_hwframe+0x65/0xca
> [ 2633.559018] RIP: 0033:0x7f9977132648
> [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55
> [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648
> [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001
> [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740
> [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0
> [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c
> [ 2633.568725] ---[ end trace 10b4fe52945e544d ]---
> 
> [Backport]
> 
> Adjusted context due to missing commit 8f0105418668
> ("net/mlx5: SF, Add port add delete functionality").
> 
> [Fix]
> 
> Noble:  not affected
> Jammy:  fixed via stable
> Focal:  Backport - adjusted contexts due to missing commits, see [Backport]
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
> 
> [Test case]
> 
> Compile and boot tested.
> 
> [Where problem could occur]
> 
> This fix affects those who use mlx5_ib driver and created UMEM and UCTX
> in some form, an issue with this fix could potentially be visible to the
> user via memory leak, which may not be an issue for fast unload case.
> Note for Ubuntu Focal, the incorrect return value for
> MLX5_CMD_OP_DESTROY_UMEM could not even lead to needless WARN message
> with the backtrace shown in the original fix commit message.
> Additionally, it's unclear that how this could be exploited for security
> attacks. Still, the bug fix itself is not worthless.
> 
> 
> Neta Ostrovsky (1):
>    net/mlx5: Update error handler for UCTX and UMEM
> 
>   drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 


-- 
--
Thibault

More information about the kernel-team mailing list