CVE-2022-50726
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 24/12/2025
Last modified: 29/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix possible use-after-free in async command interface

mlx5_cmd_cleanup_async_ctx should return only after all its callback
handlers were completed. Before this patch, the below race between
mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and
led to a use-after-free:

1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e.
elevated by 1, a single inflight callback).
2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.
3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and
is about to call wake_up().
4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns
immediately as the condition (num_inflight == 0) holds.
5. mlx5_cmd_cleanup_async_ctx returns.
6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx
object.
7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed
object.

Fix it by syncing using a completion object. Mark it completed when
num_inflight reaches 0.

Trace:

BUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270
Read of size 4 at addr ffff888139cd12f4 by task swapper/5/0

CPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:

dump_stack_lvl+0x57/0x7d
print_report.cold+0x2d5/0x684
? do_raw_spin_lock+0x23d/0x270
kasan_report+0xb1/0x1a0
? do_raw_spin_lock+0x23d/0x270
do_raw_spin_lock+0x23d/0x270
? rwlock_bug.part.0+0x90/0x90
? __delete_object+0xb8/0x100
? lock_downgrade+0x6e0/0x6e0
_raw_spin_lock_irqsave+0x43/0x60
? __wake_up_common_lock+0xb9/0x140
__wake_up_common_lock+0xb9/0x140
? __wake_up_common+0x650/0x650
? destroy_tis_callback+0x53/0x70 [mlx5_core]
? kasan_set_track+0x21/0x30
? destroy_tis_callback+0x53/0x70 [mlx5_core]
? kfree+0x1ba/0x520
? do_raw_spin_unlock+0x54/0x220
mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core]
? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]
? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]
mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core]
? dump_command+0xcc0/0xcc0 [mlx5_core]
? lockdep_hardirqs_on_prepare+0x400/0x400
? cmd_comp_notifier+0x7e/0xb0 [mlx5_core]
cmd_comp_notifier+0x7e/0xb0 [mlx5_core]
atomic_notifier_call_chain+0xd7/0x1d0
mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core]
atomic_notifier_call_chain+0xd7/0x1d0
? irq_release+0x140/0x140 [mlx5_core]
irq_int_handler+0x19/0x30 [mlx5_core]
__handle_irq_event_percpu+0x1f2/0x620
handle_irq_event+0xb2/0x1d0
handle_edge_irq+0x21e/0xb00
__common_interrupt+0x79/0x1a0
common_interrupt+0x78/0xa0

asm_common_interrupt+0x22/0x40
RIP: 0010:default_idle+0x42/0x60
Code: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00
RSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242
RAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110
RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc
RBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3
R10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005
R13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000
? default_idle_call+0xcc/0x450
default_idle_call+0xec/0x450
do_idle+0x394/0x450
? arch_cpu_idle_exit+0x40/0x40
? do_idle+0x17/0x450
cpu_startup_entry+0x19/0x20
start_secondary+0x221/0x2b0
? set_cpu_sibling_map+0x2070/0x2070
secondary_startup_64_no_verify+0xcd/0xdb

Allocated by task 49502:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
kvmalloc_node+0x48/0xe0
mlx5e_bulk_async_init+0x35/0x110 [mlx5_core]
mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core]
mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core]
mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core]
mlx5e_detach_netdev+0x1c
---truncated---
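The seven-step interleaving in the commit message, and why the completion-based fix closes it, as an added userspace model. This is example code written for this page, not the mlx5 driver's or the kernel's own code: it models wait_event/wake_up and complete/wait_for_completion with a pthread mutex and condition variable (the mutex stands in for the waitqueue spinlock that do_raw_spin_lock was taking when KASAN fired), forces the commit's step order with three POSIX semaphores that exist only for the harness, and "frees" the context by setting a poison flag rather than calling free(), so that the late touch in step 7 is counted instead of being undefined behaviour. The struct layout, the function names cb_handler, cleanup_async_ctx, take_lock and run_scenario, and the 1000 ms bound on the handler's wait are all assumptions of the model. The point it shows: wait_event tests its condition lock-free before deciding whether to sleep, so it can return while the waker is still about to take the waitqueue lock; wait_for_completion cannot return until complete() has released that same lock, and the fixed cleanup only waits when a callback is actually in flight. Build with cc -pthread.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <semaphore.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

struct async_ctx {            /* model of struct mlx5_async_ctx: only the fields the race needs (assumed layout) */
    atomic_int num_inflight;  /* the driver initialises this to 1, so 2 means one callback in flight */
    pthread_mutex_t lock;     /* stands in for the waitqueue/completion spinlock (do_raw_spin_lock in the trace) */
    pthread_cond_t cv;
    bool done;                /* completion->done, fixed variant only */
    atomic_bool freed;        /* "kfree" poisons instead of freeing, so a late touch is counted rather than UB */
    bool fixed;               /* false: wait_event/wake_up (before the patch); true: completion (after it) */
};
static sem_t cleanup_dec_done, handler_dec_done, ctx_freed;  /* harness only: force the commit's step order */
static atomic_int uaf_hits;

static void sem_wait_ms(sem_t *s, int ms) {  /* bounded wait, so the fixed variant cannot deadlock on the harness */
    struct timespec ts;
    clock_gettime(CLOCK_REALTIME, &ts);
    ts.tv_sec += ms / 1000; ts.tv_nsec += (long)(ms % 1000) * 1000000L;
    if (ts.tv_nsec >= 1000000000L) { ts.tv_sec++; ts.tv_nsec -= 1000000000L; }
    while (sem_timedwait(s, &ts) == -1 && errno == EINTR) {}
}
/* wait_event(): the condition is checked lock-free first; the waitqueue lock is taken only to sleep. */
static void wait_event_inflight_zero(struct async_ctx *ctx) {
    if (atomic_load(&ctx->num_inflight) == 0) return;
    pthread_mutex_lock(&ctx->lock);
    while (atomic_load(&ctx->num_inflight) != 0) pthread_cond_wait(&ctx->cv, &ctx->lock);
    pthread_mutex_unlock(&ctx->lock);
}
/* wake_up() and complete() always take the object's lock, even when nobody is sleeping on it. */
static bool take_lock(struct async_ctx *ctx) {
    if (atomic_load(&ctx->freed)) { atomic_fetch_add(&uaf_hits, 1); return false; } /* what KASAN reported */
    pthread_mutex_lock(&ctx->lock);
    return true;
}
static void wake_up(struct async_ctx *ctx) {
    if (!take_lock(ctx)) return;
    pthread_cond_broadcast(&ctx->cv);
    pthread_mutex_unlock(&ctx->lock);
}
static void complete(struct async_ctx *ctx) {
    if (!take_lock(ctx)) return;
    ctx->done = true;
    pthread_cond_broadcast(&ctx->cv);
    pthread_mutex_unlock(&ctx->lock);
}
/* wait_for_completion() goes through the same lock, so it cannot return before complete() has dropped it. */
static void wait_for_completion(struct async_ctx *ctx) {
    pthread_mutex_lock(&ctx->lock);
    while (!ctx->done) pthread_cond_wait(&ctx->cv, &ctx->lock);
    pthread_mutex_unlock(&ctx->lock);
}

/* mlx5_cmd_exec_cb_handler, run on a second thread (the interrupt context in the trace). */
static void *cb_handler(void *arg) {
    struct async_ctx *ctx = arg;
    sem_wait(&cleanup_dec_done);                            /* harness: run only after step 2 */
    /* work->user_callback(status, work) would run here */
    if (atomic_fetch_sub(&ctx->num_inflight, 1) == 1) {    /* step 3: num_inflight is now 0 */
        sem_post(&handler_dec_done);
        sem_wait_ms(&ctx_freed, 1000);                      /* harness: let steps 4-6 go first, if they can */
        if (ctx->fixed) complete(ctx); else wake_up(ctx);  /* step 7 */
    }
    return NULL;
}

/* mlx5_cmd_cleanup_async_ctx, before and after the patch. */
static void cleanup_async_ctx(struct async_ctx *ctx) {
    if (!ctx->fixed) {
        atomic_fetch_sub(&ctx->num_inflight, 1);            /* step 2 */
        sem_post(&cleanup_dec_done); sem_wait(&handler_dec_done);
        wait_event_inflight_zero(ctx);                      /* step 4: condition already holds, returns at once */
        return;                                             /* step 5: the handler still holds a pointer to ctx */
    }
    if (atomic_fetch_sub(&ctx->num_inflight, 1) == 1) return; /* nothing in flight: nothing will touch ctx */
    sem_post(&cleanup_dec_done); sem_wait(&handler_dec_done);
    wait_for_completion(ctx);                               /* returns only once complete() is entirely done */
}

/* Runs the commit's interleaving against one variant; returns how often the freed ctx was touched. */
static int run_scenario(bool fixed) {
    struct async_ctx ctx = { .lock = PTHREAD_MUTEX_INITIALIZER, .cv = PTHREAD_COND_INITIALIZER, .fixed = fixed };
    atomic_init(&ctx.num_inflight, 2);   /* step 1: base count 1 plus one in-flight callback */
    atomic_init(&ctx.freed, false); atomic_store(&uaf_hits, 0);
    sem_init(&cleanup_dec_done, 0, 0); sem_init(&handler_dec_done, 0, 0); sem_init(&ctx_freed, 0, 0);
    pthread_t t; pthread_create(&t, NULL, cb_handler, &ctx);
    cleanup_async_ctx(&ctx);
    atomic_store(&ctx.freed, true);      /* step 6: the caller frees the object */
    sem_post(&ctx_freed);
    pthread_join(t, NULL);
    sem_destroy(&cleanup_dec_done); sem_destroy(&handler_dec_done); sem_destroy(&ctx_freed);
    return atomic_load(&uaf_hits);
}

int main(void) {
    printf("wait_event/wake_up: %d use-after-free\n", run_scenario(false));
    printf("completion:         %d use-after-free\n", run_scenario(true));
    return 0;
}
```

run_scenario(false) reports one touch of the freed object (step 7 lands on the poisoned ctx), run_scenario(true) reports none: with the completion, cleanup either sees no callback in flight and returns without waiting, or it sleeps inside wait_for_completion until complete() has finished with the lock, so the caller's free in step 6 can no longer overtake the waker. The harness semaphores are what make the narrow real-world window deterministic here; in the kernel the same ordering needs the command-completion interrupt to land between the cleanup's decrement and its condition check.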
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0aa3ee1e4e5c9ed5dda11249450d609c3072c54e
- https://git.kernel.org/stable/c/69dd3ad406c49aa69ce4852c15231ac56af8caf9
- https://git.kernel.org/stable/c/ab3de780c176bb91995c6166a576b370d9726e17
- https://git.kernel.org/stable/c/bacd22df95147ed673bec4692ab2d4d585935241
- https://git.kernel.org/stable/c/bbcc06933f35651294ea1e963757502312c2171f