From e77f229ecaf387f9f54430dbd277baf8c60b2716 Mon Sep 17 00:00:00 2001
From: Joe Lawrence <joe.lawrence@redhat.com>
Date: Wed, 27 Oct 2021 13:17:13 -0400
Subject: [KPATCH CVE-2020-36385] RDMA/ucma: kpatch fixes for CVE-2020-36385

Kernels:
3.10.0-1160.6.1.el7
3.10.0-1160.11.1.el7
3.10.0-1160.15.2.el7
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7
3.10.0-1160.42.2.el7
3.10.0-1160.45.1.el7

Changes since last build:
arches: x86_64 ppc64le
ucma.o: changed function: ucma_migrate_id
---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/12
Approved-by: Artem Savkov (@artem.savkov)
Modifications:
- Avoid the complications of reworking all the locks (and preceding
commits) and apply a minimal patch to avoid the CVE condition.
- Always inline ucma_unlock_files() to avoid new function on x64_64

Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/231

KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5948342
for kpatch-patch-3_10_0-1160_6_1-1-11.el7 scratch build:
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=40661892

commit c71835cc23a3793651a693ea6cb1100e0eb9a0b1
Author: Kamal Heib <kheib@redhat.com>
Date:   Sun Aug 1 10:49:07 2021 +0300

    RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1978075
    CVE: CVE-2020-36385
    Conflicts:
    Adjust the patch to use "mut" mutext instead xa_lock due to the missing
    of: afcafe07af0e ("ucma: Convert ctx_idr to XArray").

    commit f5449e74802c1112dea984aec8af7a33c4516af1
    Author: Jason Gunthorpe <jgg@nvidia.com>
    Date:   Mon Sep 14 08:59:56 2020 -0300

        RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy

        ucma_destroy_id() assumes that all things accessing the ctx will do so via
        the xarray. This assumption violated only in the case the FD is being
        closed, then the ctx is reached via the ctx_list. Normally this is OK
        since ucma_destroy_id() cannot run concurrenty with release(), however
        with ucma_migrate_id() is involved this can violated as the close of the
        2nd FD can run concurrently with destroy on the first:

                        CPU0                      CPU1
                ucma_destroy_id(fda)
                                          ucma_migrate_id(fda -> fdb)
                                               ucma_get_ctx()
                xa_lock()
                 _ucma_find_context()
                 xa_erase()
                xa_unlock()
                                               xa_lock()
                                                ctx->file = new_file
                                                list_move()
                                               xa_unlock()
                                              ucma_put_ctx()

                                           ucma_close(fdb)
                                              _destroy_id()
                                              kfree(ctx)

                _destroy_id()
                  wait_for_completion()
                  // boom, ctx was freed

        The ctx->file must be modified under the handler and xa_lock, and prior to
        modification the ID must be rechecked that it is still reachable from
        cur_file, ie there is no parallel destroy or migrate.

        To make this work remove the double locking and streamline the control
        flow. The double locking was obsoleted by the handler lock now directly
        preventing new uevents from being created, and the ctx_list cannot be read
        while holding fgets on both files. Removing the double locking also
        removes the need to check for the same file.

        Fixes: 88314e4dda1e ("RDMA/cma: add support for rdma_migrate_id()")
        Link: https://lore.kernel.org/r/0-v1-05c5a4090305+3a872-ucma_syz_migrate_jgg@nvidia.com
        Reported-and-tested-by: syzbot+cc6fc752b3819e082d0c@syzkaller.appspotmail.com
        Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

    Signed-off-by: Kamal Heib <kheib@redhat.com>

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 drivers/infiniband/core/ucma.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 608a780d9ebb..72e7eb893d03 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1547,7 +1547,7 @@ static void ucma_lock_files(struct ucma_file *file1, struct ucma_file *file2)
 	}
 }
 
-static void ucma_unlock_files(struct ucma_file *file1, struct ucma_file *file2)
+static __always_inline void ucma_unlock_files(struct ucma_file *file1, struct ucma_file *file2)
 {
 	if (file1 < file2) {
 		mutex_unlock(&file2->mut);
@@ -1610,6 +1610,14 @@ static ssize_t ucma_migrate_id(struct ucma_file *new_file,
 	ucma_lock_files(cur_file, new_file);
 	mutex_lock(&mut);
 
+	/* CVE-2020-36385 kpatch: double check the context one last time */
+	if (_ucma_find_context(cmd.id, cur_file) != ctx) {
+		mutex_unlock(&mut);
+		ucma_unlock_files(cur_file, new_file);
+		ret = -ENOENT;
+		goto err_unlock;
+	}
+
 	list_move_tail(&ctx->list, &new_file->ctx_list);
 	ucma_move_events(ctx, new_file);
 	ctx->file = new_file;
@@ -1623,6 +1631,7 @@ response:
 			 &resp, sizeof(resp)))
 		ret = -EFAULT;
 
+err_unlock:
 	ucma_put_ctx(ctx);
 file_put:
 	fdput(f);
-- 
2.26.3