New subject: [OLK-5.10 2/2] RDMA/hns: Fix missing reset notification by user space driver

26 Sep 2023

driver inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/rdma-core/issues/I83L7U
----------------------------------------------------------
Currently, the mapping relationship of reset page between kernel mode
and user mode is maintained by driver. If the driver is hot-plugged
(e.g. reset), the memory of the reset page is released by kernel driver,
but the reset page in user mode still points to this released address
which would lead to a UAF.
This patch use the helper rdma_user_mmap_io() to maintain the vma mapping,
rather than driver itself, which remmaps the userspace reset page to an
safe zero page if driver was hot-plugged.
Fixes: e8b1fec497a0 ("RDMA/hns: Kernel notify usr space to stop ring db")
Signed-off-by: Chengchang Tang tangchengchang@huawei.com
---
 drivers/infiniband/hw/hns/hns_roce_main.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
index 4a16200ab950..2f0a5b2bbc50 100644
--- a/drivers/infiniband/hw/hns/hns_roce_main.c
+++ b/drivers/infiniband/hw/hns/hns_roce_main.c
@@ -675,10 +675,9 @@ static int hns_roce_mmap(struct ib_ucontext *uctx, struct vm_area_struct *vma)
    		goto out;
    	}
-		ret = remap_pfn_range(vma, vma->vm_start,
-				      page_to_pfn(hr_dev->reset_page),
-				      PAGE_SIZE, vma->vm_page_prot);
-		goto out;
+		prot = vma->vm_page_prot;
+		pfn = page_to_pfn(hr_dev->reset_page);
+		break;
    default:
    	ret = -EINVAL;
    	goto out;
-- 
2.30.0


    

[OLK-5.10 1/2] RDMA/hns: Fix potential UAF after reset