rds: Add proper refcnt when an RDS MR references an RDS Socket

Hakon-Bugge · vijay-suman · commit 2beb6ea8fe63 · 2024-12-01T08:05:22.000-08:00
When an RDS MR (mr) is created, it takes a reference to the RDS Socket
(rs) from where it was created. When the mr is destroyed, it
references the rs. Hence, provisions must be made to avoid the rs
being destroyed before all mrs referencing it have been destroyed.

Due to the implicit UAF here, different stack traces may be seen when
the UAF provokes a bug (edited for better brevity):

PF: supervisor write access in kernel mode
PF: error_code(0x0002) - not-present page
_raw_spin_lock_irqsave+0x4a/0x6a
__rds_put_mr_final+0x2c/0xe0 [rds]
rds_message_purge+0x13c/0x150 [rds]
rds_message_put+0x39/0x54 [rds]
rds_ib_send_cqe_handler+0x147/0x3dd [rds_rdma]
poll_scq+0x8c/0xb0 [rds_rdma]
rds_ib_tx+0x32/0x70 [rds_rdma]
rds_ib_send_cb+0x38/0x90 [rds_rdma]
tasklet_action_common.constprop.0+0x122/0x127
__do_softirq+0xcd/0x2a5
__irq_exit_rcu+0xc7/0xf1
common_interrupt+0x80/0x98

or

NMI watchdog: Watchdog detected hard LOCKUP on cpu 44
_raw_spin_lock_irqsave+0x4a/0x6a
__rds_put_mr_final+0x2c/0xe0 [rds]
rds_message_purge+0x13c/0x150 [rds]
rds_message_put+0x39/0x54 [rds]
rds_ib_send_cqe_handler+0x147/0x3dd [rds_rdma]
poll_scq+0x8c/0xb0 [rds_rdma]
rds_ib_tx+0x32/0x70 [rds_rdma]
rds_ib_send_cb+0x38/0x90 [rds_rdma]
tasklet_action_common.constprop.0+0x122/0x127
__do_softirq+0xcd/0x2a5
__irq_exit_rcu+0xc7/0xf1
common_interrupt+0x80/0x98

or

GPF, probably for non-canonical address 0xfea2b91efea5e2c2:
IP: 0010:native_queued_spin_lock_slowpath.part.0+0x181/0x1b2
_raw_spin_lock_irqsave+0x4a/0x6a
__rds_put_mr_final+0x2c/0xe0 [rds]
rds_message_purge+0x13c/0x150 [rds]
rds_message_put+0x39/0x54 [rds]
rds_ib_send_cqe_handler+0x147/0x3dd [rds_rdma]
poll_scq+0x8c/0xb0 [rds_rdma]
rds_ib_tx+0x32/0x70 [rds_rdma]
rds_ib_send_cb+0x38/0x90 [rds_rdma]
tasklet_action_common.constprop.0+0x122/0x127
__do_softirq+0xcd/0x2a5
__irq_exit_rcu+0xc7/0xf1
common_interrupt+0x80/0x98

Fixed by introducing proper reference counting when mr references rs.

Orabug: 35836948

Signed-off-by: Håkon Bugge &lt;haakon.bugge@oracle.com&gt;
Tested-by: Håkon Bugge &lt;haakon.bugge@oracle.com&gt;
Tested-by: Aparna Kumta &lt;aparna.kumta@oracle.com&gt;
Reviewed-by: Gerd Rausch &lt;gerd.rausch@oracle.com&gt;
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
@@ -119,6 +119,7 @@ void __rds_put_mr_final(struct kref *kref)
 	struct rds_mr *mr = container_of(kref, struct rds_mr, r_kref);
 
 	rds_destroy_mr(mr);
+	rds_sock_put(mr->r_sock);
 	kfree(mr);
 }
 
@@ -246,6 +247,7 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
 	RB_CLEAR_NODE(&mr->r_rb_node);
 	mr->r_trans = rs->rs_transport;
 	mr->r_sock = rs;
+	rds_sock_addref(rs);
 
 	if (args->flags & RDS_RDMA_USE_ONCE)
 		mr->r_use_once = 1;
