CVE-2022-50726

Source
https://cve.org/CVERecord?id=CVE-2022-50726
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50726.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50726
Downstream
Related
Published
2025-12-24T12:22:47.625Z
Modified
2026-03-23T05:29:41.801674Z
Summary
net/mlx5: Fix possible use-after-free in async command interface
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix possible use-after-free in async command interface

mlx5_cmd_cleanup_async_ctx should return only after all its callback handlers were completed. Before this patch, the below race between mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and led to a use-after-free:

  1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e. elevated by 1, a single inflight callback).
  2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.
  3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and is about to call wake_up().
  4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns immediately as the condition (num_inflight == 0) holds.
  5. mlx5_cmd_cleanup_async_ctx returns.
  6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx object.
  7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed object.

Fix it by syncing using a completion object. Mark it completed when num_inflight reaches 0.

Trace:

BUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270
Read of size 4 at addr ffff888139cd12f4 by task swapper/5/0

CPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0x57/0x7d
 print_report.cold+0x2d5/0x684
 ? do_raw_spin_lock+0x23d/0x270
 kasan_report+0xb1/0x1a0
 ? do_raw_spin_lock+0x23d/0x270
 do_raw_spin_lock+0x23d/0x270
 ? rwlock_bug.part.0+0x90/0x90
 ? __delete_object+0xb8/0x100
 ? lock_downgrade+0x6e0/0x6e0
 _raw_spin_lock_irqsave+0x43/0x60
 ? __wake_up_common_lock+0xb9/0x140
 __wake_up_common_lock+0xb9/0x140
 ? __wake_up_common+0x650/0x650
 ? destroy_tis_callback+0x53/0x70 [mlx5_core]
 ? kasan_set_track+0x21/0x30
 ? destroy_tis_callback+0x53/0x70 [mlx5_core]
 ? kfree+0x1ba/0x520
 ? do_raw_spin_unlock+0x54/0x220
 mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core]
 ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]
 ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]
 mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core]
 ? dump_command+0xcc0/0xcc0 [mlx5_core]
 ? lockdep_hardirqs_on_prepare+0x400/0x400
 ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core]
 cmd_comp_notifier+0x7e/0xb0 [mlx5_core]
 atomic_notifier_call_chain+0xd7/0x1d0
 mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core]
 atomic_notifier_call_chain+0xd7/0x1d0
 ? irq_release+0x140/0x140 [mlx5_core]
 irq_int_handler+0x19/0x30 [mlx5_core]
 __handle_irq_event_percpu+0x1f2/0x620
 handle_irq_event+0xb2/0x1d0
 handle_edge_irq+0x21e/0xb00
 __common_interrupt+0x79/0x1a0
 common_interrupt+0x78/0xa0
 </IRQ>
 <TASK>
 asm_common_interrupt+0x22/0x40
RIP: 0010:default_idle+0x42/0x60
Code: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 <c3> 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00
RSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242
RAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110
RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc
RBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3
R10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005
R13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000
 ? default_idle_call+0xcc/0x450
 default_idle_call+0xec/0x450
 do_idle+0x394/0x450
 ? arch_cpu_idle_exit+0x40/0x40
 ? do_idle+0x17/0x450
 cpu_startup_entry+0x19/0x20
 start_secondary+0x221/0x2b0
 ? set_cpu_sibling_map+0x2070/0x2070
 secondary_startup_64_no_verify+0xcd/0xdb
 </TASK>

Allocated by task 49502:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 kvmalloc_node+0x48/0xe0
 mlx5e_bulk_async_init+0x35/0x110 [mlx5_core]
 mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core]
 mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core]
 mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core]
 mlx5e_detach_netdev+0x1c ---truncated---
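The seven-step race in the commit message, and why a completion closes it, reduced to a user-space model. This is an added example, not kernel code and not the mlx5 driver's own; `async_ctx`, `sim`, `run_schedule` and `count_uaf_schedules` are names of this model. It assumes the two sync primitives behave as the kernel documents them: `wait_event()` re-reads its condition with no lock shared with the waker, so it can return between the handler's final decrement and its `wake_up()`, whereas `complete()` sets `done` and wakes while holding the completion's spinlock that `wait_for_completion()` must also take, so the model runs `complete()` as one indivisible step. A `freed` flag stands in for KASAN's poisoning of the kfree()d object. The model replays the exact interleaving from the commit message, then goes beyond it and enumerates every cleanup/handler interleaving of a given length for both designs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model, not kernel or mlx5 code. The async ctx reduced to what the
 * race touches; `freed` plays the role of KASAN's poisoning after kfree(). */
struct async_ctx {
    int num_inflight;    /* 1 (the ctx's own ref) + in-flight callbacks */
    bool inflight_done;  /* completion design only: the completion's done flag */
    bool freed;
};

struct sim {
    struct async_ctx ctx;
    bool use_completion; /* false: wait_event() design, true: completion design */
    int cleanup_pc;      /* 0 decrement, 1 waiting, 2 caller frees, 3 finished */
    int handler_pc;      /* 0 callback+decrement, 1 wake_up()/complete(), 2 finished */
    int uaf_touches;     /* handler accesses to ctx after it was freed */
};

static void touch(struct sim *s) { if (s->ctx.freed) s->uaf_touches++; }

/* One step of mlx5_cmd_cleanup_async_ctx() plus the kfree() in its caller. */
static void cleanup_step(struct sim *s)
{
    struct async_ctx *c = &s->ctx;
    switch (s->cleanup_pc) {
    case 0: /* atomic_dec() before the fix, atomic_dec_and_test() after it */
        c->num_inflight--;
        s->cleanup_pc = (s->use_completion && c->num_inflight == 0) ? 2 : 1;
        break;
    case 1:
        if (s->use_completion) {
            /* wait_for_completion(): done is only ever set inside complete(),
             * modelled as one indivisible step (it runs under the completion's
             * spinlock, which the waiter must take too), so returning here
             * means the handler's last touch of ctx already happened. */
            if (c->inflight_done) s->cleanup_pc = 2;
        } else {
            /* wait_event(ctx->wait, num_inflight == 0): the condition is read
             * with no lock shared with the waker, so it can already hold
             * while the handler is still about to call wake_up(). */
            if (c->num_inflight == 0) s->cleanup_pc = 2;
        }
        break;
    case 2:
        c->freed = true;   /* caller frees the mlx5_async_ctx */
        s->cleanup_pc = 3;
        break;
    }
}

/* One step of mlx5_cmd_exec_cb_handler(). */
static void handler_step(struct sim *s)
{
    struct async_ctx *c = &s->ctx;
    switch (s->handler_pc) {
    case 0:
        touch(s);          /* work->user_callback(status, work) uses ctx */
        c->num_inflight--; /* atomic_dec_and_test() */
        s->handler_pc = (c->num_inflight == 0) ? 1 : 2;
        break;
    case 1:
        touch(s);          /* wake_up(&ctx->wait) or complete(&ctx->inflight_done) */
        if (s->use_completion) c->inflight_done = true;
        s->handler_pc = 2;
        break;
    }
}

/* Drive one interleaving: 'C' advances the cleanup side, anything else the
 * handler. A blocked waiter just burns its slot. Leftover work after the
 * schedule runs round-robin so every run ends. Returns the UAF touch count. */
static int run_schedule(bool use_completion, int inflight_callbacks, const char *schedule)
{
    struct sim s = {
        .ctx = { .num_inflight = 1 + inflight_callbacks },
        .use_completion = use_completion,
        .handler_pc = inflight_callbacks ? 0 : 2,
    };
    for (const char *p = schedule; *p; p++)
        if (*p == 'C') cleanup_step(&s); else handler_step(&s);
    while (s.cleanup_pc != 3 || s.handler_pc != 2) {
        cleanup_step(&s);
        handler_step(&s);
    }
    return s.uaf_touches;
}

/* Exhaustively try every C/H schedule of length len with one callback in
 * flight; returns how many of them end in a use-after-free. */
static int count_uaf_schedules(bool use_completion, int len)
{
    char sched[32] = {0};
    int bad = 0;
    if (len > 30) len = 30;
    for (unsigned bits = 0; bits < (1u << len); bits++) {
        for (int i = 0; i < len; i++)
            sched[i] = (bits >> i) & 1 ? 'H' : 'C';
        sched[len] = '\0';
        if (run_schedule(use_completion, 1, sched) > 0)
            bad++;
    }
    return bad;
}

int main(void)
{
    /* Steps 1-7 of the commit message: cleanup decrements, the handler
     * decrements to zero, the wait returns, the caller frees, the handler
     * calls wake_up() on the freed object. */
    const char *race = "CHCCH";
    printf("wait_event design, race interleaving: %d UAF touch(es)\n", run_schedule(false, 1, race));
    printf("completion design, race interleaving: %d UAF touch(es)\n", run_schedule(true, 1, race));
    printf("all 10-step schedules: %d bad (wait_event), %d bad (completion)\n",
           count_uaf_schedules(false, 10), count_uaf_schedules(true, 10));
    return 0;
}
```

The same model also shows the second half of the fix: with `atomic_dec_and_test()` in cleanup, a context that has no callback in flight (`num_inflight` already 1) is torn down without waiting at all, since nobody will ever call `complete()` on it.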

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50726.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e355477ed9e4f401e3931043df97325d38552d54
Fixed
69dd3ad406c49aa69ce4852c15231ac56af8caf9
Fixed
bbcc06933f35651294ea1e963757502312c2171f
Fixed
ab3de780c176bb91995c6166a576b370d9726e17
Fixed
0aa3ee1e4e5c9ed5dda11249450d609c3072c54e
Fixed
bacd22df95147ed673bec4692ab2d4d585935241

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50726.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Fixed
5.4.223
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.153
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.77
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50726.json"