CVE-2023-52474

In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests

hfi1 user SDMA request processing has two bugs that can cause data corruption for user SDMA requests that have multiple payload iovecs where an iovec other than the tail iovec does not run up to the page boundary for the buffer pointed to by that iovec.a

Here are the specific bugs: 1. usersdmatxadd() does not use struct usersdmaiovec->iov.iovlen. Rather, usersdmatxadd() will add up to PAGESIZE bytes from iovec to the packet, even if some of those bytes are past iovec->iov.iovlen and are thus not intended to be in the packet. 2. usersdmatxadd() and usersdmasendpkts() fail to advance to the next iovec in usersdmarequest->iovs when the current iovec is not PAGE_SIZE and does not contain enough data to complete the packet. The transmitted packet will contain the wrong data from the iovec pages.

This has not been an issue with SDMA packets from hfi1 Verbs or PSM2 because they only produce iovecs that end short of PAGE_SIZE as the tail iovec of an SDMA request.

Fixing these bugs exposes other bugs with the SDMA pin cache (struct mmurbhandler) that get in way of supporting user SDMA requests with multiple payload iovecs whose buffers do not end at PAGE_SIZE. So this commit fixes those issues as well.

Here are the mmurbhandler bugs that non-PAGESIZE-end multi-iovec payload user SDMA requests can hit: 1. Overlapping memory ranges in mmurbhandler will result in duplicate pinnings. 2. When extending an existing mmurbhandler entry (struct mmurbnode), the mmurb code (1) removes the existing entry under a lock, (2) releases that lock, pins the new pages, (3) then reacquires the lock to insert the extended mmurbnode.

If someone else comes in and inserts an overlapping entry between (2) and (3), insert in (3) will fail.

The failure path code in this case unpins all pages in either the original mmurbnode or the new mmurbnode that was inserted between (2) and (3). 3. In hfi1mmurbremoveunlessexact(), mmurbnode->refcount is incremented outside of mmurbhandler->lock. As a result, mmurbnode could be evicted by another thread that gets mmurbhandler->lock and checks mmurbnode->refcount before mmurbnode->refcount is incremented. 4. Related to #2 above, SDMA request submission failure path does not check mmurbnode->refcount before freeing mmurb_node object.

If there are other SDMA requests in progress whose iovecs have pointers to the now-freed mmurbnode(s), those pointers to the now-freed mmu_rb nodes will be dereferenced when those SDMA requests complete.