From: Leon Romanovsky <leon@kernel.org>
To: Doug Ledford <dledford@redhat.com>, Jason Gunthorpe <jgg@mellanox.com>
Cc: Shay Drory <shayd@mellanox.com>,
Jack Morgenstein <jackm@dev.mellanox.co.il>,
linux-rdma@vger.kernel.org, Maor Gottlieb <maorg@mellanox.com>,
"willy@infradead.org" <willy@infradead.org>
Subject: [PATCH rdma-next 1/4] IB/mad: Fix use after free when destroying MAD agent
Date: Sun, 21 Jun 2020 13:47:35 +0300 [thread overview]
Message-ID: <20200621104738.54850-2-leon@kernel.org> (raw)
In-Reply-To: <20200621104738.54850-1-leon@kernel.org>
From: Shay Drory <shayd@mellanox.com>
Currently, when RMPP MADs are processed while the MAD agent is
destroyed, it could result in use after free of rmpp_recv, as
decribed below:
cpu-0 cpu-1
----- -----
ib_mad_recv_done()
ib_mad_complete_recv()
ib_process_rmpp_recv_wc()
unregister_mad_agent()
ib_cancel_rmpp_recvs()
cancel_delayed_work()
process_rmpp_data()
start_rmpp()
queue_delayed_work(rmpp_recv->cleanup_work)
destroy_rmpp_recv()
free_rmpp_recv()
cleanup_work()[1]
spin_lock_irqsave(&rmpp_recv->agent->lock)->use after free
[1] cleanup_work() == recv_cleanup_handler
Fix it by waiting for the MAD agent reference count becoming zero before
calling to ib_cancel_rmpp_recvs().
Fixes: 9a41e38a467c ("IB/mad: Use IDR for agent IDs")
Signed-off-by: Shay Drory <shayd@mellanox.com>
Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
---
drivers/infiniband/core/mad.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 186e0d652e8b..2da889f9b6b3 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -509,10 +509,10 @@ static void unregister_mad_agent(struct ib_mad_agent_private *mad_agent_priv)
xa_erase(&ib_mad_clients, mad_agent_priv->agent.hi_tid);
flush_workqueue(port_priv->wq);
- ib_cancel_rmpp_recvs(mad_agent_priv);
deref_mad_agent(mad_agent_priv);
wait_for_completion(&mad_agent_priv->comp);
+ ib_cancel_rmpp_recvs(mad_agent_priv);
ib_mad_agent_security_cleanup(&mad_agent_priv->agent);
--
2.26.2
next prev parent reply other threads:[~2020-06-21 10:47 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-21 10:47 [PATCH rdma-next 0/4] Bag of fixes and refactoring in MAD layer Leon Romanovsky
2020-06-21 10:47 ` Leon Romanovsky [this message]
2020-06-22 18:00 ` [PATCH rdma-next 1/4] IB/mad: Fix use after free when destroying MAD agent Jason Gunthorpe
2020-06-21 10:47 ` [PATCH rdma-next 2/4] IB/mad: Issue complete whenever decrements agent refcount Leon Romanovsky
2020-06-21 10:47 ` [PATCH rdma-next 3/4] IB/mad: Refactor atomics API to refcount API Leon Romanovsky
2020-06-21 10:47 ` [PATCH rdma-next 4/4] IB/mad: Delete RMPP_STATE_CANCELING state Leon Romanovsky
2020-06-24 19:45 ` [PATCH rdma-next 0/4] Bag of fixes and refactoring in MAD layer Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200621104738.54850-2-leon@kernel.org \
--to=leon@kernel.org \
--cc=dledford@redhat.com \
--cc=jackm@dev.mellanox.co.il \
--cc=jgg@mellanox.com \
--cc=linux-rdma@vger.kernel.org \
--cc=maorg@mellanox.com \
--cc=shayd@mellanox.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).