* [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd()
@ 2020-12-30 2:46 trix
2020-12-30 5:31 ` Leon Romanovsky
2021-01-07 20:41 ` Jason Gunthorpe
0 siblings, 2 replies; 6+ messages in thread
From: trix @ 2020-12-30 2:46 UTC (permalink / raw)
To: selvin.xavier, devesh.sharma, dledford, jgg, leon, maxg,
galpress, michaelgur, monis, gustavoars
Cc: linux-rdma, linux-kernel, Tom Rix
From: Tom Rix <trix@redhat.com>
In ocrdma_dealloc_ucontext_pd() uctx->cntxt_pd is assigned to
the variable pd and then after uctx->cntxt_pd is freed, the
variable pd is passed to function _ocrdma_dealloc_pd() which
dereferences pd directly or through its call to
ocrdma_mbx_dealloc_pd().
Reorder the free using the variable pd.
Fixes: 21a428a019c9 ("RDMA: Handle PD allocations by IB/core")
Signed-off-by: Tom Rix <trix@redhat.com>
---
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
index bc98bd950d99..3acb5c10b155 100644
--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
@@ -434,9 +434,9 @@ static void ocrdma_dealloc_ucontext_pd(struct ocrdma_ucontext *uctx)
pr_err("%s(%d) Freeing in use pdid=0x%x.\n",
__func__, dev->id, pd->id);
}
- kfree(uctx->cntxt_pd);
uctx->cntxt_pd = NULL;
_ocrdma_dealloc_pd(dev, pd);
+ kfree(pd);
}
static struct ocrdma_pd *ocrdma_get_ucontext_pd(struct ocrdma_ucontext *uctx)
--
2.27.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd()
2020-12-30 2:46 [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd() trix
@ 2020-12-30 5:31 ` Leon Romanovsky
2021-01-07 20:41 ` Jason Gunthorpe
1 sibling, 0 replies; 6+ messages in thread
From: Leon Romanovsky @ 2020-12-30 5:31 UTC (permalink / raw)
To: trix
Cc: selvin.xavier, devesh.sharma, dledford, jgg, maxg, galpress,
michaelgur, monis, gustavoars, linux-rdma, linux-kernel
On Tue, Dec 29, 2020 at 06:46:53PM -0800, trix@redhat.com wrote:
> From: Tom Rix <trix@redhat.com>
>
> In ocrdma_dealloc_ucontext_pd() uctx->cntxt_pd is assigned to
> the variable pd and then after uctx->cntxt_pd is freed, the
> variable pd is passed to function _ocrdma_dealloc_pd() which
> dereferences pd directly or through its call to
> ocrdma_mbx_dealloc_pd().
>
> Reorder the free using the variable pd.
>
> Fixes: 21a428a019c9 ("RDMA: Handle PD allocations by IB/core")
> Signed-off-by: Tom Rix <trix@redhat.com>
> ---
> drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Thanks,
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd()
2020-12-30 2:46 [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd() trix
2020-12-30 5:31 ` Leon Romanovsky
@ 2021-01-07 20:41 ` Jason Gunthorpe
2021-01-07 21:43 ` Tom Rix
1 sibling, 1 reply; 6+ messages in thread
From: Jason Gunthorpe @ 2021-01-07 20:41 UTC (permalink / raw)
To: trix
Cc: selvin.xavier, devesh.sharma, dledford, leon, maxg, galpress,
michaelgur, monis, gustavoars, linux-rdma, linux-kernel
On Tue, Dec 29, 2020 at 06:46:53PM -0800, trix@redhat.com wrote:
> From: Tom Rix <trix@redhat.com>
>
> In ocrdma_dealloc_ucontext_pd() uctx->cntxt_pd is assigned to
> the variable pd and then after uctx->cntxt_pd is freed, the
> variable pd is passed to function _ocrdma_dealloc_pd() which
> dereferences pd directly or through its call to
> ocrdma_mbx_dealloc_pd().
>
> Reorder the free using the variable pd.
>
> Fixes: 21a428a019c9 ("RDMA: Handle PD allocations by IB/core")
> Signed-off-by: Tom Rix <trix@redhat.com>
> drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Applied to for-rc
Is anyone testing ocrdma? Just doing the pyverbs rdma tests with kasn
turned on would have instantly caught this, and the change is nearly a
year old.
Is ocrdma obsolete enough we can delete the driver?
Thanks,
Jason
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd()
2021-01-07 20:41 ` Jason Gunthorpe
@ 2021-01-07 21:43 ` Tom Rix
2021-01-11 18:09 ` Selvin Xavier
0 siblings, 1 reply; 6+ messages in thread
From: Tom Rix @ 2021-01-07 21:43 UTC (permalink / raw)
To: Jason Gunthorpe
Cc: selvin.xavier, devesh.sharma, dledford, leon, maxg, galpress,
michaelgur, monis, gustavoars, linux-rdma, linux-kernel
On 1/7/21 12:41 PM, Jason Gunthorpe wrote:
> On Tue, Dec 29, 2020 at 06:46:53PM -0800, trix@redhat.com wrote:
>> From: Tom Rix <trix@redhat.com>
>>
>> In ocrdma_dealloc_ucontext_pd() uctx->cntxt_pd is assigned to
>> the variable pd and then after uctx->cntxt_pd is freed, the
>> variable pd is passed to function _ocrdma_dealloc_pd() which
>> dereferences pd directly or through its call to
>> ocrdma_mbx_dealloc_pd().
>>
>> Reorder the free using the variable pd.
>>
>> Fixes: 21a428a019c9 ("RDMA: Handle PD allocations by IB/core")
>> Signed-off-by: Tom Rix <trix@redhat.com>
>> drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
> Applied to for-rc
>
> Is anyone testing ocrdma? Just doing the pyverbs rdma tests with kasn
> turned on would have instantly caught this, and the change is nearly a
> year old.
>
> Is ocrdma obsolete enough we can delete the driver?
I am not an authority on ocrdma, i am fixing treewide, the problems clang static analysis flags.
Tom
>
> Thanks,
> Jason
>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd()
2021-01-07 21:43 ` Tom Rix
@ 2021-01-11 18:09 ` Selvin Xavier
0 siblings, 0 replies; 6+ messages in thread
From: Selvin Xavier @ 2021-01-11 18:09 UTC (permalink / raw)
To: Tom Rix
Cc: Jason Gunthorpe, Devesh Sharma, Doug Ledford, Leon Romanovsky,
maxg, Gal Pressman, michaelgur, Moni Shoua, gustavoars,
linux-rdma, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1357 bytes --]
On Fri, Jan 8, 2021 at 3:13 AM Tom Rix <trix@redhat.com> wrote:
>
>
> On 1/7/21 12:41 PM, Jason Gunthorpe wrote:
> > On Tue, Dec 29, 2020 at 06:46:53PM -0800, trix@redhat.com wrote:
> >> From: Tom Rix <trix@redhat.com>
> >>
> >> In ocrdma_dealloc_ucontext_pd() uctx->cntxt_pd is assigned to
> >> the variable pd and then after uctx->cntxt_pd is freed, the
> >> variable pd is passed to function _ocrdma_dealloc_pd() which
> >> dereferences pd directly or through its call to
> >> ocrdma_mbx_dealloc_pd().
> >>
> >> Reorder the free using the variable pd.
> >>
> >> Fixes: 21a428a019c9 ("RDMA: Handle PD allocations by IB/core")
> >> Signed-off-by: Tom Rix <trix@redhat.com>
> >> drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> > Applied to for-rc
> >
> > Is anyone testing ocrdma? Just doing the pyverbs rdma tests with kasn
> > turned on would have instantly caught this, and the change is nearly a
> > year old.
> >
> > Is ocrdma obsolete enough we can delete the driver?
Broadcom is not doing any active development/testing with ocrdma now.
I am checking with other teams to see if this can be deleted
completely. Will get back asap.
Thanks,
Selvin
>
> I am not an authority on ocrdma, i am fixing treewide, the problems clang static analysis flags.
>
> Tom
>
> >
> > Thanks,
> > Jason
> >
>
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4181 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd()
@ 2021-01-11 18:09 ` Selvin Xavier
0 siblings, 0 replies; 6+ messages in thread
From: Selvin Xavier @ 2021-01-11 18:09 UTC (permalink / raw)
To: Tom Rix
Cc: Jason Gunthorpe, Devesh Sharma, Doug Ledford, Leon Romanovsky,
maxg, Gal Pressman, michaelgur, Moni Shoua, gustavoars,
linux-rdma, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1357 bytes --]
On Fri, Jan 8, 2021 at 3:13 AM Tom Rix <trix@redhat.com> wrote:
>
>
> On 1/7/21 12:41 PM, Jason Gunthorpe wrote:
> > On Tue, Dec 29, 2020 at 06:46:53PM -0800, trix@redhat.com wrote:
> >> From: Tom Rix <trix@redhat.com>
> >>
> >> In ocrdma_dealloc_ucontext_pd() uctx->cntxt_pd is assigned to
> >> the variable pd and then after uctx->cntxt_pd is freed, the
> >> variable pd is passed to function _ocrdma_dealloc_pd() which
> >> dereferences pd directly or through its call to
> >> ocrdma_mbx_dealloc_pd().
> >>
> >> Reorder the free using the variable pd.
> >>
> >> Fixes: 21a428a019c9 ("RDMA: Handle PD allocations by IB/core")
> >> Signed-off-by: Tom Rix <trix@redhat.com>
> >> drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> > Applied to for-rc
> >
> > Is anyone testing ocrdma? Just doing the pyverbs rdma tests with kasn
> > turned on would have instantly caught this, and the change is nearly a
> > year old.
> >
> > Is ocrdma obsolete enough we can delete the driver?
Broadcom is not doing any active development/testing with ocrdma now.
I am checking with other teams to see if this can be deleted
completely. Will get back asap.
Thanks,
Selvin
>
> I am not an authority on ocrdma, i am fixing treewide, the problems clang static analysis flags.
>
> Tom
>
> >
> > Thanks,
> > Jason
> >
>
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4181 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-01-11 18:10 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-30 2:46 [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd() trix
2020-12-30 5:31 ` Leon Romanovsky
2021-01-07 20:41 ` Jason Gunthorpe
2021-01-07 21:43 ` Tom Rix
2021-01-11 18:09 ` Selvin Xavier
2021-01-11 18:09 ` Selvin Xavier
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.