projects / wrapfs-5.3.y.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a388c0a) | patch
IB/mad: Fix use after free when destroying MAD agent
authorShay Drory <shayd@mellanox.com>
Sun, 21 Jun 2020 10:47:35 +0000 (13:47 +0300)
committerSasha Levin <sashal@kernel.org>
Wed, 1 Jul 2020 03:17:09 +0000 (23:17 -0400)
commitc5bf9f88f96212c25e824821e99194297167d848
tree7f0f6092b99dc12ae68e54e1d17bad7d8a84fdectree | snapshot
parenta388c0a88b7d676418b5861cfa40a159013cc6a6commit | diff
IB/mad: Fix use after free when destroying MAD agent

commit 116a1b9f1cb769b83e5adff323f977a62b1dcb2e upstream.

Currently, when RMPP MADs are processed while the MAD agent is destroyed,
it could result in use after free of rmpp_recv, as decribed below:

cpu-0 cpu-1
----- -----
ib_mad_recv_done()
 ib_mad_complete_recv()
  ib_process_rmpp_recv_wc()
unregister_mad_agent()
 ib_cancel_rmpp_recvs()
  cancel_delayed_work()
   process_rmpp_data()
    start_rmpp()
     queue_delayed_work(rmpp_recv->cleanup_work)
  destroy_rmpp_recv()
   free_rmpp_recv()
     cleanup_work()[1]
      spin_lock_irqsave(&rmpp_recv->agent->lock) <-- use after free

[1] cleanup_work() == recv_cleanup_handler

Fix it by waiting for the MAD agent reference count becoming zero before
calling to ib_cancel_rmpp_recvs().

Fixes: 9a41e38a467c ("IB/mad: Use IDR for agent IDs")
Link: https://lore.kernel.org/r/20200621104738.54850-2-leon@kernel.org
Signed-off-by: Shay Drory <shayd@mellanox.com>
Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/infiniband/core/mad.c diff | blob | history
wrapfs-5.3.y