From: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
To: Bart Van Assche <bvanassche-HInyCGIudOg@public.gmane.org>
Cc: Roland Dreier <roland-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Alex Chiang <achiang-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
linux-rdma <linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH v3 2/2] IB/umad: Fix a use-after-free
Date: Fri, 16 May 2014 14:28:50 +0200 [thread overview]
Message-ID: <1400243330.13334.4.camel@localhost.localdomain> (raw)
In-Reply-To: <5375F108.20608-HInyCGIudOg@public.gmane.org>
Le vendredi 16 mai 2014 à 13:05 +0200, Bart Van Assche a écrit :
> Avoid a use-after-free when closing /dev/infiniband/umad<n> or
> /dev/infiniband/issm<n>. __fput() in fs/file_table.c invokes
> f_op->release() before it invokes cdev_put(), so the ib_umad_device
> structure must not be freed from f_op->release(); make sure it is
> freed by the cdev_put() call instead. This prevents the following
> kernel oops, which is triggered by changing the port mode from IB to
> Ethernet and back to IB and then restarting opensmd:
>
> general protection fault: 0000 [#1] PREEMPT SMP
> RIP: 0010:[<ffffffff810cc65c>] [<ffffffff810cc65c>] module_put+0x2c/0x170
> Call Trace:
> [<ffffffff81190f20>] cdev_put+0x20/0x30
> [<ffffffff8118e2ce>] __fput+0x1ae/0x1f0
> [<ffffffff8118e35e>] ____fput+0xe/0x10
> [<ffffffff810723bc>] task_work_run+0xac/0xe0
> [<ffffffff81002a9f>] do_notify_resume+0x9f/0xc0
> [<ffffffff814b8398>] int_signal+0x12/0x17
>
> Reference: https://bugzilla.kernel.org/show_bug.cgi?id=75051
> Signed-off-by: Bart Van Assche <bvanassche-HInyCGIudOg@public.gmane.org>
> Cc: Alex Chiang <achiang-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
> Cc: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
> Cc: <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
> ---
> drivers/infiniband/core/user_mad.c | 30 +++++++++++++++++++-----------
> 1 file changed, 19 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
> index 2b3dfcc..4ac0d42 100644
> --- a/drivers/infiniband/core/user_mad.c
> +++ b/drivers/infiniband/core/user_mad.c
> @@ -98,7 +98,7 @@ struct ib_umad_port {
>
> struct ib_umad_device {
> int start_port, end_port;
> - struct kref ref;
> + struct kobject kobj;
> struct ib_umad_port port[0];
> };
>
> @@ -134,14 +134,18 @@ static DECLARE_BITMAP(dev_map, IB_UMAD_MAX_PORTS);
> static void ib_umad_add_one(struct ib_device *device);
> static void ib_umad_remove_one(struct ib_device *device);
>
> -static void ib_umad_release_dev(struct kref *ref)
> +static void ib_umad_release_dev(struct kobject *kobj)
> {
> struct ib_umad_device *dev =
> - container_of(ref, struct ib_umad_device, ref);
> + container_of(kobj, struct ib_umad_device, kobj);
>
> kfree(dev);
> }
>
> +static struct kobj_type ib_umad_dev_ktype = {
> + .release = ib_umad_release_dev,
> +};
> +
> static int hdr_size(struct ib_umad_file *file)
> {
> return file->use_pkey_index ? sizeof (struct ib_user_mad_hdr) :
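Review bot: The added `ib_umad_dev_ktype` deserves a comment explaining why it carries only a `.release`: this kobject is never passed to kobject_add(), so it has no sysfs presence and exists purely as a reference count whose release frees the whole ib_umad_device, ports included. Without that, a later reader may try to "complete" it with sysfs_ops/default_attrs or register it, which would give it a lifetime different from the cdevs that now hold it as their kobj.parent. I would add `/* refcount-only kobject: never added to sysfs; release frees the umad_dev */` above the definition. hdr_size() at the end of the hunk continues outside it.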
> @@ -810,7 +814,7 @@ static int ib_umad_open(struct inode *inode, struct file *filp)
> if (ret)
> goto del;
>
> - kref_get(&port->umad_dev->ref);
> + kobject_get(&port->umad_dev->kobj);
>
> out:
> mutex_unlock(&port->file_mutex);
> @@ -855,7 +859,7 @@ static int ib_umad_close(struct inode *inode, struct file *filp)
> mutex_unlock(&file->port->file_mutex);
>
> kfree(file);
> - kref_put(&dev->ref, ib_umad_release_dev);
> + kobject_put(&dev->kobj);
>
> return 0;
> }
> @@ -906,7 +910,7 @@ static int ib_umad_sm_open(struct inode *inode, struct file *filp)
> if (ret)
> goto clr_sm_cap;
>
> - kref_get(&port->umad_dev->ref);
> + kobject_get(&port->umad_dev->kobj);
>
> out:
> return ret;
> @@ -935,7 +939,7 @@ static int ib_umad_sm_close(struct inode *inode, struct file *filp)
>
> up(&port->sm_sem);
>
> - kref_put(&port->umad_dev->ref, ib_umad_release_dev);
> + kobject_put(&port->umad_dev->kobj);
>
> return ret;
> }
> @@ -1003,6 +1007,7 @@ static int find_overflow_devnum(void)
> }
>
> static int ib_umad_init_port(struct ib_device *device, int port_num,
> + struct ib_umad_device *umad_dev,
> struct ib_umad_port *port)
> {
> int devnum;
> @@ -1035,6 +1040,7 @@ static int ib_umad_init_port(struct ib_device *device, int port_num,
>
> cdev_init(&port->cdev, &umad_fops);
> port->cdev.owner = THIS_MODULE;
> + port->cdev.kobj.parent = &umad_dev->kobj;
> kobject_set_name(&port->cdev.kobj, "umad%d", port->dev_num);
> if (cdev_add(&port->cdev, base, 1))
> goto err_cdev;
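Review bot: The placement of the added `port->cdev.kobj.parent = &umad_dev->kobj;` before cdev_add() is the actual fix and nothing in the diff says so: as far as I recall, cdev_add() in fs/char_dev.c is what takes the reference on kobj.parent and the cdev's own release drops it, which is why the ib_umad_device now outlives f_op->release() in __fput(). A comment at the assignment would keep a future reordering (setting the parent after cdev_add(), or moving it into a helper) from silently reintroducing the use-after-free, e.g. `/* cdev_add() pins kobj.parent until the cdev's last cdev_put(); keeps umad_dev alive past f_op->release() */`. On the err_cdev path below, cdev_add() failed and so took no parent reference, so there is nothing to undo for it; that is worth a line at the err label, which lies outside this hunk. ib_umad_init_port() starts and ends outside the hunk.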
> @@ -1053,6 +1059,7 @@ static int ib_umad_init_port(struct ib_device *device, int port_num,
> base += IB_UMAD_MAX_PORTS;
> cdev_init(&port->sm_cdev, &umad_sm_fops);
> port->sm_cdev.owner = THIS_MODULE;
> + port->sm_cdev.kobj.parent = &umad_dev->kobj;
> kobject_set_name(&port->sm_cdev.kobj, "issm%d", port->dev_num);
> if (cdev_add(&port->sm_cdev, base, 1))
> goto err_sm_cdev;
> @@ -1146,7 +1153,7 @@ static void ib_umad_add_one(struct ib_device *device)
> if (!umad_dev)
> return;
>
> - kref_init(&umad_dev->ref);
> + kobject_init(&umad_dev->kobj, &ib_umad_dev_ktype);
>
> umad_dev->start_port = s;
> umad_dev->end_port = e;
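Review bot: kobject_init() at the replaced line, unlike kref_init(), checks the kobject's state_initialized flag and, if I remember correctly, warns with a stack dump when it is already set, so it relies on umad_dev being zero-filled; the allocation is outside this hunk, so please confirm it is kzalloc() rather than kmalloc(). The kobject is also never registered with kobject_add(), which is unusual enough to read like a forgotten step, so a one-line comment here would help: `/* refcount only; never kobject_add()ed, no sysfs entry */`. ib_umad_add_one() starts before and continues after this hunk.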
> @@ -1154,7 +1161,8 @@ static void ib_umad_add_one(struct ib_device *device)
> for (i = s; i <= e; ++i) {
> umad_dev->port[i - s].umad_dev = umad_dev;
>
> - if (ib_umad_init_port(device, i, &umad_dev->port[i - s]))
> + if (ib_umad_init_port(device, i, umad_dev,
> + &umad_dev->port[i - s]))
> goto err;
> }
>
> @@ -1166,7 +1174,7 @@ err:
> while (--i >= s)
> ib_umad_kill_port(&umad_dev->port[i - s]);
>
> - kref_put(&umad_dev->ref, ib_umad_release_dev);
> + kobject_put(&umad_dev->kobj);
> }
>
> static void ib_umad_remove_one(struct ib_device *device)
> @@ -1180,7 +1188,7 @@ static void ib_umad_remove_one(struct ib_device *device)
> for (i = 0; i <= umad_dev->end_port - umad_dev->start_port; ++i)
> ib_umad_kill_port(&umad_dev->port[i]);
>
> - kref_put(&umad_dev->ref, ib_umad_release_dev);
> + kobject_put(&umad_dev->kobj);
> }
>
> static char *umad_devnode(struct device *dev, umode_t *mode)
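Review bot: The replaced `kobject_put(&umad_dev->kobj);` in ib_umad_remove_one() only drops the reference taken by ib_umad_add_one(); when a process still holds a umad or issm fd open, the ib_umad_device stays allocated until the last open file and its cdev drop their references, and with this patch that is the intended behaviour rather than a leak. A short comment would spare the next person who watches the device go away without the kfree() happening, e.g. `/* may not free umad_dev yet: open files and their cdevs still hold references */`. The function's start is outside this hunk.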
There's now an equal number of kobject_init() + kobject_get() calls and
kobject_put() calls (not counting the one in the error path), so this
sounds well balanced.
Regards.
Reviewed-by: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
--
Yann Droneaud
OPTEYA