From: Leon Romanovsky <leon@kernel.org>
To: Doug Ledford <dledford@redhat.com>, Jason Gunthorpe <jgg@nvidia.com>
Cc: Maor Gottlieb <maorg@nvidia.com>,
linux-rdma@vger.kernel.org, netdev@vger.kernel.org,
Saeed Mahameed <saeedm@nvidia.com>,
Yishai Hadas <yishaih@mellanox.com>
Subject: [PATCH rdma-next 3/7] RDMA/mlx5: Avoid use after free in allocate MEMIC bad flow
Date: Thu, 18 Mar 2021 13:15:44 +0200
Message-ID: <20210318111548.674749-4-leon@kernel.org>
In-Reply-To: <20210318111548.674749-1-leon@kernel.org>
From: Maor Gottlieb <maorg@nvidia.com>
When the driver fails to copy the MEMIC address to the user, we
call rdma_user_mmap_entry_remove on the mmap entry. Since in this
state the refcount of the mmap entry is decreased to zero, mmap_free
is triggered and releases the dm object. Therefore we need to avoid
the explicit call to free the dm.
Fixes: dc2316eba73f ("IB/mlx5: Fix device memory flows")
Signed-off-by: Maor Gottlieb <maorg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
drivers/infiniband/hw/mlx5/main.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index 5226664f1bda..d652af720036 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -2375,13 +2375,18 @@ static int handle_alloc_dm_memic(struct ib_ucontext *ctx,
err = mlx5_cmd_alloc_memic(dm_db, &dm->dev_addr,
dm->size, attr->alignment);
- if (err)
+ if (err) {
+ kfree(dm);
return err;
+ }
address = dm->dev_addr & PAGE_MASK;
err = add_dm_mmap_entry(ctx, dm, address);
- if (err)
- goto err_dealloc;
+ if (err) {
+ mlx5_cmd_dealloc_memic(dm_db, dm->dev_addr, dm->size);
+ kfree(dm);
+ return err;
+ }
page_idx = dm->mentry.rdma_entry.start_pgoff & 0xFFFF;
err = uverbs_copy_to(attrs,
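Review bot: the two new error branches after mlx5_cmd_alloc_memic() and add_dm_mmap_entry() open-code the unwind (kfree(dm) in the first, mlx5_cmd_dealloc_memic() plus kfree(dm) in the second), and they move the free of dm into this function while the caller still has its own kfree(dm) path. Please document at the top of handle_alloc_dm_memic() that dm is consumed on every error return. Consider keeping goto-style unwinding, with the labels placed so that err_copy returns before reaching them, which leaves one copy of each cleanup step.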
@@ -2402,8 +2407,6 @@ static int handle_alloc_dm_memic(struct ib_ucontext *ctx,
err_copy:
rdma_user_mmap_entry_remove(&dm->mentry.rdma_entry);
-err_dealloc:
- mlx5_cmd_dealloc_memic(dm_db, dm->dev_addr, dm->size);
return err;
}
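Review bot: err_copy now depends on rdma_user_mmap_entry_remove() alone to release everything, and nothing in the code says so. Per the commit message, that call drops the refcount to zero and mmap_free releases dm. Add a short comment at err_copy stating that dm is released through the mmap entry's free callback and must not be dereferenced after this call, so a later change does not put a dealloc or kfree back below it.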
@@ -2472,9 +2475,7 @@ struct ib_dm *mlx5_ib_alloc_dm(struct ib_device *ibdev,
switch (type) {
case MLX5_IB_UAPI_DM_TYPE_MEMIC:
- err = handle_alloc_dm_memic(context, dm,
- attr,
- attrs);
+ err = handle_alloc_dm_memic(context, dm, attr, attrs);
break;
case MLX5_IB_UAPI_DM_TYPE_STEERING_SW_ICM:
err = handle_alloc_dm_sw_icm(context, dm,
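Review bot: joining the handle_alloc_dm_memic(context, dm, attr, attrs) call onto one line is a whitespace-only change in a patch that carries a Fixes: tag. Dropping it here, or moving it to a separate cleanup patch, keeps the fix minimal and easier to backport.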
@@ -2496,7 +2497,9 @@ struct ib_dm *mlx5_ib_alloc_dm(struct ib_device *ibdev,
return &dm->ibdm;
err_free:
- kfree(dm);
+ /* In MEMIC error flow, dm will be freed internally */
+ if (type != MLX5_IB_UAPI_DM_TYPE_MEMIC)
+ kfree(dm);
return ERR_PTR(err);
}
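Review bot: the new "if (type != MLX5_IB_UAPI_DM_TYPE_MEMIC)" test at err_free ties the free to the DM type rather than to who owns dm at that point. It is only correct if every jump to err_free with a MEMIC type happens after handle_alloc_dm_memic() has failed. A jump taken earlier would leak dm, and the jump sites are not visible in this hunk. Please confirm that, or give all the handlers the same contract (either each frees dm on failure or none does) so that err_free needs no type check.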
--
2.30.2