From: Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Matan Barak <matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Or Gerlitz <ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Jason Gunthorpe
<jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>,
Eran Ben Elisha <eranbe-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: Re: [PATCH rdma-cm] IB/core: Fix use after free of ifa
Date: Tue, 20 Oct 2015 16:17:34 -0400
Message-ID: <5626A15E.7080800@redhat.com>
In-Reply-To: <1444910463-5688-2-git-send-email-matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
On 10/15/2015 08:01 AM, Matan Barak wrote:
> When using ifup/ifdown while executing enum_netdev_ipv4_ips,
> ifa could become invalid and cause use after free error.
> Fixing it by protecting with RCU lock.
>
> Fixes: 03db3a2d81e6 ('IB/core: Add RoCE GID table management')
> Signed-off-by: Matan Barak <matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
This is in my tree for -rc. Thanks.
> ---
>
> Hi Doug,
>
> This patch fixes a bug in the RoCE GID table implementation. Under stress conditions
> where ifup/ifdown are used, the ifa pointer could become invalid. Using an
> RCU lock in order to avoid freeing the ifa node (as done in other inet functions,
> for example, inet_addr_onlink).
>
> Our QA team verified that this patch fixes this issue.
>
> Thanks,
> Matan
>
> drivers/infiniband/core/roce_gid_mgmt.c | 35 +++++++++++++++++++++++++--------
> 1 file changed, 27 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/infiniband/core/roce_gid_mgmt.c b/drivers/infiniband/core/roce_gid_mgmt.c
> index 6b24cba..178f984 100644
> --- a/drivers/infiniband/core/roce_gid_mgmt.c
> +++ b/drivers/infiniband/core/roce_gid_mgmt.c
> @@ -250,25 +250,44 @@ static void enum_netdev_ipv4_ips(struct ib_device *ib_dev,
> u8 port, struct net_device *ndev)
> {
> struct in_device *in_dev;
> + struct sin_list {
> + struct list_head list;
> + struct sockaddr_in ip;
> + };
> + struct sin_list *sin_iter;
> + struct sin_list *sin_temp;
>
> + LIST_HEAD(sin_list);
> if (ndev->reg_state >= NETREG_UNREGISTERING)
> return;
>
> - in_dev = in_dev_get(ndev);
> - if (!in_dev)
> + rcu_read_lock();
> + in_dev = __in_dev_get_rcu(ndev);
> + if (!in_dev) {
> + rcu_read_unlock();
> return;
> + }
>
> for_ifa(in_dev) {
> - struct sockaddr_in ip;
> + struct sin_list *entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
>
> - ip.sin_family = AF_INET;
> - ip.sin_addr.s_addr = ifa->ifa_address;
> - update_gid_ip(GID_ADD, ib_dev, port, ndev,
> - (struct sockaddr *)&ip);
> + if (!entry) {
> + pr_warn("roce_gid_mgmt: couldn't allocate entry for IPv4 update\n");
> + continue;
> + }
> + entry->ip.sin_family = AF_INET;
> + entry->ip.sin_addr.s_addr = ifa->ifa_address;
> + list_add_tail(&entry->list, &sin_list);
> }
> endfor_ifa(in_dev);
> + rcu_read_unlock();
>
> - in_dev_put(in_dev);
> + list_for_each_entry_safe(sin_iter, sin_temp, &sin_list, list) {
> + update_gid_ip(GID_ADD, ib_dev, port, ndev,
> + (struct sockaddr *)&sin_iter->ip);
> + list_del(&sin_iter->list);
> + kfree(sin_iter);
> + }
> }
>
> static void enum_netdev_ipv6_ips(struct ib_device *ib_dev,
>
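Review bot: In the for_ifa() loop, a failed kzalloc(sizeof(*entry), GFP_ATOMIC) only logs pr_warn and continues, so that IPv4 address never reaches update_gid_ip(GID_ADD, ...) and, because the function returns void, the caller gets no sign that the GID table is incomplete. Consider including ndev->name in the warning so the skipped interface can be identified, and state in the commit message why the addresses are copied to a temporary list with update_gid_ip() called only after rcu_read_unlock(), since that split is what forces the atomic allocation. Separately, the local type struct sin_list and the LIST_HEAD(sin_list) variable share a name; this is legal C, but renaming one of them would make the list_for_each_entry_safe() call easier to read.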
--
Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
GPG KeyID: 0E572FDD