From: Jason Gunthorpe <jgg@nvidia.com>
To: Leon Romanovsky <leon@kernel.org>
Cc: Doug Ledford <dledford@redhat.com>,
Shay Drory <shayd@mellanox.com>,
"Jack Morgenstein" <jackm@dev.mellanox.co.il>,
<linux-rdma@vger.kernel.org>,
"Maor Gottlieb" <maorg@mellanox.com>,
"willy@infradead.org" <willy@infradead.org>
Subject: Re: [PATCH rdma-next 1/4] IB/mad: Fix use after free when destroying MAD agent
Date: Mon, 22 Jun 2020 15:00:51 -0300
Message-ID: <20200622180051.GA2896631@mellanox.com>
In-Reply-To: <20200621104738.54850-2-leon@kernel.org>
On Sun, Jun 21, 2020 at 01:47:35PM +0300, Leon Romanovsky wrote:
> From: Shay Drory <shayd@mellanox.com>
>
> Currently, when RMPP MADs are processed while the MAD agent is
> destroyed, it could result in use after free of rmpp_recv, as
> described below:
>
> cpu-0                                          cpu-1
> -----                                          -----
> ib_mad_recv_done()
>  ib_mad_complete_recv()
>   ib_process_rmpp_recv_wc()
>                                                unregister_mad_agent()
>                                                 ib_cancel_rmpp_recvs()
>                                                  cancel_delayed_work()
>    process_rmpp_data()
>     start_rmpp()
>      queue_delayed_work(rmpp_recv->cleanup_work)
>                                                  destroy_rmpp_recv()
>                                                   free_rmpp_recv()
>      cleanup_work()[1]
>       spin_lock_irqsave(&rmpp_recv->agent->lock)->use after free
>
> [1] cleanup_work() == recv_cleanup_handler
>
> Fix it by waiting for the MAD agent reference count becoming zero before
> calling to ib_cancel_rmpp_recvs().
>
> Fixes: 9a41e38a467c ("IB/mad: Use IDR for agent IDs")
> Signed-off-by: Shay Drory <shayd@mellanox.com>
> Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
> Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> ---
> drivers/infiniband/core/mad.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Applied to for-rc thanks
Jason
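
The interleaving in the quoted commit message, as an added example that is not part of the email or the kernel patch: a single-threaded userspace model in C in which the cpu-0 handler is scheduled deterministically into the window between cancel and free. The struct layout and the helpers `recv_handler_finish`, `wait_for_refs` and `unregister_leaves_stale_work` are hypothetical names for illustration; only the step names in the comments come from the trace.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; names follow the trace, bodies are constructed. */
struct rmpp_recv { bool freed, work_pending; };
struct mad_agent {
    int refcount;               /* one per in-flight receive handler */
    struct rmpp_recv recv;
};

/* cpu-0: tail of the receive path (start_rmpp() in the trace). */
static void recv_handler_finish(struct mad_agent *a)
{
    a->recv.work_pending = true;    /* queue_delayed_work(cleanup_work) */
    a->refcount--;                  /* handler drops its agent reference */
}

/* Waiting for refcount zero means letting in-flight handlers finish. */
static void wait_for_refs(struct mad_agent *a)
{
    while (a->refcount > 0)
        recv_handler_finish(a);
}

/* cpu-1: cancel pending work, then free; a handler still holding a ref runs in between. */
static void cancel_rmpp_recvs(struct mad_agent *a)
{
    a->recv.work_pending = false;   /* cancel_delayed_work() */
    if (a->refcount > 0)
        recv_handler_finish(a);     /* cpu-0 runs inside the window */
    a->recv.freed = true;           /* destroy_rmpp_recv(), free_rmpp_recv() */
}

/* Returns true if cleanup work is left queued against a freed rmpp_recv. */
static bool unregister_leaves_stale_work(bool wait_before_cancel)
{
    struct mad_agent a = { .refcount = 1 };  /* one receive in flight */
    if (wait_before_cancel)
        wait_for_refs(&a);          /* ordering the commit message describes */
    cancel_rmpp_recvs(&a);
    return a.recv.freed && a.recv.work_pending;
}

int main(void)
{
    printf("cancel first: stale work = %d\n", unregister_leaves_stale_work(false));
    printf("wait first:   stale work = %d\n", unregister_leaves_stale_work(true));
    return 0;
}
```

In the model, stale work queued against a freed `rmpp_recv` marks the point where the trace shows `spin_lock_irqsave()` touching freed memory.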