linux/drivers/infiniband/core
Divya Indi fd3a612d98 IB/sa: Resolv use-after-free in ib_nl_make_request()
[ Upstream commit f427f4d621 ]

There is a race condition where ib_nl_make_request() inserts the request
data into the linked list but the timer in ib_nl_request_timeout() can see
it and destroy it before ib_nl_send_msg() is done touching it. This could
happen, for instance, if there is a long delay allocating memory during
nlmsg_new().

This causes a use-after-free in the send_mad() thread:

  [<ffffffffa02f43cb>] ? ib_pack+0x17b/0x240 [ib_core]
  [<ffffffffa032aef1>] ib_sa_path_rec_get+0x181/0x200 [ib_sa]
  [<ffffffffa0379db0>] rdma_resolve_route+0x3c0/0x8d0 [rdma_cm]
  [<ffffffffa0374450>] ? cma_bind_port+0xa0/0xa0 [rdma_cm]
  [<ffffffffa040f850>] ? rds_rdma_cm_event_handler_cmn+0x850/0x850 [rds_rdma]
  [<ffffffffa040f22c>] rds_rdma_cm_event_handler_cmn+0x22c/0x850 [rds_rdma]
  [<ffffffffa040f860>] rds_rdma_cm_event_handler+0x10/0x20 [rds_rdma]
  [<ffffffffa037778e>] addr_handler+0x9e/0x140 [rdma_cm]
  [<ffffffffa026cdb4>] process_req+0x134/0x190 [ib_addr]
  [<ffffffff810a02f9>] process_one_work+0x169/0x4a0
  [<ffffffff810a0b2b>] worker_thread+0x5b/0x560
  [<ffffffff810a0ad0>] ? flush_delayed_work+0x50/0x50
  [<ffffffff810a68fb>] kthread+0xcb/0xf0
  [<ffffffff816ec49a>] ? __schedule+0x24a/0x810
  [<ffffffff816ec49a>] ? __schedule+0x24a/0x810
  [<ffffffff810a6830>] ? kthread_create_on_node+0x180/0x180
  [<ffffffff816f25a7>] ret_from_fork+0x47/0x90
  [<ffffffff810a6830>] ? kthread_create_on_node+0x180/0x180

The ownership rule is once the request is on the list, ownership transfers
to the list and the local thread can't touch it any more, just like for
the normal MAD case in send_mad().

Thus, instead of adding before send and then trying to delete after on
errors, move the entire thing under the spinlock so that the send and
update of the lists are atomic to the concurrent threads. Lightly reorganize
things so spinlock safe memory allocations are done in the final NL send
path and the rest of the setup work is done before and outside the lock.

Fixes: 3ebd2fd0d0 ("IB/sa: Put netlink request into the request list before sending")
Link: https://lore.kernel.org/r/1592964789-14533-1-git-send-email-divya.indi@oracle.com
Signed-off-by: Divya Indi <divya.indi@oracle.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-07-16 08:16:38 +02:00
Makefile RDMA/counter: Add set/clear per-port auto mode support 2019-07-05 10:22:54 -03:00
addr.c RDMA/netlink: Do not always generate an ACK for some netlink operations 2020-02-14 16:34:08 -05:00
agent.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
agent.h
cache.c IB/core: Fix potential NULL pointer dereference in pkey cache 2020-05-20 08:20:26 +02:00
cgroup.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
cm.c RDMA/cm: Fix an error check in cm_alloc_id_priv() 2020-05-06 08:15:13 +02:00
cm_msgs.h RDMA: Use __packed annotation instead of __attribute__ ((packed)) 2019-03-25 21:14:12 -03:00
cma.c RDMA/cma: Protect bind_list and listen_list while finding matching cm id 2020-06-30 15:36:57 -04:00
cma_configfs.c IB/cma: Fix ports memory leak in cma_configfs 2020-06-24 17:50:32 +02:00
cma_priv.h IB/cma: Define option to set ack timeout and pack tos_set 2019-02-08 16:14:21 -07:00
core_priv.h RDMA/core: Fix protection fault in ib_mr_pool_destroy 2020-03-12 13:00:29 +01:00
counters.c RDMA/counter: Query a counter before release 2020-07-09 09:37:52 +02:00
cq.c rdma: Enable ib_alloc_cq to spread work over a device's comp_vectors 2019-08-05 11:50:32 -04:00
device.c RDMA/core: Fix missing error check on dev_set_name() 2020-04-01 11:01:58 +02:00
fmr_pool.c RDMA: Delete DEBUG code 2019-08-20 13:27:53 -04:00
iwcm.c RDMA/iwcm: Fix iwcm work deallocation 2020-03-12 13:00:29 +01:00
iwcm.h
iwpm_msg.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.h RDMA/IWPM: Support no port mapping requirements 2019-02-04 16:26:02 -07:00
mad.c RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads() 2020-06-30 15:36:58 -04:00
mad_priv.h RDMA: Use __packed annotation instead of __attribute__ ((packed)) 2019-03-25 21:14:12 -03:00
mad_rmpp.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
mad_rmpp.h
mr_pool.c Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
multicast.c IB/core, ipoib: Do not overreact to SM LID change event 2019-05-07 16:06:03 -03:00
netlink.c IB/core: Avoid deadlock during netlink message handling 2019-10-24 20:49:37 -03:00
nldev.c RDMA/core: Fix double put of resource 2020-05-20 08:20:26 +02:00
opa_smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
packer.c
rdma_core.c RDMA/core: Fix double destruction of uobject 2020-06-03 08:21:25 +02:00
rdma_core.h RDMA/core: Clear out the udata before error unwind 2019-05-27 14:35:26 -03:00
restrack.c RDMA/restrack: Rewrite PID namespace check to be reliable 2019-08-20 13:44:44 -04:00
restrack.h RDMA/restrack: Make is_visible_in_pid_ns() as an API 2019-07-05 10:22:54 -03:00
roce_gid_mgmt.c drivers: use in_dev_for_each_ifa_rtnl/rcu 2019-06-02 18:06:26 -07:00
rw.c RDMA/rw: Fix error flow during RDMA context initialization 2020-03-12 13:00:29 +01:00
sa.h
sa_query.c IB/sa: Resolv use-after-free in ib_nl_make_request() 2020-07-16 08:16:38 +02:00
security.c RDMA/core: Ensure security pkey modify is not lost 2020-04-01 11:02:04 +02:00
smi.c
smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
sysfs.c RDMA/core: Fix several reference count leaks. 2020-06-24 17:50:17 +02:00
ucma.c RDMA/ucma: Put a lock around every call to the rdma_cm layer 2020-04-13 10:48:12 +02:00
ud_header.c
umem.c RDMA/umem: Fix ib_umem_find_best_pgsz() 2020-02-14 16:34:08 -05:00
umem_odp.c IB/core: Fix ODP get user pages flow 2020-02-11 04:35:46 -08:00
user_mad.c RDMA/mad: Do not crash if the rdma device does not have a umad interface 2020-04-01 11:01:58 +02:00
uverbs.h RDMA/uverbs: Prevent potential underflow 2019-10-22 15:05:36 -03:00
uverbs_cmd.c RDMA/core: Fix protection fault in ib_mr_pool_destroy 2020-03-12 13:00:29 +01:00
uverbs_ioctl.c mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options 2019-07-12 11:05:46 -07:00
uverbs_main.c RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated 2020-06-17 16:40:22 +02:00
uverbs_marshall.c
uverbs_std_types.c IB: Remove 'uobject->context' dependency in object destroy APIs 2019-04-01 14:59:35 -03:00
uverbs_std_types_counters.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_cq.c Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
uverbs_std_types_device.c IB/uverbs: Fix ioctl query port to consider device disassociation 2019-01-25 11:58:06 -07:00
uverbs_std_types_dm.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_flow_action.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_mr.c Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
uverbs_uapi.c RDMA: Move driver_id into struct ib_device_ops 2019-06-10 16:56:02 -03:00
verbs.c RDMA/core: Fix protection fault in ib_mr_pool_destroy 2020-03-12 13:00:29 +01:00