system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-10-07 11:53:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/drivers/infiniband/core
History
Divya Indi f427f4d621 IB/sa: Resolv use-after-free in ib_nl_make_request() 
There is a race condition where ib_nl_make_request() inserts the request
data into the linked list but the timer in ib_nl_request_timeout() can see
it and destroy it before ib_nl_send_msg() is done touching it. This could
happen, for instance, if there is a long delay allocating memory during
nlmsg_new()

This causes a use-after-free in the send_mad() thread:

  [<ffffffffa02f43cb>] ? ib_pack+0x17b/0x240 [ib_core]
  [ <ffffffffa032aef1>] ib_sa_path_rec_get+0x181/0x200 [ib_sa]
  [<ffffffffa0379db0>] rdma_resolve_route+0x3c0/0x8d0 [rdma_cm]
  [<ffffffffa0374450>] ? cma_bind_port+0xa0/0xa0 [rdma_cm]
  [<ffffffffa040f850>] ? rds_rdma_cm_event_handler_cmn+0x850/0x850 [rds_rdma]
  [<ffffffffa040f22c>] rds_rdma_cm_event_handler_cmn+0x22c/0x850 [rds_rdma]
  [<ffffffffa040f860>] rds_rdma_cm_event_handler+0x10/0x20 [rds_rdma]
  [<ffffffffa037778e>] addr_handler+0x9e/0x140 [rdma_cm]
  [<ffffffffa026cdb4>] process_req+0x134/0x190 [ib_addr]
  [<ffffffff810a02f9>] process_one_work+0x169/0x4a0
  [<ffffffff810a0b2b>] worker_thread+0x5b/0x560
  [<ffffffff810a0ad0>] ? flush_delayed_work+0x50/0x50
  [<ffffffff810a68fb>] kthread+0xcb/0xf0
  [<ffffffff816ec49a>] ? __schedule+0x24a/0x810
  [<ffffffff816ec49a>] ? __schedule+0x24a/0x810
  [<ffffffff810a6830>] ? kthread_create_on_node+0x180/0x180
  [<ffffffff816f25a7>] ret_from_fork+0x47/0x90
  [<ffffffff810a6830>] ? kthread_create_on_node+0x180/0x180

The ownership rule is once the request is on the list, ownership transfers
to the list and the local thread can't touch it any more, just like for
the normal MAD case in send_mad().

Thus, instead of adding before send and then trying to delete after on
errors, move the entire thing under the spinlock so that the send and
update of the lists are atomic to the conurrent threads. Lightly reoganize
things so spinlock safe memory allocations are done in the final NL send
path and the rest of the setup work is done before and outside the lock.

Fixes: 3ebd2fd0d0 ("IB/sa: Put netlink request into the request list before sending")
Link: https://lore.kernel.org/r/1592964789-14533-1-git-send-email-divya.indi@oracle.com
Signed-off-by: Divya Indi <divya.indi@oracle.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2020-07-02 16:05:12 -03:00
..
addr.c RDMA/addr: Mark addr_resolve as might_sleep() 2020-05-12 21:32:52 -03:00
agent.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
agent.h
cache.c IB/core: Fix potential NULL pointer dereference in pkey cache 2020-05-12 11:47:48 -03:00
cgroup.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
cm.c RDMA/core: Annotate CMA unlock helper routine 2020-06-18 09:34:42 -03:00
cm_msgs.h RDMA/cm: Remove CM message structs 2020-01-25 15:11:37 -04:00
cma.c RDMA/cma: Protect bind_list and listen_list while finding matching cm id 2020-06-18 09:48:54 -03:00
cma_configfs.c IB/cma: Fix ports memory leak in cma_configfs 2020-05-22 15:37:19 -03:00
cma_priv.h RDMA/ucma: Extend ucma_connect to receive ECE parameters 2020-05-27 16:05:05 -03:00
cma_trace.c RDMA/cma: Add trace points in RDMA Connection Manager 2020-01-07 16:10:53 -04:00
cma_trace.h RDMA/core: Move and rename trace_cm_id_create() 2020-06-02 20:32:54 -03:00
core_priv.h RDMA/core: Introduce shared CQ pool API 2020-05-29 16:09:02 -03:00
counters.c RDMA/counter: Query a counter before release 2020-06-22 14:36:56 -03:00
cq.c RDMA/core: Introduce shared CQ pool API 2020-05-29 16:09:02 -03:00
device.c RDMA/core: Remove FMR device ops 2020-06-02 20:32:54 -03:00
ib_core_uverbs.c RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence 2020-01-25 14:48:33 -04:00
iwcm.c RDMA/iwcm: Fix iwcm work deallocation 2020-03-04 14:28:25 -04:00
iwcm.h
iwpm_msg.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.h infiniband: fix core/ipwm_util.h kernel-doc warnings 2019-10-22 14:45:31 -03:00
lag.c RDMA/core: Consider flow label when building skb 2020-05-06 16:51:43 -03:00
mad.c IB/mad: Fix use after free when destroying MAD agent 2020-06-22 14:57:44 -03:00
mad_priv.h RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
mad_rmpp.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
mad_rmpp.h
Makefile RDMA/core: Remove FMR pool API 2020-06-02 20:32:53 -03:00
mr_pool.c Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
multicast.c RDMA: Allow ib_client's to fail when add() is called 2020-05-06 11:57:33 -03:00
netlink.c IB/core: Avoid deadlock during netlink message handling 2019-10-24 20:49:37 -03:00
nldev.c RDMA/core: Fix double put of resource 2020-05-12 11:47:48 -03:00
opa_smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
packer.c
rdma_core.c RDMA/core: Check that type_attrs is not NULL prior access 2020-06-18 10:59:21 -03:00
rdma_core.h IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
restrack.c RDMA/restrack: Remove PID namespace support 2019-10-23 15:58:31 -03:00
restrack.h RDMA/restrack: Remove PID namespace support 2019-10-23 15:58:31 -03:00
roce_gid_mgmt.c drivers: use in_dev_for_each_ifa_rtnl/rcu 2019-06-02 18:06:26 -07:00
rw.c RDMA/rw: use DIV_ROUND_UP to calculate nr_ops 2020-04-15 11:34:49 -03:00
sa.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
sa_query.c IB/sa: Resolv use-after-free in ib_nl_make_request() 2020-07-02 16:05:12 -03:00
security.c RDMA/core: Ensure security pkey modify is not lost 2020-03-24 19:53:25 -03:00
smi.c
smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
sysfs.c RDMA/core: Fix several reference count leaks. 2020-05-29 15:35:49 -03:00
trace.c RDMA/core: Trace points for diagnosing completion queue issues 2020-01-07 16:10:53 -04:00
ucma.c RDMA/cma: Provide ECE reject reason 2020-05-27 16:05:05 -03:00
ud_header.c RDMA/core: Use sizeof_field() helper 2020-05-27 13:46:05 -03:00
umem.c RDMA/core: Add weak ordering dma attr to dma mapping 2020-02-13 13:38:02 -04:00
umem_odp.c mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
user_mad.c RDMA: Allow ib_client's to fail when add() is called 2020-05-06 11:57:33 -03:00
uverbs.h IB/uverbs: Extend CQ to get its own asynchronous event FD 2020-05-21 20:34:53 -03:00
uverbs_cmd.c RDMA: Remove 'max_map_per_fmr' 2020-06-02 20:32:54 -03:00
uverbs_ioctl.c RDMA/core: Use sizeof_field() helper 2020-05-27 13:46:05 -03:00
uverbs_main.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
uverbs_marshall.c
uverbs_std_types.c IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
uverbs_std_types_async_fd.c RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj 2020-05-12 17:02:25 -03:00
uverbs_std_types_counters.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_cq.c IB/uverbs: Extend CQ to get its own asynchronous event FD 2020-05-21 20:34:53 -03:00
uverbs_std_types_device.c RDMA/core: Add the core support field to METHOD_GET_CONTEXT 2020-01-16 15:55:46 -04:00
uverbs_std_types_dm.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_flow_action.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_mr.c RDMA/core: Allow the ioctl layer to abort a fully created uobject 2020-05-21 20:10:46 -03:00
uverbs_std_types_qp.c IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
uverbs_std_types_srq.c IB/uverbs: Introduce create/destroy SRQ commands over ioctl 2020-05-21 20:39:35 -03:00
uverbs_std_types_wq.c IB/uverbs: Introduce create/destroy WQ commands over ioctl 2020-05-21 20:39:35 -03:00
uverbs_uapi.c IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
verbs.c RDMA/core: Remove FMR device ops 2020-06-02 20:32:54 -03:00