From patchwork Tue Sep 23 09:38:26 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Or Gerlitz <ogerlitz@mellanox.com>
X-Patchwork-Id: 4954531
Return-Path: <linux-rdma-owner@kernel.org>
X-Original-To: patchwork-linux-rdma@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 350DFBEEA5
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Tue, 23 Sep 2014 09:38:39 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 519A9201DD
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Tue, 23 Sep 2014 09:38:38 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id C8B922021A
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Tue, 23 Sep 2014 09:38:36 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754785AbaIWJig (ORCPT
	<rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
	Tue, 23 Sep 2014 05:38:36 -0400
Received: from mailp.voltaire.com ([193.47.165.129]:53802 "EHLO
	mellanox.co.il"
	rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP
	id S1753883AbaIWJif (ORCPT <rfc822;linux-rdma@vger.kernel.org>);
	Tue, 23 Sep 2014 05:38:35 -0400
Received: from Internal Mail-Server by MTLPINE1 (envelope-from
	ogerlitz@mellanox.com)
	with ESMTPS (AES256-SHA encrypted); 23 Sep 2014 12:38:29 +0300
Received: from r-vnc04.mtr.labs.mlnx (r-vnc04.mtr.labs.mlnx [10.208.0.116])
	by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id s8N9cTeb012876;
	Tue, 23 Sep 2014 12:38:29 +0300
From: Or Gerlitz <ogerlitz@mellanox.com>
To: Roland Dreier <roland@kernel.org>
Cc: linux-rdma@vger.kernel.org, Jack Morgenstein <jackm@dev.mellanox.co.il>,
	Or Gerlitz <ogerlitz@mellanox.com>
Subject: [PATCH] IB/core: Fix race condition in ib_uverbs_open_qp
Date: Tue, 23 Sep 2014 12:38:26 +0300
Message-Id: <1411465106-3117-1-git-send-email-ogerlitz@mellanox.com>
X-Mailer: git-send-email 1.7.8.2
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

In ib_uverbs_open_qp, the sharable xrc target qp is created as a "pseudo" qp
and added to a list of qp's sharing the same physical QP. This is done before
the "pseudo" qp is assigned a uobject.

There is a race condition here if an async event arrives at the physical qp.
If the event is handled after the pseudo qp is added to the list, but before
it is assigned a uobject, the kernel crashes in ib_uverbs_qp_event_handler,
due to trying to dereference a NULL uobject pointer.

Note that simply checking for non-NULL is not enough, due to error flows
in ib_uverbs_open_qp. If the failure is after assigning the uobject, but
before the qp has fully been created, we still have a problem.

Thus, in ib_uverbs_qp_event_handler, we test that the uobject is present,
and also that it is live.

Reported-by: Matthew Finlay <matt@mellanox.com>
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
---
 drivers/infiniband/core/uverbs_main.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
index c73b22a..bb6fea1 100644
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -502,6 +502,10 @@ void ib_uverbs_qp_event_handler(struct ib_event *event, void *context_ptr)
 {
 	struct ib_uevent_object *uobj;
 
+	/* for XRC target qp's, check that qp is live */
+	if (!event->element.qp->uobject || !event->element.qp->uobject->live)
+		return;
+
 	uobj = container_of(event->element.qp->uobject,
 			    struct ib_uevent_object, uobject);