From patchwork Thu Oct 15 12:01:03 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Matan Barak <matanb@mellanox.com>
X-Patchwork-Id: 7405291
Return-Path: <linux-rdma-owner@kernel.org>
X-Original-To: patchwork-linux-rdma@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 34E8F9F302
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Thu, 15 Oct 2015 12:03:45 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 53AEE2073F
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Thu, 15 Oct 2015 12:03:44 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 6BF222074E
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Thu, 15 Oct 2015 12:03:43 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752983AbbJOMDm (ORCPT
	<rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
	Thu, 15 Oct 2015 08:03:42 -0400
Received: from [193.47.165.129] ([193.47.165.129]:36335 "EHLO mellanox.co.il"
	rhost-flags-FAIL-FAIL-OK-FAIL) by vger.kernel.org with ESMTP
	id S1752483AbbJOMDm (ORCPT <rfc822;linux-rdma@vger.kernel.org>);
	Thu, 15 Oct 2015 08:03:42 -0400
Received: from Internal Mail-Server by MTLPINE1 (envelope-from
	matanb@mellanox.com)
	with ESMTPS (AES256-SHA encrypted); 15 Oct 2015 14:03:19 +0200
Received: from rsws33.mtr.labs.mlnx (dev-r-vrt-064.mtr.labs.mlnx
	[10.212.64.1])
	by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id t9FC3BDi020615;
	Thu, 15 Oct 2015 15:03:18 +0300
From: Matan Barak <matanb@mellanox.com>
To: Doug Ledford <dledford@redhat.com>
Cc: linux-rdma@vger.kernel.org, Or Gerlitz <ogerlitz@mellanox.com>,
	Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
	Matan Barak <matanb@mellanox.com>, Eran Ben Elisha <eranbe@mellanox.com>
Subject: [PATCH rdma-cm] IB/core: Fix use after free of ifa
Date: Thu, 15 Oct 2015 15:01:03 +0300
Message-Id: <1444910463-5688-2-git-send-email-matanb@mellanox.com>
X-Mailer: git-send-email 2.1.0
In-Reply-To: <1444910463-5688-1-git-send-email-matanb@mellanox.com>
References: <1444910463-5688-1-git-send-email-matanb@mellanox.com>
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

When using ifup/ifdown while executing enum_netdev_ipv4_ips,
ifa could become invalid and cause use after free error.
Fixing it by protecting with RCU lock.

Fixes: 03db3a2d81e6 ('IB/core: Add RoCE GID table management')
Signed-off-by: Matan Barak <matanb@mellanox.com>
---

Hi Doug,

This patch fixes a bug in RoCE GID table implementation. Under stress conditions
where ifup/ifdown are used, the ifa pointer could become invalid. Using a
RCU lock in order to avoid freeing the ifa node (as done in other inet functions
(for example, inet_addr_onlink).

Our QA team verified that this patch fixes this issue.

Thanks,
Matan

 drivers/infiniband/core/roce_gid_mgmt.c | 35 +++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/drivers/infiniband/core/roce_gid_mgmt.c b/drivers/infiniband/core/roce_gid_mgmt.c
index 6b24cba..178f984 100644
--- a/drivers/infiniband/core/roce_gid_mgmt.c
+++ b/drivers/infiniband/core/roce_gid_mgmt.c
@@ -250,25 +250,44 @@ static void enum_netdev_ipv4_ips(struct ib_device *ib_dev,
 				 u8 port, struct net_device *ndev)
 {
 	struct in_device *in_dev;
+	struct sin_list {
+		struct list_head	list;
+		struct sockaddr_in	ip;
+	};
+	struct sin_list *sin_iter;
+	struct sin_list *sin_temp;
 
+	LIST_HEAD(sin_list);
 	if (ndev->reg_state >= NETREG_UNREGISTERING)
 		return;
 
-	in_dev = in_dev_get(ndev);
-	if (!in_dev)
+	rcu_read_lock();
+	in_dev = __in_dev_get_rcu(ndev);
+	if (!in_dev) {
+		rcu_read_unlock();
 		return;
+	}
 
 	for_ifa(in_dev) {
-		struct sockaddr_in ip;
+		struct sin_list *entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
 
-		ip.sin_family = AF_INET;
-		ip.sin_addr.s_addr = ifa->ifa_address;
-		update_gid_ip(GID_ADD, ib_dev, port, ndev,
-			      (struct sockaddr *)&ip);
+		if (!entry) {
+			pr_warn("roce_gid_mgmt: couldn't allocate entry for IPv4 update\n");
+			continue;
+		}
+		entry->ip.sin_family = AF_INET;
+		entry->ip.sin_addr.s_addr = ifa->ifa_address;
+		list_add_tail(&entry->list, &sin_list);
 	}
 	endfor_ifa(in_dev);
+	rcu_read_unlock();
 
-	in_dev_put(in_dev);
+	list_for_each_entry_safe(sin_iter, sin_temp, &sin_list, list) {
+		update_gid_ip(GID_ADD, ib_dev, port, ndev,
+			      (struct sockaddr *)&sin_iter->ip);
+		list_del(&sin_iter->list);
+		kfree(sin_iter);
+	}
 }
 
 static void enum_netdev_ipv6_ips(struct ib_device *ib_dev,