From patchwork Tue Apr 16 12:13:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leon Romanovsky X-Patchwork-Id: 10902905 X-Patchwork-Delegate: jgg@ziepe.ca Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 15EB017E1 for ; Tue, 16 Apr 2019 12:13:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EB48028618 for ; Tue, 16 Apr 2019 12:13:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DCE16289D0; Tue, 16 Apr 2019 12:13:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7D557289D6 for ; Tue, 16 Apr 2019 12:13:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727901AbfDPMNQ (ORCPT ); Tue, 16 Apr 2019 08:13:16 -0400 Received: from mail.kernel.org ([198.145.29.99]:39130 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726907AbfDPMNQ (ORCPT ); Tue, 16 Apr 2019 08:13:16 -0400 Received: from localhost (unknown [193.47.165.251]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5A083206BA; Tue, 16 Apr 2019 12:13:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1555416795; bh=MLzwpCZm28gVqku4F0Q2gTTidiEsCAUJ80GdNKo+8xU=; h=From:To:Cc:Subject:Date:From; b=rawP4d/0seCN8DyFHQVAX2zWkDbGXUgt9/l2pBeJ1Q6xOL6lkh+Q09KHPUgNiKbPO cZIjwGvfW7gd8cE/spLLbaG5W7Rz/3vMs9vltbDsKDHMTQGS55zl//CVIy102irVCb 79QpYvWQ2JW00lRVJqxrEeFMVw8/9s7trxP94tzM= From: Leon Romanovsky To: Doug Ledford , Jason Gunthorpe Cc: Leon Romanovsky , RDMA mailing list , "Ruhl, Michael J" , "Marciniszyn, Mike" , "Dalessandro, Dennis" Subject: [PATCH rdma-next] RDMA/rdmavt: Catch use-after-free access of AH structures Date: Tue, 16 Apr 2019 15:13:10 +0300 Message-Id: <20190416121310.20783-1-leon@kernel.org> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Leon Romanovsky Prior to commit d345691471b4 ("RDMA: Handle AH allocations by IB/core"), AH destroy path is rdmavt returned -EBUSY warning to application and caused to potential leakage of kernel memory of AH structure. After that commit, the AH structure is always freed but such early return in driver code can potentially cause to use-after-free error. Add warning to catch such situation to help driver developers to fix AH release path. Signed-off-by: Leon Romanovsky --- drivers/infiniband/sw/rdmavt/ah.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) -- 2.20.1 diff --git a/drivers/infiniband/sw/rdmavt/ah.c b/drivers/infiniband/sw/rdmavt/ah.c index e6f7e4689d4d..0e147b32cbe9 100644 --- a/drivers/infiniband/sw/rdmavt/ah.c +++ b/drivers/infiniband/sw/rdmavt/ah.c @@ -141,8 +141,7 @@ void rvt_destroy_ah(struct ib_ah *ibah, u32 destroy_flags) struct rvt_ah *ah = ibah_to_rvtah(ibah); unsigned long flags; - if (atomic_read(&ah->refcount) != 0) - return; + WARN_ON_ONCE(atomic_read(&ah->refcount)); spin_lock_irqsave(&dev->n_ahs_lock, flags); dev->n_ahs_allocated--;