On Sun, Jun 21, 2020 at 01:47:35PM +0300, Leon Romanovsky wrote:
> From: Shay Drory <shayd@xxxxxxxxxxxx>
> 
> Currently, when RMPP MADs are processed while the MAD agent is
> destroyed, it could result in a use after free of rmpp_recv, as
> described below:
> 
>          cpu-0                                     cpu-1
>          -----                                     -----
> ib_mad_recv_done()
>  ib_mad_complete_recv()
>   ib_process_rmpp_recv_wc()
>                                           unregister_mad_agent()
>                                            ib_cancel_rmpp_recvs()
>                                             cancel_delayed_work()
>    process_rmpp_data()
>     start_rmpp()
>      queue_delayed_work(rmpp_recv->cleanup_work)
>                                             destroy_rmpp_recv()
>                                              free_rmpp_recv()
> cleanup_work()[1]
>  spin_lock_irqsave(&rmpp_recv->agent->lock)->use after free
> 
> [1] cleanup_work() == recv_cleanup_handler
> 
> Fix it by waiting for the MAD agent reference count to become zero before
> calling ib_cancel_rmpp_recvs().
> 
> Fixes: 9a41e38a467c ("IB/mad: Use IDR for agent IDs")
> Signed-off-by: Shay Drory <shayd@xxxxxxxxxxxx>
> Reviewed-by: Maor Gottlieb <maorg@xxxxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> ---
>  drivers/infiniband/core/mad.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied to for-rc

thanks

Jason
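As an added illustration (not part of the patch or of the kernel source), the C model below replays the cpu-0/cpu-1 interleaving from the commit message with two threads; semaphores force that ordering, and `replay(true)` applies the fix of waiting for the agent reference count to reach zero before the cancel. All struct and function names are stand-ins for the kernel's, and nothing is really freed: a `live` flag records that destroy_rmpp_recv() has run.

```c
#include <pthread.h>
#include <semaphore.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
/* Constructed stand-ins for the kernel objects (not the real mad.c types).
 * "live" records whether destroy_rmpp_recv() has already run. */
struct rmpp_recv { atomic_int cleanup_queued; atomic_bool live; };
struct agent { atomic_int refcount; struct rmpp_recv recv; bool fixed; };
static sem_t s_recv_started, s_cpu0_go, s_queued;   /* force the interleaving from the report */

/* cpu-0: ib_mad_recv_done() holds an agent reference while it processes the MAD. */
static void *cpu0(void *arg) {
    struct agent *a = arg;
    atomic_fetch_add(&a->refcount, 1);
    sem_post(&s_recv_started);
    sem_wait(&s_cpu0_go);                          /* unregister_mad_agent() gets to run first */
    atomic_store(&a->recv.cleanup_queued, 1);      /* start_rmpp(): queue_delayed_work(cleanup_work) */
    sem_post(&s_queued);
    atomic_fetch_sub(&a->refcount, 1);             /* receive path drops its agent reference */
    return NULL;
}

/* cpu-1: unregister_mad_agent(); with the fix it first waits for refcount == 0. */
static void *cpu1(void *arg) {
    struct agent *a = arg;
    sem_wait(&s_recv_started);
    if (a->fixed) {
        sem_post(&s_cpu0_go);
        while (atomic_load(&a->refcount)) {}       /* the fix: wait for the reference to be dropped */
    }
    atomic_store(&a->recv.cleanup_queued, 0);      /* ib_cancel_rmpp_recvs(): cancel_delayed_work() */
    if (!a->fixed) { sem_post(&s_cpu0_go); sem_wait(&s_queued); }  /* buggy window: work queued after cancel */
    atomic_store(&a->recv.live, false);            /* destroy_rmpp_recv() -> free_rmpp_recv() */
    return NULL;
}

/* Returns true if recv_cleanup_handler would later run against a destroyed rmpp_recv. */
static bool replay(bool fixed) {
    struct agent a = { .recv = { .live = true }, .fixed = fixed }; pthread_t t0, t1;
    sem_init(&s_recv_started, 0, 0); sem_init(&s_cpu0_go, 0, 0); sem_init(&s_queued, 0, 0);
    pthread_create(&t0, NULL, cpu0, &a); pthread_create(&t1, NULL, cpu1, &a);
    pthread_join(t0, NULL); pthread_join(t1, NULL);
    sem_destroy(&s_recv_started); sem_destroy(&s_cpu0_go); sem_destroy(&s_queued);
    /* workqueue fires still-pending work; the handler takes rmpp_recv->agent->lock on freed memory */
    return atomic_exchange(&a.recv.cleanup_queued, 0) && !atomic_load(&a.recv.live);
}

int main(void) {
    printf("without fix: %s\nwith fix: %s\n", replay(false) ? "UAF" : "ok", replay(true) ? "UAF" : "ok");
}
```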