On Fri, Oct 16, 2020 at 12:01:48PM -0500, Bob Pearson wrote:
>
> +static struct ib_ah *get_ah_from_handle(struct rxe_qp *qp, u32 handle)
> +{
> + struct ib_uverbs_file *ufile;
> + struct uverbs_api *uapi;
> + const struct uverbs_api_object *type;
> + struct ib_uobject *uobj;
> +
> + ufile = qp->ibqp.uobject->uevent.uobject.ufile;
> + uapi = ufile->device->uapi;
> + type = uapi_get_object(uapi, UVERBS_OBJECT_AH);
> + if (IS_ERR(type))
> + return NULL;
> + uobj = rdma_lookup_get_uobject(type, ufile, (s64)handle,
> + UVERBS_LOOKUP_READ, NULL);
> + if (IS_ERR(uobj)) {
> + pr_warn("unable to lookup ah handle\n");
> + return NULL;
> + }
> +
> + rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_READ);
It can't be put and then return the data pointer, it is a use after free:
> + return uobj->object;
> @@ -562,11 +563,6 @@ static int init_send_wqe(struct rxe_qp *qp, const struct ib_send_wr *ibwr,
>
> init_send_wr(qp, &wqe->wr, ibwr);
>
> - if (qp_type(qp) == IB_QPT_UD ||
> - qp_type(qp) == IB_QPT_SMI ||
> - qp_type(qp) == IB_QPT_GSI)
> - memcpy(&wqe->av, &to_rah(ud_wr(ibwr)->ah)->av, sizeof(wqe->av));
It needs some kind of negotiated compat, can't just break userspace
like this
Jason
