Patch "IB/mad: Fix use after free when destroying MAD agent" has been added to the 4.19-stable tree

This is a note to let you know that I've just added the patch titled

    IB/mad: Fix use after free when destroying MAD agent

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a0a00dc6afcd7429de3b9d8d8b67a01a28d21ec1
Author: Shay Drory <shayd@xxxxxxxxxxxx>
Date:   Sun Jun 21 13:47:35 2020 +0300

    IB/mad: Fix use after free when destroying MAD agent
    
    [ Upstream commit 116a1b9f1cb769b83e5adff323f977a62b1dcb2e ]
    
    Currently, when RMPP MADs are processed while the MAD agent is destroyed,
    it could result in use after free of rmpp_recv, as described below:
    
            cpu-0                                           cpu-1
            -----                                           -----
    ib_mad_recv_done()
     ib_mad_complete_recv()
      ib_process_rmpp_recv_wc()
                                                    unregister_mad_agent()
                                                     ib_cancel_rmpp_recvs()
                                                      cancel_delayed_work()
       process_rmpp_data()
        start_rmpp()
         queue_delayed_work(rmpp_recv->cleanup_work)
                                                      destroy_rmpp_recv()
                                                       free_rmpp_recv()
         cleanup_work()[1]
          spin_lock_irqsave(&rmpp_recv->agent->lock) <-- use after free
    
    [1] cleanup_work() == recv_cleanup_handler
    
    Fix it by waiting for the MAD agent reference count to become zero before
    calling ib_cancel_rmpp_recvs().
    
    Fixes: 9a41e38a467c ("IB/mad: Use IDR for agent IDs")
    Link: https://lore.kernel.org/r/20200621104738.54850-2-leon@xxxxxxxxxx
    Signed-off-by: Shay Drory <shayd@xxxxxxxxxxxx>
    Reviewed-by: Maor Gottlieb <maorg@xxxxxxxxxxxx>
    Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
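The interleaving in the commit message, replayed as a single-threaded model. This is an added example and not code from the kernel or from the patch: the kernel function names are used only as labels for the steps in the trace, the refcount, completion and delayed work are plain fields, and the rmpp_recv is never really freed (a "freed" flag stands in for free_rmpp_recv() so the model can observe the dangling access instead of crashing). The `fixed` flag selects the ordering before or after the patch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum teardown_result { TEARDOWN_SAFE = 0, TEARDOWN_USE_AFTER_FREE = 1 };

/* Stand-in for struct ib_mad_agent_private: only what the race touches. */
struct mad_agent {
    int refcount;       /* dropped by deref_mad_agent(); completion fires at zero */
    bool completed;     /* models mad_agent_priv->comp */
    int lock_taken;     /* models spin_lock_irqsave(&agent->lock) */
};

/* Stand-in for struct mad_rmpp_recv; "freed" replaces a real kfree(). */
struct rmpp_recv {
    struct mad_agent *agent;
    bool freed;
};

struct sim {
    struct mad_agent agent;
    struct rmpp_recv recv;          /* the rmpp_recv the receive path is building */
    struct rmpp_recv *pending_work; /* delayed work that recv_cleanup_handler() runs on */
    bool cpu0_started;              /* cpu-0 is inside ib_mad_recv_done() */
    bool cpu0_done;                 /* cpu-0 has left ib_mad_recv_done() */
};

static void deref_mad_agent(struct mad_agent *agent)
{
    if (--agent->refcount == 0)
        agent->completed = true;    /* complete(&mad_agent_priv->comp) */
}

/* cpu-0, first half: ib_mad_recv_done() holds an agent reference while it
 * hands the MAD to ib_process_rmpp_recv_wc(). */
static void cpu0_recv_done_begin(struct sim *s)
{
    s->agent.refcount++;
    s->cpu0_started = true;
}

/* cpu-0, second half: start_rmpp() queues rmpp_recv->cleanup_work, then
 * ib_mad_complete_recv() drops the reference. */
static void cpu0_recv_done_finish(struct sim *s)
{
    s->pending_work = &s->recv;     /* queue_delayed_work(rmpp_recv->cleanup_work) */
    deref_mad_agent(&s->agent);
    s->cpu0_done = true;
}

/* Scheduling point: if cpu-0 is mid-way through the receive path, let it run. */
static void let_cpu0_run(struct sim *s)
{
    if (s->cpu0_started && !s->cpu0_done)
        cpu0_recv_done_finish(s);
}

/* cpu-1: ib_cancel_rmpp_recvs().  The trace shows cpu-0 queueing the work
 * between cancel_delayed_work() and destroy_rmpp_recv(); model that here. */
static void ib_cancel_rmpp_recvs(struct sim *s)
{
    s->pending_work = NULL;         /* cancel_delayed_work(&rmpp_recv->cleanup_work) */
    let_cpu0_run(s);                /* preemption point from the commit message */
    s->recv.freed = true;           /* destroy_rmpp_recv() -> free_rmpp_recv() */
}

/* cpu-1: wait_for_completion() blocks until the last reference is gone,
 * which in the model means letting cpu-0 finish. */
static void wait_for_completion(struct sim *s)
{
    if (!s->agent.completed)
        let_cpu0_run(s);
}

/* cpu-1: the part of unregister_mad_agent() the patch reorders. */
static void unregister_mad_agent(struct sim *s, bool fixed)
{
    if (!fixed)
        ib_cancel_rmpp_recvs(s);    /* old: cancel while cpu-0 may still hold a ref */
    deref_mad_agent(&s->agent);     /* drop the registration's own reference */
    wait_for_completion(s);
    if (fixed)
        ib_cancel_rmpp_recvs(s);    /* new: cancel once nobody can queue new work */
}

/* The delayed work (recv_cleanup_handler) finally runs. */
static enum teardown_result recv_cleanup_handler(struct sim *s)
{
    struct rmpp_recv *rmpp_recv = s->pending_work;

    if (!rmpp_recv)
        return TEARDOWN_SAFE;       /* work was cancelled, nothing to do */
    if (rmpp_recv->freed)
        return TEARDOWN_USE_AFTER_FREE; /* spin_lock_irqsave(&rmpp_recv->agent->lock) on freed memory */
    rmpp_recv->agent->lock_taken++;
    return TEARDOWN_SAFE;
}

/* Replay the commit message's interleaving with either ordering. */
enum teardown_result simulate_teardown_race(bool fixed)
{
    struct sim s;

    memset(&s, 0, sizeof(s));
    s.recv.agent = &s.agent;
    s.agent.refcount = 1;           /* reference owned by the registration */

    cpu0_recv_done_begin(&s);       /* an RMPP MAD is being processed on cpu-0 ... */
    unregister_mad_agent(&s, fixed);/* ... while cpu-1 tears the agent down */
    let_cpu0_run(&s);               /* cpu-0 finishes if it has not already */
    return recv_cleanup_handler(&s);/* the delayed work fires last */
}

int main(void)
{
    printf("old order: %s\n", simulate_teardown_race(false) ? "use after free" : "safe");
    printf("new order: %s\n", simulate_teardown_race(true) ? "use after free" : "safe");
    return 0;
}
```

The model shows why the order matters rather than the cancel itself: in the old order cancel_delayed_work() runs while the receiver still holds a reference, so the receiver can queue cleanup_work afterwards and the handler later dereferences the freed rmpp_recv; in the new order wait_for_completion() guarantees no receiver is left to queue anything before the cancel and free happen.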

diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index fd0a2fd8bfdf7..a36b3b4f5c0a2 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -615,10 +615,10 @@ static void unregister_mad_agent(struct ib_mad_agent_private *mad_agent_priv)
 	idr_unlock(&ib_mad_clients);
 
 	flush_workqueue(port_priv->wq);
-	ib_cancel_rmpp_recvs(mad_agent_priv);
 
 	deref_mad_agent(mad_agent_priv);
 	wait_for_completion(&mad_agent_priv->comp);
+	ib_cancel_rmpp_recvs(mad_agent_priv);
 
 	ib_mad_agent_security_cleanup(&mad_agent_priv->agent);
 
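Review bot: the moved ib_cancel_rmpp_recvs() call needs a comment explaining why it must stay below wait_for_completion(), since its correctness rests on an invariant the hunk cannot show: every path that can queue rmpp_recv->cleanup_work must hold an agent reference until queue_delayed_work() has returned, otherwise a late queue can still slip past the cancel. Something like `/* only after the last agent reference is dropped: a receiver holding a ref may still queue cleanup_work */` above the `+` line would stop a future tidy-up from moving it back next to flush_workqueue(), where it looked natural before. It is also worth stating in that comment that ib_cancel_rmpp_recvs() now dereferences mad_agent_priv after its completion has fired, which is fine only because this function keeps the agent alive through the ib_mad_agent_security_cleanup() that follows.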
