linux/drivers/infiniband/core
Parav Pandit 5c5702e259 RDMA/core: Set right entry state before releasing reference
Currently add_modify_gid() for the IB link layer has the following issue
in the cache update path.

When GID update event occurs, core releases reference to the GID
table without updating its state and/or entry pointer.

CPU-0                              CPU-1
------                             -----
ib_cache_update()                    IPoIB ULP
   add_modify_gid()                   [..]
      put_gid_entry()
      refcnt = 0, but
      state = valid,
      entry is valid.
      (work item is not yet executed).
                                   ipoib_create_ah()
                                     rdma_create_ah()
                                        rdma_get_gid_attr() <--
                                        Tries to acquire gid_attr
                                        which has refcnt = 0.
                                        This is incorrect.

GID entry state and entry pointer provide the accurate GID entry
state. Such fields must be updated under the rwlock to protect against
readers, and such fields must be in a sane state before the refcount can drop
to zero. Otherwise the above race condition can happen, leading to a
use-after-free situation.

The following backtrace has been observed when a cache update for an IB port
is triggered while the IPoIB ULP is creating an AH.

Therefore, when updating a GID entry, first mark a valid entry as invalid
through its state and set the barrier so that no callers can acquire
the GID entry, followed by releasing the reference to it.

refcount_t: increment on 0; use-after-free.
WARNING: CPU: 4 PID: 29106 at lib/refcount.c:153 refcount_inc_checked+0x30/0x50
Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
RIP: 0010:refcount_inc_checked+0x30/0x50
RSP: 0018:ffff8802ad36f600 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000008 RDI: ffffffff86710100
RBP: ffff8802d6e60a30 R08: ffffed005d67bf8b R09: ffffed005d67bf8b
R10: 0000000000000001 R11: ffffed005d67bf8a R12: ffff88027620cee8
R13: ffff8802d6e60988 R14: ffff8802d6e60a78 R15: 0000000000000202
FS: 0000000000000000(0000) GS:ffff8802eb200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3ab35e5c88 CR3: 00000002ce84a000 CR4: 00000000000006e0
IPv6: ADDRCONF(NETDEV_CHANGE): ib1: link becomes ready
Call Trace:
rdma_get_gid_attr+0x220/0x310 [ib_core]
? lock_acquire+0x145/0x3a0
rdma_fill_sgid_attr+0x32c/0x470 [ib_core]
rdma_create_ah+0x89/0x160 [ib_core]
? rdma_fill_sgid_attr+0x470/0x470 [ib_core]
? ipoib_create_ah+0x52/0x260 [ib_ipoib]
ipoib_create_ah+0xf5/0x260 [ib_ipoib]
ipoib_mcast_join_complete+0xbbe/0x2540 [ib_ipoib]

Fixes: b150c3862d ("IB/core: Introduce GID entry reference counts")
Signed-off-by: Parav Pandit <parav@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>

Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2018-09-25 15:01:09 -06:00
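The ordering problem the commit message describes, as an added example that is not kernel code and not part of this commit: a single-threaded C model of a GID table entry with a refcount and a state, where a reader (standing in for rdma_get_gid_attr() called from ipoib_create_ah()) runs in the window between the two steps of the update path. The struct layout, the helper names (gid_update_race, reader_lookup, race_result) and the use of C11 atomics in place of the kernel's kref and table rwlock are assumptions made for illustration.

```c
/* Added example, not from the kernel: models the refcount/state race in
 * add_modify_gid() and the ordering the fix imposes. Names mirror ib_core
 * but all structures and helpers here are simplified assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

enum gid_state { GID_TABLE_ENTRY_INVALID = 0, GID_TABLE_ENTRY_VALID = 1 };

struct gid_entry {
	atomic_int refcnt;	/* stands in for the kref on the table entry */
	atomic_int state;	/* kernel writes this under table->rwlock (write) */
	bool freed;		/* last reference dropped, free work scheduled */
};

struct race_result {
	bool reader_got_ref;	/* reader walked away holding the entry */
	bool uaf_warning;	/* "refcount_t: increment on 0; use-after-free" */
	bool entry_freed;	/* entry was released by the update path */
};

/* kref_get() -> refcount_inc() semantics: a 0 -> 1 increment is refused
 * and warned about, but the caller is not told and keeps the pointer. */
static void get_gid_entry(struct gid_entry *e, struct race_result *r)
{
	int old = atomic_load(&e->refcnt);
	do {
		if (old == 0) {
			r->uaf_warning = true;
			return;
		}
	} while (!atomic_compare_exchange_weak(&e->refcnt, &old, old + 1));
}

static void put_gid_entry(struct gid_entry *e)
{
	if (atomic_fetch_sub(&e->refcnt, 1) == 1)
		e->freed = true;	/* kernel: schedule the free work item */
}

/* Reader side: under the table read lock an entry may only be acquired if
 * its state is VALID. The acquire load pairs with the release store in the
 * update path, which is the "barrier" the commit message refers to. */
static void reader_lookup(struct gid_entry *e, struct race_result *r)
{
	if (atomic_load_explicit(&e->state, memory_order_acquire) ==
	    GID_TABLE_ENTRY_VALID) {
		get_gid_entry(e, r);
		r->reader_got_ref = true;
	}
}

/* Update path. fixed == false drops the reference before invalidating the
 * state (the bug); fixed == true invalidates first, then drops it. The
 * reader is run between the two steps to stand in for the other CPU. */
struct race_result gid_update_race(bool fixed)
{
	struct gid_entry e = { .refcnt = 1, .state = GID_TABLE_ENTRY_VALID,
			       .freed = false };
	struct race_result r = { false, false, false };

	if (fixed) {
		/* kernel: write_lock_irq(&table->rwlock); ... unlock */
		atomic_store_explicit(&e.state, GID_TABLE_ENTRY_INVALID,
				      memory_order_release);
		reader_lookup(&e, &r);	/* sees INVALID, never touches refcnt */
		put_gid_entry(&e);
	} else {
		put_gid_entry(&e);	/* refcnt 0 while state is still VALID */
		reader_lookup(&e, &r);	/* increment on 0: use-after-free */
		atomic_store_explicit(&e.state, GID_TABLE_ENTRY_INVALID,
				      memory_order_release);
	}
	r.entry_freed = e.freed;
	return r;
}

int main(void)
{
	struct race_result bug = gid_update_race(false);
	struct race_result ok = gid_update_race(true);

	printf("buggy order: got_ref=%d uaf_warning=%d freed=%d\n",
	       bug.reader_got_ref, bug.uaf_warning, bug.entry_freed);
	printf("fixed order: got_ref=%d uaf_warning=%d freed=%d\n",
	       ok.reader_got_ref, ok.uaf_warning, ok.entry_freed);
	return 0;
}
```

With the buggy order the reader acquires an entry whose refcount is already zero and whose free has been scheduled, which is exactly the warning in the backtrace above; with the fixed order the reader observes INVALID under the lock and backs off, so the reference can be dropped safely afterwards.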
addr.c RDMA/core: Constify dst_addr argument 2018-07-30 20:49:04 -06:00
agent.c
agent.h
cache.c RDMA/core: Set right entry state before releasing reference 2018-09-25 15:01:09 -06:00
cgroup.c
cm_msgs.h IB/cm: Remove unused and erroneous msg sequence encoding 2018-07-09 11:39:28 -06:00
cm.c IB/core: Introduce and use sgid_attr in CM requests 2018-07-26 09:47:47 -06:00
cma_configfs.c IB/cma: use strlcpy() instead of strncpy() 2018-01-15 15:33:21 -07:00
cma_priv.h RDMA/cma: Move rdma_cm_state to cma_priv.h 2018-03-29 13:54:21 -06:00
cma.c RDMA/cma: Protect cma dev list with lock 2018-09-06 13:01:59 -06:00
core_priv.h IB/core: Change filter function return type from int to bool 2018-08-15 13:33:20 -06:00
cq.c RDMA/core: Reduce poll batch for direct cq polling 2018-03-06 20:08:39 -07:00
device.c RDMA/core: Remove {create,destroy}_ah from mandatory verbs 2018-07-30 20:31:09 -06:00
fmr_pool.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
iwcm.c RDMA/netlink: Fix general protection fault 2017-12-07 15:28:07 -05:00
iwcm.h
iwpm_msg.c RDMA/iwpm: Properly mark end of NL messages 2017-09-29 11:32:42 -04:00
iwpm_util.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
iwpm_util.h
mad_priv.h IB/mad: Use IDR for agent IDs 2018-06-18 11:22:54 -06:00
mad_rmpp.c
mad_rmpp.h
mad.c RDMA/core: Simplify ib_post_(send|recv|srq_recv)() calls 2018-07-24 16:06:36 -06:00
Makefile IB/uverbs: Remove struct uverbs_root_spec and all supporting code 2018-08-13 09:17:19 -06:00
mr_pool.c
multicast.c IB: Make ib_init_ah_from_mcmember set sgid_attr 2018-06-25 14:19:56 -06:00
netlink.c RDMA/netlink: Simplify code of autoload modules 2018-01-02 13:36:57 -07:00
nldev.c RDMA/nldev: Return port capability flag for IB only 2018-06-18 11:09:05 -06:00
opa_smi.h
packer.c
rdma_core.c IB/core: Release object lock if destroy failed 2018-09-04 15:07:55 -06:00
rdma_core.h IB/uverbs: Remove struct uverbs_root_spec and all supporting code 2018-08-13 09:17:19 -06:00
restrack.c RDMA/restrack: Change SPDX tag to properly reflect license 2018-06-05 14:04:20 -06:00
roce_gid_mgmt.c IB/core: Change filter function return type from int to bool 2018-08-15 13:33:20 -06:00
rw.c RDMA/core: Simplify ib_post_(send|recv|srq_recv)() calls 2018-07-24 16:06:36 -06:00
sa_query.c RDMA: Validate grh_required when handling AVs 2018-07-10 11:13:04 -06:00
sa.h
security.c IB/core: Use CONFIG_SECURITY_INFINIBAND to compile out security code 2018-05-01 11:16:36 -04:00
smi.c
smi.h
sysfs.c IB/core: Replace ib_query_gid with rdma_get_gid_attr 2018-06-18 11:09:05 -06:00
ucm.c IB/ucm: Fix compiling ucm.c 2018-08-13 20:04:37 -06:00
ucma.c ucma: fix a use-after-free in ucma_resolve_ip() 2018-09-13 13:04:13 -04:00
ud_header.c
umem_odp.c mm, oom: distinguish blockable mode for mmu notifiers 2018-08-22 10:52:44 -07:00
umem.c RDMA/umem: Refactor exit paths in ib_umem_get 2018-07-13 12:15:05 -06:00
user_mad.c IB: Make ib_init_ah_attr_from_wc set sgid_attr 2018-06-25 14:19:56 -06:00
uverbs_cmd.c RDMA/uverbs: Fix validity check for modify QP 2018-09-20 16:47:30 -06:00
uverbs_ioctl.c IB/uverbs: Do not check for device disassociation during ioctl 2018-08-13 09:17:19 -06:00
uverbs_main.c RDMA/uverbs: Atomically flush and mark closed the comp event queue 2018-09-12 15:43:15 -06:00
uverbs_marshall.c IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *' 2018-06-25 14:19:57 -06:00
uverbs_std_types_counters.c IB/uverbs: Use uverbs_alloc for allocations 2018-08-13 09:16:13 -06:00
uverbs_std_types_cq.c IB/uverbs: Do not pass struct ib_device to the ioctl methods 2018-08-01 14:55:48 -06:00
uverbs_std_types_dm.c IB/uverbs: Do not pass struct ib_device to the ioctl methods 2018-08-01 14:55:48 -06:00
uverbs_std_types_flow_action.c IB/uverbs: Do not pass struct ib_device to the ioctl methods 2018-08-01 14:55:48 -06:00
uverbs_std_types_mr.c IB/uverbs: Do not pass struct ib_device to the ioctl methods 2018-08-01 14:55:48 -06:00
uverbs_std_types.c IB/uverbs: Remove the ib_uverbs_attr pointer from each attr 2018-08-10 16:06:24 -06:00
uverbs_uapi.c IB/uverbs: Free uapi on destroy 2018-09-25 14:47:33 -06:00
uverbs.h IB/uverbs: Remove struct uverbs_root_spec and all supporting code 2018-08-13 09:17:19 -06:00
verbs.c Linux 4.18 2018-08-16 13:12:00 -06:00