Date: Mon, 12 Jul 2021 13:09:44 GMT From: Hans Petter Selasky <hselasky@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: c6ccb08686f3 - main - ibcore: Fix a use-after-free in ucma_resolve_ip(). Message-ID: <202107121309.16CD9i7U095178@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by hselasky: URL: https://cgit.FreeBSD.org/src/commit/?id=c6ccb08686f3b92c12778b4b903431b2ce71ec2c commit c6ccb08686f3b92c12778b4b903431b2ce71ec2c Author: Hans Petter Selasky <hselasky@FreeBSD.org> AuthorDate: 2021-06-16 13:01:47 +0000 Commit: Hans Petter Selasky <hselasky@FreeBSD.org> CommitDate: 2021-07-12 12:22:32 +0000 ibcore: Fix a use-after-free in ucma_resolve_ip(). There is a race condition between ucma_close() and ucma_resolve_ip(): CPU0 CPU1 ucma_resolve_ip(): ucma_close(): ctx = ucma_get_ctx(file, cmd.id); list_for_each_entry_safe(ctx, tmp, &file->ctx_list, list) { mutex_lock(&mut); idr_remove(&ctx_idr, ctx->id); mutex_unlock(&mut); ... mutex_lock(&mut); if (!ctx->closing) { mutex_unlock(&mut); rdma_destroy_id(ctx->cm_id); ... ucma_free_ctx(ctx); } ret = rdma_resolve_addr(); ucma_put_ctx(ctx); Before idr_remove(), ucma_get_ctx() could still find the ctx and after rdma_destroy_id(), rdma_resolve_addr() may still access id_priv pointer. Also, ucma_put_ctx() may use ctx after ucma_free_ctx() too. ucma_close() should call ucma_put_ctx() too which tests the refcnt and waits for the last one releasing it. The similar pattern is already used by ucma_destroy_id(). Linux commit: 5fe23f262e0548ca7f19fb79f89059a60d087d22 MFC after: 1 week Reviewed by: kib Sponsored by: Mellanox Technologies // NVIDIA Networking --- sys/ofed/drivers/infiniband/core/ib_ucma.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/ofed/drivers/infiniband/core/ib_ucma.c b/sys/ofed/drivers/infiniband/core/ib_ucma.c index 19e4a17836ee..878e4d348234 100644 --- a/sys/ofed/drivers/infiniband/core/ib_ucma.c +++ b/sys/ofed/drivers/infiniband/core/ib_ucma.c @@ -1705,6 +1705,8 @@ static int ucma_close(struct inode *inode, struct file *filp) mutex_lock(&mut); if (!ctx->closing) { mutex_unlock(&mut); + ucma_put_ctx(ctx); + wait_for_completion(&ctx->comp); /* rdma_destroy_id ensures that no event handlers are * inflight for that id before releasing it. */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202107121309.16CD9i7U095178>