RDMA/rdmavt: Catch use-after-free access of AH structures

Prior to commit d3456914 ("RDMA: Handle AH allocations by IB/core"), AH destroy path is rdmavt returned -EBUSY warning to application and caused to potential leakage of kernel memory of AH structure. After that commit, the AH structure is always freed but such early return in driver code can potentially cause to use-after-free error. Add warning to catch such situation to help driver developers to fix AH release path. Signed-off-by: N Leon Romanovsky <leonro@mellanox.com> Signed-off-by: N Jason Gunthorpe <jgg@mellanox.com>

RDMA/rdmavt: Catch use-after-free access of AH structures
Prior to commit d3456914 ("RDMA: Handle AH allocations by IB/core"), AH destroy path is rdmavt returned -EBUSY warning to application and caused to potential leakage of kernel memory of AH structure. After that commit, the AH structure is always freed but such early return in driver code can potentially cause to use-after-free error. Add warning to catch such situation to help driver developers to fix AH release path. Signed-off-by: N Leon Romanovsky <leonro@mellanox.com> Signed-off-by: N Jason Gunthorpe <jgg@mellanox.com>
3a4ef2e2 · Leon Romanovsky · Jason Gunthorpe · 943bd984 · 3a4ef2e2
隐藏空白更改
内联并排

Showing with 1 addition and 2 deletion

drivers/infiniband/sw/rdmavt/ah.c drivers/infiniband/sw/rdmavt/ah.c +1 -2

未找到文件。
--- a/drivers/infiniband/sw/rdmavt/ah.c
+++ b/drivers/infiniband/sw/rdmavt/ah.c
@@ -141,8 +141,7 @@ void rvt_destroy_ah(struct ib_ah *ibah, u32 destroy_flags)
 	struct rvt_ah *ah = ibah_to_rvtah(ibah);
 	unsigned long flags;

-	if (atomic_read(&ah->refcount) != 0)
-		return;
+	WARN_ON_ONCE(atomic_read(&ah->refcount));

 	spin_lock_irqsave(&dev->n_ahs_lock, flags);
 	dev->n_ahs_allocated--;