linux-uconsole/drivers
Shay Drory c5bf9f88f9 IB/mad: Fix use after free when destroying MAD agent
commit 116a1b9f1c upstream.

Currently, when RMPP MADs are processed while the MAD agent is destroyed,
it could result in use after free of rmpp_recv, as described below:

	cpu-0						cpu-1
	-----						-----
ib_mad_recv_done()
 ib_mad_complete_recv()
  ib_process_rmpp_recv_wc()
						unregister_mad_agent()
						 ib_cancel_rmpp_recvs()
						  cancel_delayed_work()
   process_rmpp_data()
    start_rmpp()
     queue_delayed_work(rmpp_recv->cleanup_work)
						  destroy_rmpp_recv()
						   free_rmpp_recv()
     cleanup_work()[1]
      spin_lock_irqsave(&rmpp_recv->agent->lock) <-- use after free

[1] cleanup_work() == recv_cleanup_handler

Fix it by waiting for the MAD agent reference count to become zero before
calling ib_cancel_rmpp_recvs().

Fixes: 9a41e38a46 ("IB/mad: Use IDR for agent IDs")
Link: https://lore.kernel.org/r/20200621104738.54850-2-leon@kernel.org
Signed-off-by: Shay Drory <shayd@mellanox.com>
Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-30 23:17:09 -04:00
..
accessibility
acpi ACPI: GED: use correct trigger type field in _Exx / _Lxx handling 2020-06-22 09:05:09 +02:00
amba
android binder: take read mode of mmap_sem in binder_alloc_free_page() 2020-05-02 17:25:48 +02:00
ata libata: Use per port sync for detach 2020-06-25 15:33:06 +02:00
atm fore200e: Fix incorrect checks of NULL pointer dereference 2020-02-24 08:34:42 +01:00
auxdisplay
base drivers: base: Fix NULL pointer exception in __platform_driver_probe() if a driver developer is foolish 2020-06-25 15:32:55 +02:00
bcma bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA 2020-01-27 14:51:09 +01:00
block loop: replace kill_bdev with invalidate_bdev 2020-06-30 23:17:09 -04:00
bluetooth Bluetooth: hci_bcm: fix freeing not-requested IRQ 2020-06-22 09:05:26 +02:00
bus bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads 2020-04-17 10:48:37 +02:00
cdrom
char ipmi: use vzalloc instead of kmalloc for user creation 2020-06-25 15:32:57 +02:00
clk clk: sprd: return correct type of value for _sprd_pll_recalc_rate 2020-06-25 15:33:00 +02:00
clocksource clocksource: dw_apb_timer_of: Fix missing clockevent timers 2020-06-22 09:05:11 +02:00
connector
cpufreq cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode once 2020-05-20 08:18:40 +02:00
cpuidle cpuidle: Fix three reference count leaks 2020-06-22 09:05:20 +02:00
crypto crypto: omap-sham - add proper load balancing support for multicore 2020-06-25 15:33:02 +02:00
dax
dca
devfreq Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs" 2020-03-05 16:42:18 +01:00
dio
dma PCI: Move Rohm Vendor ID to generic list 2020-06-22 09:05:23 +02:00
dma-buf
edac EDAC/amd64: Add Family 17h Model 30h PCI IDs 2020-06-30 23:17:01 -04:00
eisa
extcon extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' 2020-06-25 15:33:01 +02:00
firewire
firmware firmware: qcom_scm: fix bogous abuse of dma-direct internals 2020-06-25 15:32:53 +02:00
fmc
fpga fpga: dfl: afu: Corrected error handling levels 2020-06-25 15:32:58 +02:00
fsi fsi: sbefifo: Don't fail operations when in SBE IPL state 2020-01-27 14:51:00 +01:00
gnss gnss: sirf: fix error return code in sirf_probe() 2020-06-22 09:05:28 +02:00
gpio gpio: dwapb: Append MODULE_ALIAS for platform driver 2020-06-25 15:32:53 +02:00
gpu drm/i915/icl+: Fix hotplug interrupt disabling after storm detection 2020-06-25 15:33:09 +02:00
hid HID: Add quirks for Trust Panora Graphic Tablet 2020-06-25 15:32:56 +02:00
hsi
hv x86/Hyper-V: Report crash data in die() when panic_on_oops is set 2020-04-23 10:30:17 +02:00
hwmon hwmon/k10temp, x86/amd_nb: Consolidate shared device IDs 2020-06-22 09:05:23 +02:00
hwspinlock
hwtracing intel_th: pci: Add Elkhart Lake CPU support 2020-03-25 08:06:11 +01:00
i2c i2c: tegra: Fix Maximum transfer size 2020-06-30 23:17:02 -04:00
ide ide: serverworks: potential overflow in svwks_set_pio_mode() 2020-02-24 08:34:49 +01:00
idle
iio iio: bmp280: fix compensation of humidity 2020-06-25 15:32:49 +02:00
infiniband IB/mad: Fix use after free when destroying MAD agent 2020-06-30 23:17:09 -04:00
input Input: synaptics - add a second working PNP_ID for Lenovo T470s 2020-06-22 09:05:00 +02:00
iommu iommu: Fix reference count leak in iommu_group_alloc. 2020-06-03 08:19:41 +02:00
ipack ipack: tpci200: fix error return code in tpci200_register() 2020-05-27 17:37:43 +02:00
irqchip irqchip/mbigen: Free msi_desc on device teardown 2020-04-23 10:30:13 +02:00
isdn PCI: add USR vendor id and use it in r8169 and w6692 driver 2020-06-22 09:05:23 +02:00
leds leds: pca963x: Fix open-drain initialization 2020-02-24 08:34:35 +01:00
lightnvm lightnvm: pblk: fix lock order in pblk_rb_tear_down_check 2020-01-27 14:50:45 +01:00
macintosh drivers/macintosh: Fix memleak in windfarm_pm112 driver 2020-06-22 09:05:29 +02:00
mailbox mailbox: qcom-apcs: fix max_register value 2020-01-27 14:51:14 +01:00
mcb
md md: add feature flag MD_FEATURE_RAID0_LAYOUT 2020-06-25 15:33:10 +02:00
media media: ov5640: fix use of destroyed mutex 2020-06-22 09:05:27 +02:00
memory memory: tegra: Don't invoke Tegra30+ specific memory timing setup on Tegra20 2020-01-27 14:50:13 +01:00
memstick
message scsi: mptfusion: Fix double fetch bug in ioctl 2020-01-23 08:21:28 +01:00
mfd mfd: wm8994: Fix driver operation if loaded as modules 2020-06-25 15:32:50 +02:00
misc PCI: Add Synopsys endpoint EDDA Device ID 2020-06-22 09:05:24 +02:00
mmc mmc: sdhci-esdhc-imx: fix the mask for tuning start point 2020-06-22 09:05:20 +02:00
mtd mtd: rawnand: marvell: Fix the condition on a return code 2020-06-30 23:17:00 -04:00
mux
net net: phy: Check harder for errors in get_phy_id() 2020-06-30 23:17:06 -04:00
nfc NFC: st21nfca: add missed kfree_skb() in an error path 2020-06-10 21:34:59 +02:00
ntb NTB: perf: Fix race condition when run with ntb_test 2020-06-25 15:33:03 +02:00
nubus
nvdimm libnvdimm: Fix endian conversion issues 2020-06-07 13:17:53 +02:00
nvme nvme: refine the Qemu Identify CNS quirk 2020-06-22 09:05:16 +02:00
nvmem nvmem: qfprom: remove incorrect write support 2020-06-10 21:35:00 +02:00
of of: Fix a refcounting bug in __of_attach_node_sysfs() 2020-06-25 15:33:00 +02:00
opp OPP: Fix missing debugfs supply directory for OPPs 2020-01-27 14:50:04 +01:00
oprofile
parisc
parport
pci PCI: dwc: Fix inner MSI IRQ domain registration 2020-06-25 15:32:58 +02:00
pcmcia
perf drivers/perf: hisi: Fix wrong value for all counters enable 2020-06-25 15:33:04 +02:00
phy phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval 2020-03-11 14:15:10 +01:00
pinctrl pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()' 2020-06-25 15:33:01 +02:00
platform platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 / "Laptop" chasis-type 2020-06-22 09:05:20 +02:00
pnp
power power: supply: smb347-charger: IRQSTAT_D is volatile 2020-06-25 15:32:55 +02:00
powercap
pps
ps3
ptp ptp: free ptp device pin descriptors properly 2020-01-23 08:21:35 +01:00
pwm pwm: img: Call pm_runtime_put() in pm_runtime_get_sync() failed case 2020-06-25 15:32:51 +02:00
rapidio rapidio: fix an error in get_user_pages_fast() error handling 2020-05-27 17:37:43 +02:00
ras
regulator regulator: rk808: Lower log level on optional GPIOs being not available 2020-02-24 08:34:40 +01:00
remoteproc remoteproc: Fix IDR initialisation in rproc_alloc() 2020-06-25 15:32:47 +02:00
reset reset: uniphier: Add SCSSI reset control for each channel 2020-02-24 08:34:44 +01:00
rpmsg rpmsg: glink: Remove chunk size word align warning 2020-04-13 10:45:16 +02:00
rtc rtc: 88pm860x: fix possible race condition 2020-04-23 10:30:18 +02:00
s390 scsi: zfcp: Fix panic on ERP timeout for previously dismissed ERP action 2020-06-30 23:17:08 -04:00
sbus
scsi scsi: acornscsi: Fix an error handling path in acornscsi_probe() 2020-06-25 15:33:05 +02:00
sfi
sh
siox
slimbus slimbus: ngd: get drvdata from correct device 2020-06-25 15:32:54 +02:00
sn
soc soc: imx: gpc: fix power up sequencing 2020-04-23 10:30:17 +02:00
soundwire
spi PCI: Move Rohm Vendor ID to generic list 2020-06-22 09:05:23 +02:00
spmi
ssb
staging mtd: rawnand: Pass a nand_chip object to nand_scan() 2020-06-25 15:33:07 +02:00
target scsi: target: tcmu: Fix a use after free in tcmu_check_expired_queue_cmd() 2020-06-25 15:32:59 +02:00
tc
tee tee: optee: Fix compilation issue with nommu 2020-02-05 14:43:50 +00:00
thermal thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR 2020-06-25 15:32:54 +02:00
thunderbolt thunderbolt: Drop duplicated get_switch_at_route() 2020-05-27 17:37:40 +02:00
tty tty: n_gsm: Fix bogus i++ in gsm_data_kick 2020-06-25 15:32:57 +02:00
uio uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol() 2020-02-24 08:34:37 +01:00
usb cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip 2020-06-30 23:17:09 -04:00
uwb
vfio vfio/mdev: Fix reference count leak in add_mdev_supported_type 2020-06-25 15:33:01 +02:00
vhost vhost/vsock: fix packet delivery order to monitoring devices 2020-05-27 17:37:32 +02:00
video backlight: lp855x: Ensure regulators are disabled on probe failure 2020-06-25 15:32:48 +02:00
virt
virtio virtio_balloon: prevent pfn array overflow 2020-02-24 08:34:54 +01:00
visorbus visorbus: fix uninitialized variable access 2020-02-24 08:34:47 +01:00
vlynq
vme vme: bridges: reduce stack usage 2020-02-24 08:34:47 +01:00
w1 w1: omap-hdq: cleanup to add missing newline for some dev_dbg 2020-06-22 09:05:30 +02:00
watchdog watchdog: da9062: No need to ping manually before setting timeout 2020-06-25 15:32:58 +02:00
xen xen/pvcalls-back: test for errors when calling backend_connect() 2020-06-22 09:05:09 +02:00
zorro
Kconfig
Makefile