Skip to content

Commit

Permalink
RDMA/rdmavt: Catch use-after-free access of AH structures
Browse files Browse the repository at this point in the history 
Prior to commit d345691 ("RDMA: Handle AH allocations by IB/core"),
AH destroy path is rdmavt returned -EBUSY warning to application and
caused to potential leakage of kernel memory of AH structure.

After that commit, the AH structure is always freed but such early return
in driver code can potentially cause to use-after-free error.

Add warning to catch such situation to help driver developers to fix AH
release path.

Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
  • Loading branch information
Leon Romanovsky authored and Jason Gunthorpe committed May 6, 2019
1 parent 943bd98 commit 3a4ef2e
Showing 1 changed file with 1 addition and 2 deletions.
3 changes: 1 addition & 2 deletions drivers/infiniband/sw/rdmavt/ah.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -141,8 +141,7 @@ void rvt_destroy_ah(struct ib_ah *ibah, u32 destroy_flags)
struct rvt_ah *ah = ibah_to_rvtah(ibah);
unsigned long flags;

if (atomic_read(&ah->refcount) != 0)
return;
WARN_ON_ONCE(atomic_read(&ah->refcount));

spin_lock_irqsave(&dev->n_ahs_lock, flags);
dev->n_ahs_allocated--;
Expand Down

0 comments on commit 3a4ef2e

Please sign in to comment.