linux/drivers/infiniband
Jason Gunthorpe f6a9d47ae6 RDMA/cma: Execute rdma_cm destruction from a handler properly
When a rdma_cm_id needs to be destroyed after a handler callback fails,
part of the destruction pattern is open coded into each call site.

Unfortunately the blind assignment to state discards important information
needed to do cma_cancel_operation(). This results in active operations
being left running after rdma_destroy_id() completes, and the
use-after-free bugs from KASAN.

Consolidate this entire pattern into destroy_id_handler_unlock() and
manage the locking correctly. The state should be set to
RDMA_CM_DESTROYING under the handler_lock to atomically ensure no further
handlers are called.

Link: https://lore.kernel.org/r/20200723070707.1771101-5-leon@kernel.org
Reported-by: syzbot+08092148130652a6faae@syzkaller.appspotmail.com
Reported-by: syzbot+a929647172775e335941@syzkaller.appspotmail.com
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2020-07-29 14:10:02 -03:00
core RDMA/cma: Execute rdma_cm destruction from a handler properly 2020-07-29 14:10:02 -03:00
hw RDMA/efa: Add EFA 0xefa1 PCI ID 2020-07-29 09:23:40 -03:00
sw RDMA/siw: Remove the query_pkey callback 2020-07-20 16:18:16 -03:00
ulp IB/srpt: use new shared CQ mechanism 2020-07-29 09:10:32 -03:00
Kconfig IB/uverbs: Enable CQ ioctl commands by default 2020-07-06 19:50:33 -03:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00