iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/drivers/infiniband/core
History
Jason Gunthorpe f6a9d47ae6 RDMA/cma: Execute rdma_cm destruction from a handler properly 
When a rdma_cm_id needs to be destroyed after a handler callback fails,
part of the destruction pattern is open coded into each call site.

Unfortunately the blind assignment to state discards important information
needed to do cma_cancel_operation(). This results in active operations
being left running after rdma_destroy_id() completes, and the
use-after-free bugs from KASAN.

Consolidate this entire pattern into destroy_id_handler_unlock() and
manage the locking correctly. The state should be set to
RDMA_CM_DESTROYING under the handler_lock to atomically ensure no futher
handlers are called.

Link: https://lore.kernel.org/r/20200723070707.1771101-5-leon@kernel.org
Reported-by: syzbot+08092148130652a6faae@syzkaller.appspotmail.com
Reported-by: syzbot+a929647172775e335941@syzkaller.appspotmail.com
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2020-07-29 14:10:02 -03:00
..
addr.c
RDMA/addr: Mark addr_resolve as might_sleep()
2020-05-12 21:32:52 -03:00
agent.c
RDMA: Mark if destroy address handle is in a sleepable context
2018-12-19 16:28:03 -07:00
agent.h
cache.c
RDMA/core: Allocate the pkey cache only if the pkey_tbl_len is set
2020-07-20 16:18:16 -03:00
cgroup.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288
2019-06-05 17:36:37 +02:00
cm_msgs.h
RDMA/cm: Remove CM message structs
2020-01-25 15:11:37 -04:00
cm.c
RDMA/cm: Spurious WARNING triggered in cm_destroy_id()
2020-06-03 15:48:18 -03:00
cma_configfs.c
IB/cma: Fix ports memory leak in cma_configfs
2020-05-22 15:37:19 -03:00
cma_priv.h
RDMA/ucma: Extend ucma_connect to receive ECE parameters
2020-05-27 16:05:05 -03:00
cma_trace.c
RDMA/cma: Add trace points in RDMA Connection Manager
2020-01-07 16:10:53 -04:00
cma_trace.h
RDMA/core: Move and rename trace_cm_id_create()
2020-06-02 20:32:54 -03:00
cma.c
RDMA/cma: Execute rdma_cm destruction from a handler properly
2020-07-29 14:10:02 -03:00
core_priv.h
RDMA/core: Introduce shared CQ pool API
2020-05-29 16:09:02 -03:00
counters.c
RDMA/counter: Allow manually bind QPs with different pids to same counter
2020-07-10 16:50:53 -03:00
cq.c
RDMA/core: Introduce shared CQ pool API
2020-05-29 16:09:02 -03:00
device.c
RDMA/core: Remove query_pkey from the mandatory ops
2020-07-20 16:18:16 -03:00
ib_core_uverbs.c
RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence
2020-01-25 14:48:33 -04:00
iwcm.c
RDMA/iwcm: Fix iwcm work deallocation
2020-03-04 14:28:25 -04:00
iwcm.h
iwpm_msg.c
RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb"
2019-08-27 13:09:23 -03:00
iwpm_util.c
RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb"
2019-08-27 13:09:23 -03:00
iwpm_util.h
infiniband: fix core/ipwm_util.h kernel-doc warnings
2019-10-22 14:45:31 -03:00
lag.c
RDMA/core: Consider flow label when building skb
2020-05-06 16:51:43 -03:00
mad_priv.h
IB/mad: Change atomics to refcount API
2020-06-24 16:43:45 -03:00
mad_rmpp.c
IB/mad: Delete RMPP_STATE_CANCELING state
2020-06-24 16:43:45 -03:00
mad_rmpp.h
mad.c
IB/mad: Change atomics to refcount API
2020-06-24 16:43:45 -03:00
Makefile
RDMA/core: Remove FMR pool API
2020-06-02 20:32:53 -03:00
mr_pool.c
Linux 5.2-rc6
2019-06-28 21:18:23 -03:00
multicast.c
RDMA: Allow ib_client's to fail when add() is called
2020-05-06 11:57:33 -03:00
netlink.c
IB/core: Avoid deadlock during netlink message handling
2019-10-24 20:49:37 -03:00
nldev.c
RDMA/counter: Add PID category support in auto mode
2020-07-10 16:50:53 -03:00
opa_smi.h
RDMA: Start use ib_device_ops
2018-12-12 07:40:16 -07:00
packer.c
rdma_core.c
RDMA 5.8 merge window pull request
2020-06-05 14:05:57 -07:00
rdma_core.h
IB/uverbs: Introduce create/destroy QP commands over ioctl
2020-05-21 20:39:36 -03:00
restrack.c
RDMA/restrack: Remove PID namespace support
2019-10-23 15:58:31 -03:00
restrack.h
RDMA/restrack: Remove PID namespace support
2019-10-23 15:58:31 -03:00
roce_gid_mgmt.c
drivers: use in_dev_for_each_ifa_rtnl/rcu
2019-06-02 18:06:26 -07:00
rw.c
RDMA/rw: use DIV_ROUND_UP to calculate nr_ops
2020-04-15 11:34:49 -03:00
sa_query.c
RDMA/core: Use sizeof_field() helper
2020-05-27 13:46:05 -03:00
sa.h
RDMA/core: Annotate timeout as unsigned long
2018-10-16 13:34:01 -04:00
security.c
RDMA/core: Ensure security pkey modify is not lost
2020-03-24 19:53:25 -03:00
smi.c
smi.h
RDMA: Start use ib_device_ops
2018-12-12 07:40:16 -07:00
sysfs.c
RDMA/core: Expose pkeys sysfs files only if pkey_tbl_len is set
2020-07-20 16:18:16 -03:00
trace.c
RDMA/core: Clean up tracepoint headers
2020-07-06 14:54:46 -03:00
ucma.c
RDMA/cma: Provide ECE reject reason
2020-05-27 16:05:05 -03:00
ud_header.c
RDMA/core: Use sizeof_field() helper
2020-05-27 13:46:05 -03:00
umem_odp.c
RDMA: Correct trivial kernel-doc inconsistencies
2020-06-22 11:57:39 -03:00
umem.c
RDMA/core: Add weak ordering dma attr to dma mapping
2020-02-13 13:38:02 -04:00
user_mad.c
RDMA: Allow ib_client's to fail when add() is called
2020-05-06 11:57:33 -03:00
uverbs_cmd.c
RDMA/uverbs: Silence shiftTooManyBitsSigned warning
2020-07-24 16:53:02 -03:00
uverbs_ioctl.c
RDMA/mlx5: Implement the query ucontext functionality
2020-07-06 19:50:33 -03:00
uverbs_main.c
RDMA/core: Align abort/commit object scheme for write() and ioctl() paths
2020-07-24 15:57:22 -03:00
uverbs_marshall.c
IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *'
2018-06-25 14:19:57 -06:00
uverbs_std_types_async_fd.c
RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj
2020-05-12 17:02:25 -03:00
uverbs_std_types_counters.c
RDMA/core: Create and destroy counters in the ib_core
2020-07-06 20:04:40 -03:00
uverbs_std_types_cq.c
IB/uverbs: Enable CQ ioctl commands by default
2020-07-06 19:50:33 -03:00
uverbs_std_types_device.c
RDMA/core: Align abort/commit object scheme for write() and ioctl() paths
2020-07-24 15:57:22 -03:00
uverbs_std_types_dm.c
IB: When attrs.udata/ufile is available use that instead of uobject
2019-04-08 13:05:25 -03:00
uverbs_std_types_flow_action.c
IB: When attrs.udata/ufile is available use that instead of uobject
2019-04-08 13:05:25 -03:00
uverbs_std_types_mr.c
RDMA/mlx5: Add missing srcu_read_lock in ODP implicit flow
2020-07-24 16:44:06 -03:00
uverbs_std_types_qp.c
IB/uverbs: Introduce create/destroy QP commands over ioctl
2020-05-21 20:39:36 -03:00
uverbs_std_types_srq.c
IB/uverbs: Introduce create/destroy SRQ commands over ioctl
2020-05-21 20:39:35 -03:00
uverbs_std_types_wq.c
IB/uverbs: Introduce create/destroy WQ commands over ioctl
2020-05-21 20:39:35 -03:00
uverbs_std_types.c
IB/uverbs: Introduce create/destroy QP commands over ioctl
2020-05-21 20:39:36 -03:00
uverbs_uapi.c
IB/uverbs: Introduce create/destroy QP commands over ioctl
2020-05-21 20:39:36 -03:00
uverbs.h
IB/uverbs: Extend CQ to get its own asynchronous event FD
2020-05-21 20:34:53 -03:00
verbs.c
RDMA/core: Fix return error value in _ib_modify_qp() to negative
2020-07-27 12:13:34 -03:00