Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2271420imm;
        Mon, 28 May 2018 05:09:24 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZp8Zk/g9rBSWZZVMIsSWpDibmSL9OjkPv7+VhaBjUZ2WjZZHEmDpA70VlOfdiBDR1fUuTPH
X-Received: by 2002:a63:6ec6:: with SMTP id j189-v6mr10203510pgc.71.1527509364418;
        Mon, 28 May 2018 05:09:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527509364; cv=none;
        d=google.com; s=arc-20160816;
        b=zlulDYFbU9pwkKyuD0JSjpWbFeknevq3dqP46NMIE1Ziywe6HY4IoctNbdH4ZuuoXs
         z+15xgEeNR9b4n8YlexKo2Yq5Bxlpq/17mM8nsymEugJ/hzIA4hYm+WNpbdNiV1igAGw
         203xaAXcpHumcdphnUoS7jSt8UxHf6PCLMBIOA9UGzBev8vRX4QjMJcJL2iOjYPCSwhq
         b1B/UhJdRe49kWLKYdhlI8KS1M3B2ubPy79N97FscDqvPnDNDWUjo9dCNmFrkeriwFSz
         5RkhAClX3ZyTyPkrBsKh+yzfpep8IJDkn7Ro9RyZIajdSlhUmGa2boBVJVj48Kg6ARb/
         r1vw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature
         :arc-authentication-results;
        bh=tg2vqyAgIeHlUFAPgs1ixkjhDNgGiIvQM90zoJvW3tw=;
        b=qiqf5vWgDumEA/UjKyVMjj28gbC2olE2ckLsFCEWjqenRUEjUwG00vP73vAph2u/pK
         WbzlMd2VcVuKvvVTbcyBNjrBW9/KVXCgptdIxZ9Qd3XXFgGJYZDvEMqLT1csM1v/KXE+
         XTdQeV7HyisSibfpWZ8a5mjYNUkgmDsedJf3PfQ89Hw12pgrWTx7e1Hwv9DAdTI3eYcH
         Z16izScWNPrY31/uAnUwN10srjSIX89cfhG3y/2hx1BRQGIW7SavLvgqniugT3OQ4u5T
         80vi+BDfqId+G/AmEVoklqjj1fvD4a/BLTk1gqYUWiyIgZjYpma4kp3xt05uGh4+6/0M
         U5LA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=lYuaKpGW;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w22-v6si29152026pll.599.2018.05.28.05.09.09;
        Mon, 28 May 2018 05:09:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=lYuaKpGW;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S938545AbeE1MIY (ORCPT
        <rfc822;ArcheFireLinuxKernelMain@gmail.com> + 99 others);
        Mon, 28 May 2018 08:08:24 -0400
Received: from mail.kernel.org ([198.145.29.99]:52154 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1423075AbeE1LFE (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 28 May 2018 07:05:04 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 8E804208A1;
        Mon, 28 May 2018 11:05:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1527505504;
        bh=HLjfFfNagHtoZ+BfmjOLCwypvfceZUHmbUSM/Gpb8AE=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=lYuaKpGWt3h41DjA36t3Psu3FwFYD1EIGVOKxTq5nUxRRl0J4+GV7MW6CU1lhJR78
         3OiBGyJ43piV2ztU8ezvcclBlJblrOHVe/hv9UZ57R2m++YmR1Qxl7biu8xYCteNtW
         0cetGSXBJMxFL2KHWZ5xcHUTd6e/J1MxynNOYZG4=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Mike Marciniszyn <mike.marciniszyn@intel.com>,
        Dennis Dalessandro <dennis.dalessandro@intel.com>,
        "Michael J. Ruhl" <michael.j.ruhl@intel.com>,
        Doug Ledford <dledford@redhat.com>
Subject: [PATCH 4.16 027/272] IB/hfi1: Use after free race condition in send context error path
Date:   Mon, 28 May 2018 12:01:00 +0200
Message-Id: <20180528100242.902607136@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100240.256525891@linuxfoundation.org>
References: <20180528100240.256525891@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael J. Ruhl <michael.j.ruhl@intel.com>

commit f9e76ca3771bf23d2142a81a88ddd8f31f5c4c03 upstream.

A pio send egress error can occur when the PSM library attempts to
to send a bad packet.  That issue is still being investigated.

The pio error interrupt handler then attempts to progress the recovery
of the errored pio send context.

Code inspection reveals that the handling lacks the necessary locking
if that recovery interleaves with a PSM close of the "context" object
contains the pio send context.

The lack of the locking can cause the recovery to access the already
freed pio send context object and incorrectly deduce that the pio
send context is actually a kernel pio send context as shown by the
NULL deref stack below:

[<ffffffff8143d78c>] _dev_info+0x6c/0x90
[<ffffffffc0613230>] sc_restart+0x70/0x1f0 [hfi1]
[<ffffffff816ab124>] ? __schedule+0x424/0x9b0
[<ffffffffc06133c5>] sc_halted+0x15/0x20 [hfi1]
[<ffffffff810aa3ba>] process_one_work+0x17a/0x440
[<ffffffff810ab086>] worker_thread+0x126/0x3c0
[<ffffffff810aaf60>] ? manage_workers.isra.24+0x2a0/0x2a0
[<ffffffff810b252f>] kthread+0xcf/0xe0
[<ffffffff810b2460>] ? insert_kthread_work+0x40/0x40
[<ffffffff816b8798>] ret_from_fork+0x58/0x90
[<ffffffff810b2460>] ? insert_kthread_work+0x40/0x40

This is the best case scenario and other scenarios can corrupt the
already freed memory.

Fix by adding the necessary locking in the pio send context error
handler.

Cc: <stable@vger.kernel.org> # 4.9.x
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/hfi1/chip.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/infiniband/hw/hfi1/chip.c
+++ b/drivers/infiniband/hw/hfi1/chip.c
@@ -5944,6 +5944,7 @@ static void is_sendctxt_err_int(struct h
 	u64 status;
 	u32 sw_index;
 	int i = 0;
+	unsigned long irq_flags;
 
 	sw_index = dd->hw_to_sw[hw_context];
 	if (sw_index >= dd->num_send_contexts) {
@@ -5953,10 +5954,12 @@ static void is_sendctxt_err_int(struct h
 		return;
 	}
 	sci = &dd->send_contexts[sw_index];
+	spin_lock_irqsave(&dd->sc_lock, irq_flags);
 	sc = sci->sc;
 	if (!sc) {
 		dd_dev_err(dd, "%s: context %u(%u): no sc?\n", __func__,
 			   sw_index, hw_context);
+		spin_unlock_irqrestore(&dd->sc_lock, irq_flags);
 		return;
 	}
 
@@ -5978,6 +5981,7 @@ static void is_sendctxt_err_int(struct h
 	 */
 	if (sc->type != SC_USER)
 		queue_work(dd->pport->hfi1_wq, &sc->halt_work);
+	spin_unlock_irqrestore(&dd->sc_lock, irq_flags);
 
 	/*
 	 * Update the counters for the corresponding status bits.