Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp3009092imm;
        Sun, 1 Jul 2018 10:12:46 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKIobg3n1m2oRKbiXxi6nqTVx4F9glaSRuUVMZxLyEcXl32WTuixf9Z7K/Gvb+XL7/biDoP6
X-Received: by 2002:a17:902:e3:: with SMTP id a90-v6mr23196288pla.227.1530465166474;
        Sun, 01 Jul 2018 10:12:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1530465166; cv=none;
        d=google.com; s=arc-20160816;
        b=0MiRfUZv44Zr/X9Komz+WUv8+6OhpeiDFTLe0JWydkb8f5/jlR/BnIguUtZF7cAWGH
         vZ1Feg5dU60e+zP5m73oaGDIYORRSHfvLpERiFsg71UNrlbbudx4AWLXt1II52RBtv7n
         y2P6ya4QpEO09i/5DJum7XJw8u6iNem/eOyq3L1sRZWNB45SUNs4cGjxttl/P+0qG/Cy
         lkWFgUygKjQzj4OxvKNB2noPP0r75OkWGvuHurfHShppiQDUvVylrB78pqIKplXkkGde
         RDHeJNzSF2UngjQ5a+Qtjp20GW6+t+7SUDDL5Gpwb8MjwRL47aRPDXGQYR6bTDe41dms
         TMtg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=IFS1WouXlu8O5fUc6VYq2qIHqltVxBe51aU09iTVims=;
        b=NR6dElzX9+1ecpzI5+9xVcazaoqIrcFScgc+DyG4rEHkFwbg0z0kBRNfJ1KfrLTo8b
         TPSi6xmnUvSVNOA1zrSCGrRloNywz2Neqt2ymb3fE71SHaRk+nN9A52VVyqXP4X0IcI9
         5pSNgFXoeFjgpj7PLH1M/YhRPj4Q2fqs7tY0ouo6+U3Or5mTDnaZXh2X25ZVd96ANjUb
         1VsoqfPbNrVl8YzwG5mirOoofuwSo8SZFHQPGDtjvhv8lQFe6SYpYmGtxkCQ8H0FQP7M
         mCNmmBOjMAARAJYqE3CGIpyF3MRzDMXSYkEvv951clKDS+EishOEUCAEVyTcitagpQ79
         OhUA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u4-v6si10538102plz.354.2018.07.01.10.12.32;
        Sun, 01 Jul 2018 10:12:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1031985AbeGAQk5 (ORCPT <rfc822;deadfox.tw@gmail.com>
        + 99 others); Sun, 1 Jul 2018 12:40:57 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:37266 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1031568AbeGAQky (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 1 Jul 2018 12:40:54 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id D3309ACC;
        Sun,  1 Jul 2018 16:40:53 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Mark Bloch <markb@mellanox.com>,
        Jason Gunthorpe <jgg@mellanox.com>,
        Leon Romanovsky <leonro@mellanox.com>
Subject: [PATCH 4.17 095/220] IB/uverbs: Fix ordering of ucontext check in ib_uverbs_write
Date:   Sun,  1 Jul 2018 18:21:59 +0200
Message-Id: <20180701160912.380230391@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180701160908.272447118@linuxfoundation.org>
References: <20180701160908.272447118@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@mellanox.com>

commit 1eb9364ce81d9445ad6f9d44921a91d2a6597156 upstream.

During disassociation the ucontext will become NULL, however due to how
the SRCU locking works the ucontext must only be examined after looking
at the ib_dev, which governs the RCU control flow.

With the wrong ordering userspace will see EINVAL instead of EIO for a
disassociated uverbs FD, which breaks rdma-core.

Cc: stable@vger.kernel.org
Fixes: 491d5c6a3023 ("RDMA/uverbs: Move uncontext check before SRCU read lock")
Reported-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/uverbs_main.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -734,10 +734,6 @@ static ssize_t ib_uverbs_write(struct fi
 	if (ret)
 		return ret;
 
-	if (!file->ucontext &&
-	    (command != IB_USER_VERBS_CMD_GET_CONTEXT || extended))
-		return -EINVAL;
-
 	if (extended) {
 		if (count < (sizeof(hdr) + sizeof(ex_hdr)))
 			return -EINVAL;
@@ -757,6 +753,16 @@ static ssize_t ib_uverbs_write(struct fi
 		goto out;
 	}
 
+	/*
+	 * Must be after the ib_dev check, as once the RCU clears ib_dev ==
+	 * NULL means ucontext == NULL
+	 */
+	if (!file->ucontext &&
+	    (command != IB_USER_VERBS_CMD_GET_CONTEXT || extended)) {
+		ret = -EINVAL;
+		goto out;
+	}
+
 	if (!verify_command_mask(ib_dev, command, extended)) {
 		ret = -EOPNOTSUPP;
 		goto out;