Date: Wed, 13 May 2020 12:00:21 -0300
From: Jason Gunthorpe
To: Divya Indi
Cc: linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, Kaike Wan, Gerd Rausch, Håkon Bugge, Srinivas Eeda, Rama Nichanamatlu, Doug Ledford
Subject: Re: [PATCH 1/2] IB/sa: Resolving use-after-free in ib_nl_send_msg.
Message-ID: <20200513150021.GD29989@ziepe.ca>
References: <1588876487-5781-1-git-send-email-divya.indi@oracle.com> <1588876487-5781-2-git-send-email-divya.indi@oracle.com> <20200508000809.GM26002@ziepe.ca> <33fc99e2-e9fc-3c8c-e47f-41535f514c2d@oracle.com>
In-Reply-To: <33fc99e2-e9fc-3c8c-e47f-41535f514c2d@oracle.com>
List: linux-kernel@vger.kernel.org

On Mon, May 11, 2020 at 02:26:30PM -0700, Divya Indi wrote:
> >> @@ -1123,6 +1156,18 @@ int ib_nl_handle_resolve_resp(struct sk_buff *skb,
> >>
> >> send_buf = query->mad_buf;
> >>
> >> + /*
> >> + * Make sure the IB_SA_NL_QUERY_SENT flag is set before
> >> + * processing this query. If flag is not set, query can be accessed in
> >> + * another context while setting the flag and processing the query will
> >> + * eventually release it causing a possible use-after-free.
> >> + */
> >
> > This comment doesn't really make sense, flags inside the memory being
> > freed inherently can't prevent use after free.
>
> I can definitely re-phrase here to make things clearer. But the idea here is:
> in the unlikely/rare case where a response for a query comes in before the flag has been
> set in ib_nl_make_request, we want to wait for the flag to be set before proceeding.
> The response handler will eventually release the query, so this wait avoids that if the flag has not been set;
> otherwise
> "query->flags |= IB_SA_NL_QUERY_SENT;"
> will be accessing a query which was freed due to the above-mentioned race.
>
> It is unlikely, since getting a response => we have actually sent out the query to ibacm.
>
> How about this -
>
> "Getting a response is indicative of having sent out the query, but in an unlikely race when
> the response comes in before setting IB_SA_NL_QUERY_SENT, we need to wait till the flag is set to
> avoid accessing a query that has been released."

It still makes no sense: a flag that is set before freeing the memory is fundamentally useless to prevent races.

Jason
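Review bot: the comment added after `send_buf = query->mad_buf;` in ib_nl_handle_resolve_resp says that checking IB_SA_NL_QUERY_SENT before processing the query avoids a use-after-free, but the flag is stored in `query` itself, the very object whose release the comment worries about, so nothing in this hunk tells the reader what keeps `query` valid while the flag is read or written; the code that waits for or tests the flag is also not in the quoted part of the hunk. Suggest the comment name the lock or reference that guarantees `query` is still alive at this point, and reword "If flag is not set, query can be accessed in another context while setting the flag and processing the query will eventually release it", which is hard to parse as written.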
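The interleaving argued over above, as an added example that is not part of the thread, the patch, or the kernel tree: a deterministic user-space model in which a sender hands a request to a transport and then sets a "sent" flag, while the response path may run before that and release the object. Every name here (`struct query`, `make_request_flag_only`, `make_request_with_ref`, `response_handler`, `run_scenario`) is hypothetical and stands in for the ib_sa paths discussed; `freed` and `writes_after_free` are instrumentation that records what kfree() and a write to freed memory would do, so the program stays well defined. The reference-holding variant illustrates the general ownership rule that a flag inside the object cannot express; it is not a claim about what the merged fix does.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define IB_SA_NL_QUERY_SENT 0x1

/* Hypothetical per-request object. 'freed' and 'writes_after_free' exist
 * only for this example: they record the effect of kfree() and of a write
 * to freed memory instead of actually performing undefined behaviour. */
struct query {
    unsigned int flags;
    int refcount;
    bool freed;
    int writes_after_free;
};

static struct query *query_alloc(void)
{
    struct query *q = calloc(1, sizeof(*q));
    if (q)
        q->refcount = 1;
    return q;
}

static void query_get(struct query *q) { q->refcount++; }

static void query_put(struct query *q)
{
    if (--q->refcount == 0)
        q->freed = true;       /* real code: kfree(q) */
}

/* The sender's flag write. On a "freed" object it is recorded, not done;
 * in real code this is exactly the use-after-free. */
static void query_set_sent(struct query *q)
{
    if (q->freed)
        q->writes_after_free++;
    else
        q->flags |= IB_SA_NL_QUERY_SENT;
}

/* Stand-in for the response path: consumes the reference that travelled
 * with the request. It does not, and cannot, know the sender's state. */
static void response_handler(struct query *q) { query_put(q); }

/* Stand-in for the transport. respond_early models the interleaving in
 * which the response is processed before the sender runs again. */
static void send_request(struct query *q, bool respond_early)
{
    if (respond_early)
        response_handler(q);
}

/* Flag-only pattern: the sender's sole reference is the one the response
 * path drops, so the flag write after the send can land on freed memory. */
static int make_request_flag_only(struct query *q, bool respond_early)
{
    send_request(q, respond_early);
    query_set_sent(q);
    if (!respond_early)
        response_handler(q);   /* normal case: the response comes later */
    return q->writes_after_free;
}

/* Reference-holding pattern: the sender keeps its own reference for as
 * long as it touches q. Whenever the response path drops its reference,
 * the object is freed exactly once, and only after the flag write. */
static int make_request_with_ref(struct query *q, bool respond_early)
{
    query_get(q);              /* reference owned by transport/response */
    send_request(q, respond_early);
    query_set_sent(q);
    query_put(q);              /* the sender's original reference */
    if (!respond_early)
        response_handler(q);
    return q->writes_after_free;
}

/* Runs one interleaving; returns the count of writes to freed memory,
 * or -1 if the object was never released (a leak) or allocation failed. */
static int run_scenario(bool hold_ref, bool respond_early)
{
    struct query *q = query_alloc();
    int writes;

    if (!q)
        return -1;
    writes = hold_ref ? make_request_with_ref(q, respond_early)
                      : make_request_flag_only(q, respond_early);
    if (!q->freed)
        writes = -1;
    free(q);
    return writes;
}

int main(void)
{
    printf("flag only, early response: %d write(s) after free\n", run_scenario(false, true));
    printf("flag only, late response:  %d write(s) after free\n", run_scenario(false, false));
    printf("held ref,  early response: %d write(s) after free\n", run_scenario(true, true));
    printf("held ref,  late response:  %d write(s) after free\n", run_scenario(true, false));
    return 0;
}
```

The flag-only path only misbehaves in the early-response interleaving, which is why such races look "unlikely" in testing; the reference-holding path behaves identically in both orderings because lifetime is decided by the count, not by a value stored in the object whose lifetime is in question.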