    IB/ipoib: Fix memory corruption in ipoib cm mode connect flow · 48ee2369
    Erez Shitrit authored
    BugLink: http://bugs.launchpad.net/bugs/1631468
    
    commit 546481c2 upstream.
    
    When a new CM connection is being requested, the ipoib driver copies data
    from the path pointer in the CM/tx object; the path object might be
    invalid at that point, and memory corruption will happen later when the
    CM driver tries to use that data.
    
    The following scenario demonstrates it:
    	neigh_add_path --> ipoib_cm_create_tx -->
    	queue_work (pointer to path is in the cm/tx struct)
    	#while the work is still in the queue,
    	#the port goes down and causes the ipoib_flush_paths:
    	ipoib_flush_paths --> path_free --> kfree(path)
    	#at this point the work scheduled starts.
    	ipoib_cm_tx_start --> copy from the (invalid)path pointer:
    	(memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);)
    	 -> memory corruption.
    
    To fix that, the driver now starts the CM/tx connection only if that
    specific path exists in the general paths database.
    This check is protected with the relevant locks and uses the gid from
    the neigh member in the CM/tx object, which is valid according to the ref
    count that was taken by the CM/tx.
    
    Fixes: 839fcaba ('IPoIB: Connected mode experimental support')
    Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
ipoib_cm.c 42.4 KB
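The race and the fix described in the commit message, replayed as an added user-space C model. This is not the ipoib driver's code: the path database, the `cm_tx` object that caches a path pointer plus a copy of the neighbour's gid, and the names `path_add`, `flush_paths`, `path_lookup_locked`, `cm_create_tx` and `cm_tx_start` are all constructed for this example. The work function never dereferences the cached pointer; it re-finds the path by gid under the list lock and copies `pathrec` from the entry it finds, so a path freed between `queue_work` and the work running only makes the connection attempt abort.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pthread.h>

/* Constructed model of the bug class in the commit message; not driver code. */
#define GID_LEN 16

struct path_rec { unsigned char dgid[GID_LEN]; unsigned int mtu; };

struct path {                        /* one entry in the "general paths database" */
    struct path_rec pathrec;
    struct path *next;
};

struct cm_tx {                       /* the queued CM/tx connection request */
    struct path *path;               /* cached at create time; may be stale when the work runs */
    unsigned char neigh_dgid[GID_LEN]; /* gid from the neigh, which the tx holds a ref on */
};

static struct path *path_list;       /* head of the database */
static pthread_mutex_t path_lock = PTHREAD_MUTEX_INITIALIZER;

static struct path *path_add(const unsigned char *gid, unsigned int mtu)
{
    struct path *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    memcpy(p->pathrec.dgid, gid, GID_LEN);
    p->pathrec.mtu = mtu;
    pthread_mutex_lock(&path_lock);
    p->next = path_list;
    path_list = p;
    pthread_mutex_unlock(&path_lock);
    return p;
}

/* Port-down handling: unlink every path under the lock, then free them.
 * Any cm_tx still pointing into this list now holds a dangling pointer. */
static void flush_paths(void)
{
    pthread_mutex_lock(&path_lock);
    struct path *p = path_list;
    path_list = NULL;
    pthread_mutex_unlock(&path_lock);
    while (p) { struct path *next = p->next; free(p); p = next; }
}

/* Caller must hold path_lock. */
static struct path *path_lookup_locked(const unsigned char *gid)
{
    for (struct path *p = path_list; p; p = p->next)
        if (memcmp(p->pathrec.dgid, gid, GID_LEN) == 0) return p;
    return NULL;
}

static struct cm_tx *cm_create_tx(struct path *p)
{
    struct cm_tx *tx = p ? calloc(1, sizeof *tx) : NULL;
    if (!tx) return NULL;
    tx->path = p;
    memcpy(tx->neigh_dgid, p->pathrec.dgid, GID_LEN);
    return tx;
}

/* Work function with the fix applied: validate the path through the database
 * by gid, under the lock, and copy pathrec from the entry found there. */
static int cm_tx_start(struct cm_tx *tx, struct path_rec *out)
{
    pthread_mutex_lock(&path_lock);
    struct path *p = path_lookup_locked(tx->neigh_dgid);
    if (!p) { pthread_mutex_unlock(&path_lock); return -1; } /* path gone: do not start */
    memcpy(out, &p->pathrec, sizeof *out);
    tx->path = p;                    /* refresh the cached pointer while it is known good */
    pthread_mutex_unlock(&path_lock);
    return 0;
}

/* Constructed test gid. */
static const unsigned char TEST_GID[GID_LEN] = { 0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 2, 0xc9, 3, 0, 0x12, 0x34, 0x56 };

/* Interleaving from the commit message: tx queued, port goes down and flushes
 * paths, then the work runs. Returns cm_tx_start's result (-1: aborted). */
int replay_flush_before_work(void)
{
    struct path_rec rec;
    struct cm_tx *tx = cm_create_tx(path_add(TEST_GID, 2048));
    if (!tx) return -1;
    flush_paths();
    int rc = cm_tx_start(tx, &rec);  /* reads only tx itself, never tx->path */
    free(tx);
    return rc;
}

/* Normal ordering: the work runs while the path is still in the database.
 * Returns the MTU copied from the database entry, or 0 on failure. */
unsigned int replay_normal_start(void)
{
    struct path_rec rec = { { 0 }, 0 };
    struct cm_tx *tx = cm_create_tx(path_add(TEST_GID, 2048));
    if (!tx) { flush_paths(); return 0; }
    unsigned int mtu = cm_tx_start(tx, &rec) == 0 ? rec.mtu : 0;
    free(tx);
    flush_paths();
    return mtu;
}

int main(void)
{
    printf("flush before work: rc=%d\n", replay_flush_before_work());
    printf("normal start: mtu=%u\n", replay_normal_start());
    return 0;
}
```

The point of the model is the lookup key: the tx keeps a copy of the gid, which it can trust because it holds a reference on the neigh, and uses it to re-derive the path under the same lock that `flush_paths` takes, instead of trusting a pointer captured before the work was queued.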