summaryrefslogtreecommitdiff
path: root/drivers/infiniband/sw
diff options
context:
space:
mode:
authorLeon Romanovsky <leonro@mellanox.com>2019-04-16 15:13:10 +0300
committerJason Gunthorpe <jgg@mellanox.com>2019-05-06 18:06:54 +0300
commit3a4ef2e2b5cf9a34bcc66c0d33f7eba180a14535 (patch)
tree78f5e39aff67d8d18ab430d69b20e281af673439 /drivers/infiniband/sw
parent943bd984b108b3bb778790c2da4ae8d186b547e6 (diff)
downloadlinux-3a4ef2e2b5cf9a34bcc66c0d33f7eba180a14535.tar.xz
RDMA/rdmavt: Catch use-after-free access of AH structures
Prior to commit d345691471b4 ("RDMA: Handle AH allocations by IB/core"), AH destroy path is rdmavt returned -EBUSY warning to application and caused to potential leakage of kernel memory of AH structure. After that commit, the AH structure is always freed but such early return in driver code can potentially cause to use-after-free error. Add warning to catch such situation to help driver developers to fix AH release path. Signed-off-by: Leon Romanovsky <leonro@mellanox.com> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Diffstat (limited to 'drivers/infiniband/sw')
-rw-r--r--drivers/infiniband/sw/rdmavt/ah.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/infiniband/sw/rdmavt/ah.c b/drivers/infiniband/sw/rdmavt/ah.c
index e6f7e4689d4d..0e147b32cbe9 100644
--- a/drivers/infiniband/sw/rdmavt/ah.c
+++ b/drivers/infiniband/sw/rdmavt/ah.c
@@ -141,8 +141,7 @@ void rvt_destroy_ah(struct ib_ah *ibah, u32 destroy_flags)
struct rvt_ah *ah = ibah_to_rvtah(ibah);
unsigned long flags;
- if (atomic_read(&ah->refcount) != 0)
- return;
+ WARN_ON_ONCE(atomic_read(&ah->refcount));
spin_lock_irqsave(&dev->n_ahs_lock, flags);
dev->n_ahs_allocated--;