RDMA/rdmavt: Catch use-after-free access of AH structures

Prior to commit d345691471b4 ("RDMA: Handle AH allocations by IB/core"),
AH destroy path is rdmavt returned -EBUSY warning to application and
caused to potential leakage of kernel memory of AH structure.

After that commit, the AH structure is always freed but such early return
in driver code can potentially cause to use-after-free error.

Add warning to catch such situation to help driver developers to fix AH
release path.

Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>

diff --git a/drivers/infiniband/sw/rdmavt/ah.c b/drivers/infiniband/sw/rdmavt/ah.c
index e6f7e4689d4d68fd707d0e371f23388f21eff897..0e147b32cbe9f55a0210f527d9df28cdb998b256 100644 (file)
--- a/drivers/infiniband/sw/rdmavt/ah.c
+++ b/drivers/infiniband/sw/rdmavt/ah.c
@@ -141,8 +141,7 @@ void rvt_destroy_ah(struct ib_ah *ibah, u32 destroy_flags)
        struct rvt_ah *ah = ibah_to_rvtah(ibah);
        unsigned long flags;
 
-       if (atomic_read(&ah->refcount) != 0)
-               return;
+       WARN_ON_ONCE(atomic_read(&ah->refcount));
 
        spin_lock_irqsave(&dev->n_ahs_lock, flags);
        dev->n_ahs_allocated--;