From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Steve Wise <swise@opengridcomputing.com>,
Jason Gunthorpe <jgg@mellanox.com>
Subject: [PATCH 4.4 28/28] iw_cxgb4: only allow 1 flush on user qps
Date: Thu, 27 Sep 2018 11:06:52 +0200
Message-ID: <20180927090638.843710822@linuxfoundation.org>
In-Reply-To: <20180927090637.687829444@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve Wise <swise@opengridcomputing.com>
commit 308aa2b8f7b7db3332a7d41099fd37851fb793b2 upstream.
Once the qp has been flushed, it cannot be flushed again. The user qp
flush logic wasn't enforcing it however. The bug can cause
touch-after-free crashes like:
Unable to handle kernel paging request for data at address 0x000001ec
Faulting instruction address: 0xc008000016069100
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4]
LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
Call Trace:
[c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
[c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4]
[c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core]
[c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core]
[c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm]
[c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm]
[c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm]
[c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm]
[c000000000444da4] __fput+0xe4/0x2f0
So fix flush_qp() to only flush the wq once.
Cc: stable@vger.kernel.org
Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/cxgb4/qp.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/infiniband/hw/cxgb4/qp.c
+++ b/drivers/infiniband/hw/cxgb4/qp.c
@@ -1183,6 +1183,12 @@ static void flush_qp(struct c4iw_qp *qhp
t4_set_wq_in_error(&qhp->wq);
if (qhp->ibqp.uobject) {
+
+ /* for user qps, qhp->wq.flushed is protected by qhp->mutex */
+ if (qhp->wq.flushed)
+ return;
+
+ qhp->wq.flushed = 1;
t4_set_cq_in_error(&rchp->cq);
spin_lock_irqsave(&rchp->comp_handler_lock, flag);
(*rchp->ibcq.comp_handler)(&rchp->ibcq, rchp->ibcq.cq_context);
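Review bot: the new early return on `qhp->wq.flushed` relies on the comment's claim that the flag is protected by qhp->mutex, but nothing in this hunk shows the mutex being held on the way into flush_qp(); consider adding `lockdep_assert_held(&qhp->mutex);` directly before `if (qhp->wq.flushed)` so a caller that reaches the user-QP path without the mutex trips lockdep instead of silently racing two flushes. Setting `qhp->wq.flushed = 1` before `t4_set_cq_in_error(&rchp->cq)` and the comp_handler call is the right order, since it closes the window in which a second flush could re-enter the CQ path; `t4_set_wq_in_error(&qhp->wq)` still runs on every call ahead of the guard, which is harmless because it only sets a flag. Minor style point: the blank line inserted immediately after `if (qhp->ibqp.uobject) {` is unusual kernel style and could be dropped.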
Thread overview (34+ messages):
2018-09-27 9:06 [PATCH 4.4 00/28] 4.4.159-stable review Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 01/28] NFC: Fix possible memory corruption when handling SHDLC I-Frame commands Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 02/28] NFC: Fix the number of pipes Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 03/28] ASoC: cs4265: fix MMTLR Data switch control Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 04/28] ALSA: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 05/28] ALSA: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 06/28] platform/x86: alienware-wmi: Correct a memory leak Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 07/28] xen/netfront: dont bug in case of too many frags Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 08/28] xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 09/28] ring-buffer: Allow for rescheduling when removing pages Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 10/28] mm: shmem.c: Correctly annotate new inodes for lockdep Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 11/28] gso_segment: Reset skb->mac_len after modifying network header Greg Kroah-Hartman
2018-09-27 9:06 ` Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 12/28] ipv6: fix possible use-after-free in ip6_xmit() Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 13/28] net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 14/28] net: hp100: fix always-true check for link up state Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 15/28] neighbour: confirm neigh entries when ARP packet is received Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 16/28] scsi: target: iscsi: Use hex2bin instead of a re-implementation Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 17/28] ocfs2: fix ocfs2 read block panic Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 18/28] drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect() Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 19/28] tty: vt_ioctl: fix potential Spectre v1 Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 20/28] ext4: avoid divide by zero fault when deleting corrupted inline directories Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 21/28] ext4: recalucate superblock checksum after updating free blocks/inodes Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 22/28] ext4: fix online resizes handling of a too-small final block group Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 23/28] ext4: fix online resizing for bigalloc file systems with a 1k block size Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 24/28] ext4: dont mark mmp buffer head dirty Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 25/28] arm64: Add trace_hardirqs_off annotation in ret_to_user Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 26/28] HID: sony: Update device ids Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 27/28] HID: sony: Support DS4 dongle Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 28/28] iw_cxgb4: only allow 1 flush on user qps Greg Kroah-Hartman [this message]
2018-09-27 18:58 ` [PATCH 4.4 00/28] 4.4.159-stable review Nathan Chancellor
2018-09-27 19:47 ` Rafael David Tinoco
2018-09-27 20:19 ` Shuah Khan
2018-09-27 23:05 ` Guenter Roeck