From: Dust Li <dust.li@linux.alibaba.com>
To: Wen Gu <guwen@linux.alibaba.com>,
	wenjia@linux.ibm.com, jaka@linux.ibm.com, davem@davemloft.net,
	edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: alibuda@linux.alibaba.com, tonylu@linux.alibaba.com,
	ubraun@linux.ibm.com, linux-s390@vger.kernel.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net v2] net/smc: fix illegal rmb_desc access in SMC-D connection dump
Date: Thu, 18 Jan 2024 17:11:09 +0800
Message-ID: <20240118091109.GD89692@linux.alibaba.com>
In-Reply-To: <20240118043210.47618-1-guwen@linux.alibaba.com>

On Thu, Jan 18, 2024 at 12:32:10PM +0800, Wen Gu wrote:
>A crash was found when dumping SMC-D connections. It can be reproduced
>by the following steps:
>
>- run nginx/wrk test:
>  smc_run nginx
>  smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>
>
>- continuously dump SMC-D connections in parallel:
>  watch -n 1 'smcss -D'
>
> BUG: kernel NULL pointer dereference, address: 0000000000000030
> CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G	E      6.7.0+ #55
> RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
> Call Trace:
>  <TASK>
>  ? __die+0x24/0x70
>  ? page_fault_oops+0x66/0x150
>  ? exc_page_fault+0x69/0x140
>  ? asm_exc_page_fault+0x26/0x30
>  ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
>  ? __kmalloc_node_track_caller+0x35d/0x430
>  ? __alloc_skb+0x77/0x170
>  smc_diag_dump_proto+0xd0/0xf0 [smc_diag]
>  smc_diag_dump+0x26/0x60 [smc_diag]
>  netlink_dump+0x19f/0x320
>  __netlink_dump_start+0x1dc/0x300
>  smc_diag_handler_dump+0x6a/0x80 [smc_diag]
>  ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]
>  sock_diag_rcv_msg+0x121/0x140
>  ? __pfx_sock_diag_rcv_msg+0x10/0x10
>  netlink_rcv_skb+0x5a/0x110
>  sock_diag_rcv+0x28/0x40
>  netlink_unicast+0x22a/0x330
>  netlink_sendmsg+0x1f8/0x420
>  __sock_sendmsg+0xb0/0xc0
>  ____sys_sendmsg+0x24e/0x300
>  ? copy_msghdr_from_user+0x62/0x80
>  ___sys_sendmsg+0x7c/0xd0
>  ? __do_fault+0x34/0x160
>  ? do_read_fault+0x5f/0x100
>  ? do_fault+0xb0/0x110
>  ? __handle_mm_fault+0x2b0/0x6c0
>  __sys_sendmsg+0x4d/0x80
>  do_syscall_64+0x69/0x180
>  entry_SYSCALL_64_after_hwframe+0x6e/0x76
>
>It is possible that the connection is in process of being established
>when we dump it. Assume that the connection has been registered in a
>link group by smc_conn_create() but the rmb_desc has not yet been
>initialized by smc_buf_create(), thus causing the illegal access to
>conn->rmb_desc. So fix it by checking before dump.
>
>Fixes: 4b1b7d3b30a6 ("net/smc: add SMC-D diag support")
>Signed-off-by: Wen Gu <guwen@linux.alibaba.com>

Reviewed-by: Dust Li <dust.li@linux.alibaba.com>

Best regards,
Dust

>---
>v2->v1: corrected the commit in the Fixes tag.
>(https://lore.kernel.org/netdev/20240117122749.63785-1-guwen@linux.alibaba.com/)
>
> net/smc/smc_diag.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/net/smc/smc_diag.c b/net/smc/smc_diag.c
>index 52f7c4f1e767..5a33908015f3 100644
>--- a/net/smc/smc_diag.c
>+++ b/net/smc/smc_diag.c
>@@ -164,7 +164,7 @@ static int __smc_diag_dump(struct sock *sk, struct sk_buff *skb,
> 	}
> 	if (smc_conn_lgr_valid(&smc->conn) && smc->conn.lgr->is_smcd &&
> 	    (req->diag_ext & (1 << (SMC_DIAG_DMBINFO - 1))) &&
>-	    !list_empty(&smc->conn.lgr->list)) {
>+	    !list_empty(&smc->conn.lgr->list) && smc->conn.rmb_desc) {
> 		struct smc_connection *conn = &smc->conn;
> 		struct smcd_diag_dmbinfo dinfo;
> 		struct smcd_dev *smcd = conn->lgr->smcd;
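Review bot: the added `&& smc->conn.rmb_desc` test closes the NULL window the commit message describes, but nothing in the hunk orders that read against the assignment performed in smc_buf_create(), and the block that follows goes on to dereference the pointer to fill `dinfo`; a one-line comment above the condition stating that rmb_desc may still be NULL while the connection is being established, and why a plain read is sufficient here (or a READ_ONCE() if it is not), would make the intent durable for the next reader.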
>-- 
>2.32.0.3.g01195cf9f
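The window the commit message describes, as an added user-space model (not kernel code and not part of the patch): the connection is first registered in a link group and only later gets its DMB descriptor, so a dump that runs in between must skip it. The struct and function names (`model_conn_create`, `model_buf_create`, `model_diag_dump_dmbinfo`) are assumed for illustration; the guard mirrors the condition in the patch, and the release/acquire pair goes beyond the patch to show the ordering a lock-free reader would need.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for smcd buffer descriptor and link group. */
struct dmb_desc { size_t len; int sba_idx; };
struct link_group { bool is_smcd; bool on_list; };

struct connection {
	struct link_group *lgr;              /* set at registration time */
	_Atomic(struct dmb_desc *) rmb_desc; /* set later, may be NULL meanwhile */
};

/* Stage 1 of establishment: register in a link group; rmb_desc stays NULL. */
static void model_conn_create(struct connection *c, struct link_group *lgr)
{
	c->lgr = lgr;
	atomic_store_explicit(&c->rmb_desc, NULL, memory_order_relaxed);
}

/* Stage 2: publish the DMB with release semantics so a dumper that sees the
 * pointer also sees the fields it points to. */
static void model_buf_create(struct connection *c, struct dmb_desc *d)
{
	atomic_store_explicit(&c->rmb_desc, d, memory_order_release);
}

struct dmbinfo { size_t len; int sba_idx; };

/* Dump path with the guard from the patch. Returns 1 when DMB info was
 * emitted, 0 when the connection was skipped (including the half-built state
 * that crashed before the fix). */
static int model_diag_dump_dmbinfo(const struct connection *c, bool want_dmb,
				   struct dmbinfo *out)
{
	struct dmb_desc *d;

	if (!c->lgr || !c->lgr->is_smcd || !want_dmb || !c->lgr->on_list)
		return 0;
	d = atomic_load_explicit(&c->rmb_desc, memory_order_acquire);
	if (!d)
		return 0; /* still being established: nothing safe to report */
	out->len = d->len;
	out->sba_idx = d->sba_idx;
	return 1;
}

/* Walk the lifecycle once, dumping at each stage; returns the number of
 * stages at which DMB info was emitted and records each result in seen[]. */
static int model_lifecycle(int seen[3])
{
	struct link_group lgr = { .is_smcd = true, .on_list = true };
	struct dmb_desc dmb = { .len = 16384, .sba_idx = 3 };
	struct connection c = { .lgr = NULL };
	struct dmbinfo info = { 0 };

	seen[0] = model_diag_dump_dmbinfo(&c, true, &info); /* not registered */
	model_conn_create(&c, &lgr);
	seen[1] = model_diag_dump_dmbinfo(&c, true, &info); /* registered, no DMB */
	model_buf_create(&c, &dmb);
	seen[2] = model_diag_dump_dmbinfo(&c, true, &info); /* fully established */
	return seen[0] + seen[1] + seen[2];
}
```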

Thread overview:
2024-01-18  4:32 [PATCH net v2] net/smc: fix illegal rmb_desc access in SMC-D connection dump Wen Gu
2024-01-18  9:11 ` Dust Li [this message]
2024-01-18 13:44 ` Wenjia Zhang
2024-01-19 12:10 ` patchwork-bot+netdevbpf