From: Leon Romanovsky <leon@kernel.org>
To: Selvin Xavier <selvin.xavier@broadcom.com>
Cc: Mohammad Heib <mheib@redhat.com>,
linux-rdma@vger.kernel.org, kashyap.desai@broadcom.com
Subject: Re: [PATCH rdma] RDMA/bnxt_re: cmds completions handler avoid accessing invalid memeory
Date: Thu, 14 Nov 2024 13:45:21 +0200 [thread overview]
Message-ID: <20241114114521.GF499069@unreal> (raw)
In-Reply-To: <CA+sbYW1cp17tH-p8ffjtgBecyMP_fECmes9RN9Bj=bdNPD_W2g@mail.gmail.com>
On Thu, Nov 14, 2024 at 03:37:30PM +0530, Selvin Xavier wrote:
> On Thu, Nov 14, 2024 at 3:34 PM Leon Romanovsky <leon@kernel.org> wrote:
> >
> > On Tue, Nov 12, 2024 at 03:49:56PM +0200, Mohammad Heib wrote:
> > > If bnxt FW behaves unexpectedly because of FW bug or unexpected behavior it
> > > can send completions for old cookies that have already been handled by the
> > > bnxt driver. If that old cookie was associated with an old calling context
> > > the driver will try to access that caller memory again because the driver
> > > never clean the is_waiter_alive flag after the caller successfully complete
> > > waiting, and this access will cause the following kernel panic:
> > >
> > > Call Trace:
> > > <IRQ>
> > > ? __die+0x20/0x70
> > > ? page_fault_oops+0x75/0x170
> > > ? exc_page_fault+0xaa/0x140
> > > ? asm_exc_page_fault+0x22/0x30
> > > ? bnxt_qplib_process_qp_event.isra.0+0x20c/0x3a0 [bnxt_re]
> > > ? srso_return_thunk+0x5/0x5f
> > > ? __wake_up_common+0x78/0xa0
> > > ? srso_return_thunk+0x5/0x5f
> > > bnxt_qplib_service_creq+0x18d/0x250 [bnxt_re]
> > > tasklet_action_common+0xac/0x210
> > > handle_softirqs+0xd3/0x2b0
> > > __irq_exit_rcu+0x9b/0xc0
> > > common_interrupt+0x7f/0xa0
> > > </IRQ>
> > > <TASK>
> > >
> > > To avoid the above unexpected behavior clear the is_waiter_alive flag
> > > every time the caller finishes waiting for a completion.
> > >
> > > Fixes: 691eb7c6110f ("RDMA/bnxt_re: handle command completions after driver detect a timedout")
> > > Signed-off-by: Mohammad Heib <mheib@redhat.com>
> > > ---
> > > drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 16 ++++++++--------
> > > 1 file changed, 8 insertions(+), 8 deletions(-)
> >
> > Selvin?
> Someone is confirming the fix. Will ack in a day. Thanks
Thanks
next prev parent reply other threads:[~2024-11-14 11:45 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-12 13:49 [PATCH rdma] RDMA/bnxt_re: cmds completions handler avoid accessing invalid memeory Mohammad Heib
2024-11-14 10:04 ` Leon Romanovsky
2024-11-14 10:07 ` Selvin Xavier
2024-11-14 11:45 ` Leon Romanovsky [this message]
2024-11-16 8:03 ` Selvin Xavier
2024-11-22 13:24 ` Mohammad Heib
2024-11-22 13:45 ` Kashyap Desai
2024-11-25 7:22 ` Leon Romanovsky
2025-03-04 23:31 ` [PATCH] Fix bnxt_re crash in bnxt_qplib_process_qp_event Sherry Yang
2025-03-05 10:59 ` Kashyap Desai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241114114521.GF499069@unreal \
--to=leon@kernel.org \
--cc=kashyap.desai@broadcom.com \
--cc=linux-rdma@vger.kernel.org \
--cc=mheib@redhat.com \
--cc=selvin.xavier@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.