* [PATCHv4 1/1] RDMA/rxe: Fix qp error handler
@ 2022-07-31  6:36 yanjun.zhu
From: yanjun.zhu @ 2022-07-31  6:36 UTC (permalink / raw)
  To: jgg, leon, linux-rdma, yanjun.zhu; +Cc: syzbot+833061116fa28df97f3b

From: Zhu Yanjun <yanjun.zhu@linux.dev>

This problem is in this link:
news://nntp.lore.kernel.org:119/0000000000006ed46805dfaded18@google.com

this is an error unwind problem.

In the function rxe_create_qp, rxe_qp_from_init is called to initialize qp.
rxe_qp_init_req is called by rxe_qp_from_init. If an error occurs before
spin_lock_init in rxe_qp_init_req, several spin locks are not initialized.
Then rxe_create_qp finally calls rxe_cleanup(qp) to handle errors.

In the end, rxe_qp_do_cleanup is called. In this function, rxe_cleanup_task
will call spin_lock_bh. But task->state_lock is not initialized.

As such, an uninitialized spin lock is called by spin_lock_bh.

rxe_create_qp {
        ...
        err = rxe_qp_from_init(rxe, qp, pd, init, uresp, ibqp->pd, udata);
        if (err)
                goto qp_init;
        ...
        return 0;

qp_init:
        rxe_cleanup(qp);
        return err;
}

rxe_qp_do_cleanup {
  ...
  rxe_cleanup_task {
    ...
    spin_lock_bh(&task->state_lock);
    ...
  }
}

rxe_qp_from_init {
...
        rxe_qp_init_misc(rxe, qp, init);

        err = rxe_qp_init_req{
                ...
                spin_lock_init(&qp->sq.sq_lock);
                ...
                rxe_init_task{
                  ...
                  spin_lock_init(&task->state_lock);
                  ...
                }
              }
        if (err)
                goto err1;

        err = rxe_qp_init_resp {
                ...
                spin_lock_init(&qp->rq.producer_lock);
                spin_lock_init(&qp->rq.consumer_lock);
                ...
                rxe_init_task {
                  ...
                  spin_lock_init(&task->state_lock);
                  ...
                }
              }

        if (err)
                goto err2;
...
        return 0;

err2:
        ...
err1:
        ...
        return err;
}

About seven spin locks are set up during qp creation and must be initialized
before any of them can be taken. They are now all initialized in
rxe_qp_init_misc(), which runs before any failing step, so the error unwind
never reaches spin_lock_bh() on an uninitialized lock ("initialize spin locks
before use").

Fixes: 8700e3e7c485 ("Soft RoCE driver")
Reported-by: syzbot+833061116fa28df97f3b@syzkaller.appspotmail.com
Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
---
 drivers/infiniband/sw/rxe/rxe_qp.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
index b79e1b43454e..7a223583cf8b 100644
--- a/drivers/infiniband/sw/rxe/rxe_qp.c
+++ b/drivers/infiniband/sw/rxe/rxe_qp.c
@@ -174,6 +174,14 @@ static void rxe_qp_init_misc(struct rxe_dev *rxe, struct rxe_qp *qp,
 
 	spin_lock_init(&qp->state_lock);
 
+	spin_lock_init(&qp->req.task.state_lock);
+	spin_lock_init(&qp->resp.task.state_lock);
+	spin_lock_init(&qp->comp.task.state_lock);
+
+	spin_lock_init(&qp->sq.sq_lock);
+	spin_lock_init(&qp->rq.producer_lock);
+	spin_lock_init(&qp->rq.consumer_lock);
+
 	atomic_set(&qp->ssn, 0);
 	atomic_set(&qp->skb_out, 0);
 }
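Review bot: Each task's state_lock is now initialized twice — here in rxe_qp_init_misc() and again inside rxe_init_task(), which per the patch description (`rxe_init_task{ ... spin_lock_init(&task->state_lock); ... }`) still performs its own spin_lock_init(). A repeated spin_lock_init() on a lock nobody holds is harmless today, but it re-initializes the lock state (and its debug/lockdep bookkeeping when that is enabled), so code that takes task.state_lock between the two calls would be silently reset; rxe_init_task lives in a file this patch does not touch, so either drop the redundant init there in a follow-up or document here why the early init is the authoritative one. I would add above the new block: `/* Init every qp lock before anything can fail: rxe_create_qp() unwinds via rxe_cleanup() -> rxe_qp_do_cleanup() -> rxe_cleanup_task(), which takes task.state_lock even on a partially built qp (syzbot+833061116fa28df97f3b). */`. The fix also relies on rxe_qp_init_misc() being the first thing rxe_qp_from_init() does, which is only inferred from the description here; if a later refactor moves a fallible call ahead of it the original bug returns, so that ordering deserves a comment at the call site as well.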
@@ -233,7 +241,6 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp,
 	qp->req.opcode		= -1;
 	qp->comp.opcode		= -1;
 
-	spin_lock_init(&qp->sq.sq_lock);
 	skb_queue_head_init(&qp->req_pkts);
 
 	rxe_init_task(rxe, &qp->req.task, qp,
@@ -284,9 +291,6 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp,
 		}
 	}
 
-	spin_lock_init(&qp->rq.producer_lock);
-	spin_lock_init(&qp->rq.consumer_lock);
-
 	skb_queue_head_init(&qp->resp_pkts);
 
 	rxe_init_task(rxe, &qp->resp.task, qp,
-- 
2.27.0



* Re: [PATCHv4 1/1] RDMA/rxe: Fix qp error handler
@ 2022-08-02 17:33 ` Jason Gunthorpe
From: Jason Gunthorpe @ 2022-08-02 17:33 UTC (permalink / raw)
  To: yanjun.zhu; +Cc: leon, linux-rdma, syzbot+833061116fa28df97f3b

On Sun, Jul 31, 2022 at 02:36:21AM -0400, yanjun.zhu@linux.dev wrote:
> From: Zhu Yanjun <yanjun.zhu@linux.dev>
> 
> This problem is in this link:
> news://nntp.lore.kernel.org:119/0000000000006ed46805dfaded18@google.com
> 
> this is an error unwind problem.
> 
> In the function rxe_create_qp, rxe_qp_from_init is called to initialize qp.
> rxe_qp_init_req is called by rxe_qp_from_init. If an error occurs before
> spin_lock_init in rxe_qp_init_req, several spin locks are not initialized.
> Then rxe_create_qp finally calls rxe_cleanup(qp) to handle errors.
> 
> In the end, rxe_qp_do_cleanup is called. In this function, rxe_cleanup_task
> will call spin_lock_bh. But task->state_lock is not initialized.
> 
> As such, an uninitialized spin lock is called by spin_lock_bh.
> 
> rxe_create_qp {
>         ...
>         err = rxe_qp_from_init(rxe, qp, pd, init, uresp, ibqp->pd, udata);
>         if (err)
>                 goto qp_init;
>         ...
>         return 0;
> 
> qp_init:
>         rxe_cleanup(qp);
>         return err;
> }
> 
> rxe_qp_do_cleanup {
>   ...
>   rxe_cleanup_task {
>     ...
>     spin_lock_bh(&task->state_lock);
>     ...
>   }
> }
> 
> rxe_qp_from_init {
> ...
>         rxe_qp_init_misc(rxe, qp, init);
> 
>         err = rxe_qp_init_req{
>                 ...
>                 spin_lock_init(&qp->sq.sq_lock);
>                 ...
>                 rxe_init_task{
>                   ...
>                   spin_lock_init(&task->state_lock);
>                   ...
>                 }
>               }
>         if (err)
>                 goto err1;
> 
>         err = rxe_qp_init_resp {
>                 ...
>                 spin_lock_init(&qp->rq.producer_lock);
>                 spin_lock_init(&qp->rq.consumer_lock);
>                 ...
>                 rxe_init_task {
>                   ...
>                   spin_lock_init(&task->state_lock);
>                   ...
>                 }
>               }
> 
>         if (err)
>                 goto err2;
> ...
>         return 0;
> 
> err2:
>         ...
> err1:
>         ...
>         return err;
> }
> 
> About 7 spin locks in qp creation needs to be initialized. Now these
> spin locks are initialized in the function rxe_qp_init_misc. This
> will avoid the error "initialize spin locks before use".
> 
> Fixes: 8700e3e7c485 ("Soft RoCE driver")
> Reported-by: syzbot+833061116fa28df97f3b@syzkaller.appspotmail.com
> Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
> ---
>  drivers/infiniband/sw/rxe/rxe_qp.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)

Applied to for-next, thanks

Jason

