From: Guoqing Jiang <guoqing.jiang@linux.dev>
To: "Zhijian Li (Fujitsu)" <lizhijian@fujitsu.com>,
"haris.iqbal@ionos.com" <haris.iqbal@ionos.com>,
"jinpu.wang@ionos.com" <jinpu.wang@ionos.com>,
"jgg@ziepe.ca" <jgg@ziepe.ca>,
"leon@kernel.org" <leon@kernel.org>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH for-next 3/3] RDMA/rtrs: Avoid use-after-free in rtrs_clt_rdma_cm_handler
Date: Wed, 12 Apr 2023 09:15:01 +0800 [thread overview]
Message-ID: <e22e7963-2077-45b8-97c8-8eef07862ef4@linux.dev> (raw)
In-Reply-To: <1e1c082c-0c94-6594-d02c-9f7fbab80b0b@fujitsu.com>
On 4/11/23 09:33, Zhijian Li (Fujitsu) wrote:
>
>>> diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
>>> index 4c8f42e46e2f..760a7eb51297 100644
>>> --- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
>>> +++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
>>> @@ -2074,6 +2074,7 @@ static int create_cm(struct rtrs_clt_con *con)
>>> rtrs_err(s, "Failed to resolve address, err: %d\n", err);
>>> goto destroy_cm;
>>> }
>>> +again:
>>> /*
>>> * Combine connection status and session events. This is needed
>>> * for waiting two possible cases: cm_err has something meaningful
>>> @@ -2083,10 +2084,15 @@ static int create_cm(struct rtrs_clt_con *con)
>>> clt_path->state_wq,
>>> con->cm_err || clt_path->state != RTRS_CLT_CONNECTING,
>>> msecs_to_jiffies(RTRS_CONNECT_TIMEOUT_MS));
>>> - if (err == 0 || err == -ERESTARTSYS) {
>>> - if (err == 0)
>>> - err = -ETIMEDOUT;
>>> - /* Timedout or interrupted */
>>> + if (err == -ERESTARTSYS) {
>>> + /* interrupted,
>>> + * try again to avoid the in-flight rtrs_clt_rdma_cm_handler()
>>> + * getting a use-after-free
>>> + */
>>> + goto again;
>>> + } else if (err == 0) {
>>> + err = -ETIMEDOUT;
>>> + /* Timedout */
>>> goto errr;
>>> }
>> Can event handler still be triggered in case of timeout?
> I have never hit such race.
But it is still possible with the theory.
>> And I guess either stop_cm -> rdma_disconnect or destroy_cm -> rdma_destroy_id
>> should prevent this kind of racy issue.
> In practice, they are possible that rtrs_clt_rdma_cm_handler() is in-flight during
> 'either stop_cm -> rdma_disconnect or destroy_cm -> rdma_destroy_id'. rtrs_clt_rdma_cm_handler() and
> cm's cleanup path need to hold mutex_lock(&con->con_mutex), once cm's cleanup path get this lock first
> rtrs_clt_rdma_cm_handler has to sleep, when rtrs_clt_rdma_cm_handler is wakeup again, some resources has been
> freed by cm's cleanup path.
First, stop_cm doesn't need to hold &con->con_mutex. But
rtrs_clt_rdma_cm_handler
is called from rdma core layer which need id_priv->handler_mutexinstead
of con_mutex
I thinnk. Also RTRS has similar behavior as nvme host rdma, ib_srp and
iser_verb.
@Jinpu/Haris, can we move destroy_cm right after stop_cm?*
*Thanks,
Guoqing
prev parent reply other threads:[~2023-04-12 1:15 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-10 6:43 [PATCH for-next 0/3] rtrs bugfix and cleanups Li Zhijian
2023-04-10 6:43 ` [PATCH for-next 1/3] RDMA/rtrs: Remove duplicate cq_num assignment Li Zhijian
2023-04-10 13:09 ` Guoqing Jiang
2023-04-19 10:37 ` Jinpu Wang
2023-04-10 6:43 ` [PATCH for-next 2/3] RDMA/rtrs: Fix rxe_dealloc_pd warning Li Zhijian
2023-04-10 12:08 ` Leon Romanovsky
2023-04-10 13:10 ` Guoqing Jiang
2023-04-11 2:43 ` Zhijian Li (Fujitsu)
2023-04-11 12:26 ` Leon Romanovsky
2023-04-12 1:15 ` Zhijian Li (Fujitsu)
2023-04-13 7:35 ` Guoqing Jiang
2023-04-13 8:12 ` Zhijian Li (Fujitsu)
2023-04-13 13:24 ` Leon Romanovsky
2023-04-14 15:58 ` Zhu Yanjun
2023-04-17 2:18 ` Zhijian Li (Fujitsu)
2023-04-17 18:04 ` Leon Romanovsky
2023-04-18 7:04 ` Zhijian Li (Fujitsu)
2023-04-18 7:57 ` Leon Romanovsky
2023-04-19 9:53 ` Zhijian Li (Fujitsu)
2023-04-19 13:20 ` Jinpu Wang
2023-04-20 2:00 ` Zhijian Li (Fujitsu)
2023-04-21 1:38 ` Zhijian Li (Fujitsu)
2023-04-21 6:49 ` Zhijian Li (Fujitsu)
2023-04-21 7:05 ` Jinpu Wang
2023-04-14 3:40 ` Guoqing Jiang
2023-04-14 4:25 ` Bob Pearson
2023-04-14 5:37 ` Zhijian Li (Fujitsu)
2023-04-14 6:03 ` Jinpu Wang
2023-04-14 6:47 ` Zhijian Li (Fujitsu)
2023-04-14 6:04 ` Guoqing Jiang
2023-04-14 10:09 ` Zhijian Li (Fujitsu)
2023-04-17 3:08 ` Guoqing Jiang
2023-04-18 6:47 ` Zhijian Li (Fujitsu)
2023-04-10 6:43 ` [PATCH for-next 3/3] RDMA/rtrs: Avoid use-after-free in rtrs_clt_rdma_cm_handler Li Zhijian
2023-04-10 12:10 ` Leon Romanovsky
2023-04-10 13:13 ` Guoqing Jiang
2023-04-11 1:33 ` Zhijian Li (Fujitsu)
2023-04-12 1:15 ` Guoqing Jiang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e22e7963-2077-45b8-97c8-8eef07862ef4@linux.dev \
--to=guoqing.jiang@linux.dev \
--cc=haris.iqbal@ionos.com \
--cc=jgg@ziepe.ca \
--cc=jinpu.wang@ionos.com \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=lizhijian@fujitsu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.