From: Bart Van Assche <bart.vanassche-Sjgp3cTcYWE@public.gmane.org>
To: Jason Gunthorpe <jgg-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Bart Van Assche <bart.vanassche-Sjgp3cTcYWE@public.gmane.org>
Subject: [PATCH 10/28] IB/srpt: Rework srpt_disconnect_ch_sync()
Date: Wed, 3 Jan 2018 13:39:20 -0800 [thread overview]
Message-ID: <20180103213938.11664-11-bart.vanassche@wdc.com> (raw)
In-Reply-To: <20180103213938.11664-1-bart.vanassche-Sjgp3cTcYWE@public.gmane.org>
This patch fixes a use-after-free issue for ch->release_done when
running the SRP protocol on top of the rdma_rxe driver.
Signed-off-by: Bart Van Assche <bart.vanassche-Sjgp3cTcYWE@public.gmane.org>
---
drivers/infiniband/ulp/srpt/ib_srpt.c | 40 +++++++++++++++++++++--------------
drivers/infiniband/ulp/srpt/ib_srpt.h | 2 --
2 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
index d7143cf6a882..943fec0d0548 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1787,6 +1787,24 @@ static int srpt_disconnect_ch(struct srpt_rdma_ch *ch)
return ret;
}
+static bool srpt_ch_closed(struct srpt_device *sdev, struct srpt_rdma_ch *ch)
+{
+ struct srpt_rdma_ch *ch2;
+ bool res = true;
+
+ rcu_read_lock();
+ list_for_each_entry(ch2, &sdev->rch_list, list) {
+ if (ch2 == ch) {
+ res = false;
+ goto done;
+ }
+ }
+done:
+ rcu_read_unlock();
+
+ return res;
+}
+
/*
* Send DREQ and wait for DREP. Return true if and only if this function
* changed the state of @ch.
@@ -1794,31 +1812,24 @@ static int srpt_disconnect_ch(struct srpt_rdma_ch *ch)
static bool srpt_disconnect_ch_sync(struct srpt_rdma_ch *ch)
__must_hold(&sdev->mutex)
{
- DECLARE_COMPLETION_ONSTACK(release_done);
struct srpt_device *sdev = ch->sport->sdev;
- bool wait;
+ int ret;
lockdep_assert_held(&sdev->mutex);
pr_debug("ch %s-%d state %d\n", ch->sess_name, ch->qp->qp_num,
ch->state);
- WARN_ON(ch->release_done);
- ch->release_done = &release_done;
- wait = !list_empty(&ch->list);
- srpt_disconnect_ch(ch);
+ ret = srpt_disconnect_ch(ch);
mutex_unlock(&sdev->mutex);
- if (!wait)
- goto out;
-
- while (wait_for_completion_timeout(&release_done, 180 * HZ) == 0)
+ while (wait_event_timeout(sdev->ch_releaseQ, srpt_ch_closed(sdev, ch),
+ 5 * HZ) == 0)
pr_info("%s(%s-%d state %d): still waiting ...\n", __func__,
ch->sess_name, ch->qp->qp_num, ch->state);
-out:
mutex_lock(&sdev->mutex);
- return wait;
+ return ret == 0;
}
static void srpt_set_enabled(struct srpt_port *sport, bool enabled)
@@ -1862,8 +1873,7 @@ static void srpt_release_channel_work(struct work_struct *w)
struct se_session *se_sess;
ch = container_of(w, struct srpt_rdma_ch, release_work);
- pr_debug("%s: %s-%d; release_done = %p\n", __func__, ch->sess_name,
- ch->qp->qp_num, ch->release_done);
+ pr_debug("%s: %s-%d\n", __func__, ch->sess_name, ch->qp->qp_num);
sdev = ch->sport->sdev;
BUG_ON(!sdev);
@@ -1892,8 +1902,6 @@ static void srpt_release_channel_work(struct work_struct *w)
mutex_lock(&sdev->mutex);
list_del_init(&ch->list);
- if (ch->release_done)
- complete(ch->release_done);
mutex_unlock(&sdev->mutex);
wake_up(&sdev->ch_releaseQ);
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.h b/drivers/infiniband/ulp/srpt/ib_srpt.h
index d2c08ca2bd74..3f4142edc53b 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.h
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.h
@@ -261,7 +261,6 @@ enum rdma_ch_state {
* @sess_name: Session name.
* @ini_guid: Initiator port GUID.
* @release_work: Allows scheduling of srpt_release_channel().
- * @release_done: Enables waiting for srpt_release_channel() completion.
*/
struct srpt_rdma_ch {
struct ib_cm_id *cm_id;
@@ -290,7 +289,6 @@ struct srpt_rdma_ch {
u8 sess_name[36];
u8 ini_guid[24];
struct work_struct release_work;
- struct completion *release_done;
};
/**
--
2.15.1
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-01-03 21:39 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-03 21:39 [PATCH 00/28] IB/srp and IB/srpt patches Bart Van Assche
2018-01-03 21:39 ` [PATCH 05/28] IB/srpt: Disable RDMA access by the initiator Bart Van Assche
[not found] ` <20180103213938.11664-6-bart.vanassche-Sjgp3cTcYWE@public.gmane.org>
2018-01-04 3:12 ` Jason Gunthorpe
2018-01-03 21:39 ` [PATCH 06/28] IB/srpt: Fix ACL lookup during login Bart Van Assche
[not found] ` <20180103213938.11664-7-bart.vanassche-Sjgp3cTcYWE@public.gmane.org>
2018-01-04 3:12 ` Jason Gunthorpe
[not found] ` <20180103213938.11664-1-bart.vanassche-Sjgp3cTcYWE@public.gmane.org>
2018-01-03 21:39 ` [PATCH 01/28] IB/srp: Use kstrtoull() instead of simple_strtoull() Bart Van Assche
2018-01-03 21:39 ` [PATCH 02/28] IB/srp: Make the path record query error message more informative Bart Van Assche
2018-01-03 21:39 ` [PATCH 03/28] IB/srp: Refactor srp_send_req() Bart Van Assche
2018-01-03 21:39 ` [PATCH 04/28] IB/srp: Add RDMA/CM support Bart Van Assche
2018-01-03 21:39 ` [PATCH 07/28] IB/srpt: Remove an unused structure member Bart Van Assche
2018-01-03 21:39 ` [PATCH 08/28] IB/srpt: Fix kernel-doc warnings in ib_srpt.c Bart Van Assche
2018-01-03 21:39 ` [PATCH 09/28] IB/srpt: Make it safe to use RCU for srpt_device.rch_list Bart Van Assche
2018-01-03 21:39 ` Bart Van Assche [this message]
2018-01-03 21:39 ` [PATCH 11/28] IB/srpt: Document all structure members in ib_srpt.h Bart Van Assche
2018-01-03 21:39 ` [PATCH 12/28] IB/srpt: Rename a local variable, a member variable and a constant Bart Van Assche
2018-01-03 21:39 ` [PATCH 13/28] IB/srpt: Reduce the severity level of a log message Bart Van Assche
2018-01-03 21:39 ` [PATCH 14/28] IB/srpt: Verify port numbers in srpt_event_handler() Bart Van Assche
2018-01-03 21:39 ` [PATCH 15/28] IB/srpt: Use the IPv6 format for GIDs in log messages Bart Van Assche
2018-01-03 21:39 ` [PATCH 16/28] IB/srpt: Reduce frequency of receive failure messages Bart Van Assche
2018-01-03 21:39 ` [PATCH 17/28] IB/srpt: Introduce srpt_format_guid() Bart Van Assche
2018-01-03 21:39 ` [PATCH 18/28] IB/srpt: Inline srpt_get_cmd_state() Bart Van Assche
2018-01-03 21:39 ` [PATCH 19/28] IB/srpt: Micro-optimize I/O context state manipulation Bart Van Assche
2018-01-03 21:39 ` [PATCH 20/28] IB/srpt: Add P_Key support Bart Van Assche
2018-01-03 21:39 ` [PATCH 21/28] IB/srpt: One target per port Bart Van Assche
2018-01-03 21:39 ` [PATCH 22/28] IB/srpt: Rework multi-channel support Bart Van Assche
2018-01-03 21:39 ` [PATCH 23/28] IB/srpt: Fix login-related race conditions Bart Van Assche
2018-01-03 21:39 ` [PATCH 24/28] IB/srpt: Prepare RDMA/CM support Bart Van Assche
2018-01-03 21:39 ` [PATCH 25/28] IB/srpt: Move the code for parsing struct ib_cm_req_event_param Bart Van Assche
2018-01-03 21:39 ` [PATCH 26/28] IB/srpt: Fix a race condition related to wait list processing Bart Van Assche
2018-01-03 21:39 ` [PATCH 27/28] IB/srpt: Avoid that wait list processing triggers command reordering Bart Van Assche
2018-01-03 21:39 ` [PATCH 28/28] IB/srpt: Add RDMA/CM support Bart Van Assche
2018-01-03 21:51 ` [PATCH 00/28] IB/srp and IB/srpt patches Jason Gunthorpe
[not found] ` <20180103215130.GN11348-uk2M96/98Pc@public.gmane.org>
2018-01-03 22:06 ` Bart Van Assche
[not found] ` <1515017215.2582.50.camel-Sjgp3cTcYWE@public.gmane.org>
2018-01-04 3:15 ` Jason Gunthorpe
[not found] ` <20180104031505.GP11348-uk2M96/98Pc@public.gmane.org>
2018-01-04 4:29 ` Bart Van Assche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180103213938.11664-11-bart.vanassche@wdc.com \
--to=bart.vanassche-sjgp3ctcywe@public.gmane.org \
--cc=dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=jgg-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox