[PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue

linux-rdma.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
@ 2020-06-09 12:54 m.malygin
  2020-07-14 19:59 ` Jason Gunthorpe
  2020-07-16 19:03 ` [PATCH v2] " m.malygin
  0 siblings, 2 replies; 4+ messages in thread
From: m.malygin @ 2020-06-09 12:54 UTC (permalink / raw)
  To: linux-rdma; +Cc: s.kojushev, linux, Mikhail Malygin

From: Mikhail Malygin <m.malygin@yadro.com>

rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL.
However it we've got an interrupt after last wr is posted, control may be returned
to the code after send completion callback is executed and wr memory is freed.
As a result, wr->next pointer may contain incorrect value leading to panic.

Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com>
---
 drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
index b8a22af724e8..a539b11b4f9b 100644
--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
@@ -684,6 +684,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 	unsigned int mask;
 	unsigned int length = 0;
 	int i;
+	struct ib_send_wr *next;
 
 	while (wr) {
 		mask = wr_opcode_mask(wr->opcode, qp);
@@ -700,6 +701,8 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 			break;
 		}
 
+		next = READ_ONCE(wr->next);
+
 		length = 0;
 		for (i = 0; i < wr->num_sge; i++)
 			length += wr->sg_list[i].length;
@@ -710,7 +713,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 			*bad_wr = wr;
 			break;
 		}
-		wr = wr->next;
+		wr = next;
 	}
 
 	rxe_run_task(&qp->req.task, 1);
-- 
2.21.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
  2020-06-09 12:54 [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue m.malygin
@ 2020-07-14 19:59 ` Jason Gunthorpe
  2020-07-16 19:03 ` [PATCH v2] " m.malygin
  1 sibling, 0 replies; 4+ messages in thread
From: Jason Gunthorpe @ 2020-07-14 19:59 UTC (permalink / raw)
  To: m.malygin; +Cc: linux-rdma, s.kojushev, linux

On Tue, Jun 09, 2020 at 03:54:12PM +0300, m.malygin@yadro.com wrote:
> From: Mikhail Malygin <m.malygin@yadro.com>
> 
> rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL.
> However it we've got an interrupt after last wr is posted, control may be returned
> to the code after send completion callback is executed and wr memory is freed.
> As a result, wr->next pointer may contain incorrect value leading to panic.
> 
> Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
> Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com>
>  drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
> index b8a22af724e8..a539b11b4f9b 100644
> +++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
> @@ -684,6 +684,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
>  	unsigned int mask;
>  	unsigned int length = 0;
>  	int i;
> +	struct ib_send_wr *next;
>  
>  	while (wr) {
>  		mask = wr_opcode_mask(wr->opcode, qp);
> @@ -700,6 +701,8 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
>  			break;
>  		}
>  
> +		next = READ_ONCE(wr->next);

Why is this READ_ONCE? The wr list at this point cannot be allowed to
change

Jason

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH v2] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
  2020-06-09 12:54 [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue m.malygin
  2020-07-14 19:59 ` Jason Gunthorpe
@ 2020-07-16 19:03 ` m.malygin
  2020-07-16 19:17   ` Jason Gunthorpe
  1 sibling, 1 reply; 4+ messages in thread
From: m.malygin @ 2020-07-16 19:03 UTC (permalink / raw)
  To: linux-rdma; +Cc: linux, jgg, Mikhail Malygin, Sergey Kojushev

From: Mikhail Malygin <m.malygin@yadro.com>

rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL.
However it we've got an interrupt after last wr is posted, control may be returned
to the code after send completion callback is executed and wr memory is freed.
As a result, wr->next pointer may contain incorrect value leading to panic.

Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com>
---
 drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
index b8a22af724e8..84fec5fd798d 100644
--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
@@ -684,6 +684,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 	unsigned int mask;
 	unsigned int length = 0;
 	int i;
+	struct ib_send_wr *next;
 
 	while (wr) {
 		mask = wr_opcode_mask(wr->opcode, qp);
@@ -700,6 +701,8 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 			break;
 		}
 
+		next = wr->next;
+
 		length = 0;
 		for (i = 0; i < wr->num_sge; i++)
 			length += wr->sg_list[i].length;
@@ -710,7 +713,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 			*bad_wr = wr;
 			break;
 		}
-		wr = wr->next;
+		wr = next;
 	}
 
 	rxe_run_task(&qp->req.task, 1);
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
  2020-07-16 19:03 ` [PATCH v2] " m.malygin
@ 2020-07-16 19:17   ` Jason Gunthorpe
  0 siblings, 0 replies; 4+ messages in thread
From: Jason Gunthorpe @ 2020-07-16 19:17 UTC (permalink / raw)
  To: m.malygin; +Cc: linux-rdma, linux, Sergey Kojushev

On Thu, Jul 16, 2020 at 10:03:41PM +0300, m.malygin@yadro.com wrote:
> From: Mikhail Malygin <m.malygin@yadro.com>
> 
> rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL.
> However it we've got an interrupt after last wr is posted, control may be returned
> to the code after send completion callback is executed and wr memory is freed.
> As a result, wr->next pointer may contain incorrect value leading to panic.
> 
> Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
> Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com>
> ---
>  drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

Applied to for-next, thanks

Jason

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2020-07-16 19:17 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-06-09 12:54 [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue m.malygin
2020-07-14 19:59 ` Jason Gunthorpe
2020-07-16 19:03 ` [PATCH v2] " m.malygin
2020-07-16 19:17   ` Jason Gunthorpe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).