From: Bernd Schubert <bernd.schubert-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
To: Roland Dreier <roland-BHEL68pLQRGGvPXPguhicg@public.gmane.org>
Cc: "Hefty,
Sean" <sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
"linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Sven Breuner
<sven.breuner-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
Subject: Re: [PATCH] core/verb.c: fix kernel panic: always initialize struct ib_qp *qp->usecnt
Date: Mon, 23 Jan 2012 16:11:02 +0100 [thread overview]
Message-ID: <4F1D7886.6010801@itwm.fraunhofer.de> (raw)
In-Reply-To: <CAL1RGDWSh3HpVY5dui549EoqhzTYaSnsCPGdEU+hPZ9NWx6ttw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On 01/20/2012 07:40 PM, Roland Dreier wrote:
> On Fri, Jan 20, 2012 at 8:14 AM, Bernd Schubert
> <bernd.schubert-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org> wrote:
>> I *guess* the qp allocated by pd->context->ops.create_qp() does not have
>> qp->usecnt initialized (not does it know anything about it). So its random
>> value will fail the destruction later. A simple workaround that would work
>> for us, is to extend the patch I send to
>>
>> diff --git a/drivers/infiniband/core/verbs.c
>> b/drivers/infiniband/core/verbs.c
>> index 602b1bd..fba1675 100644
>> --- a/drivers/infiniband/core/verbs.c
>> +++ b/drivers/infiniband/core/verbs.c
>> @@ -874,7 +874,7 @@ int ib_destroy_qp(struct ib_qp *qp)
>> struct ib_srq *srq;
>> int ret;
>>
>> - if (atomic_read(&qp->usecnt))
>> + if (qp->qp_type == IB_QPT_XRC_TGT&& atomic_read(&qp->usecnt))
>> return -EBUSY;
>>
>> if (qp->real_qp != qp)
>
> It looks like this is sufficient and correct without the other patch?
>
>>
>>
>> However, what is is with user space setting type to IB_QPT_XRC_TGT? I guess
>> this could be solved by letting the kernel zero the memory returned by
>> ->ops.create_qp(pd, qp_init_attr).
>> Btw, I didn't figure out yet, how this translates at all in kernel space? Is
>> this op directly going to the device driver?
>>
>> But even if we are properly going to initialize the qp, what is with user
>> space mischievously trying to crash the system by manipulating struct ib_qp
>> *qp?
>
> I don't follow this. Isn't *qp completely allocated and manipulated
> in the kernel? How can userspace touch it except by having the
> kernel do something via the uverbs interface?
Sorry, I first didn't see the ib_uverbs_create_qp() interface and
copy_from/to_user() there.
Cheers,
Bernd
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2012-01-23 15:11 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-19 19:46 [PATCH] core/verb.c: fix kernel panic: always initialize struct ib_qp *qp->usecnt Bernd Schubert
[not found] ` <20120119194641.1391553.39048.stgit-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2012-01-19 20:29 ` Hefty, Sean
[not found] ` <1828884A29C6694DAF28B7E6B8A823732DC0C33E-P5GAC/sN6hlZtRGVdHMbwrfspsVTdybXVpNB7YpNyf8@public.gmane.org>
2012-01-20 16:14 ` Bernd Schubert
[not found] ` <4F1992F6.9070103-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
2012-01-20 18:40 ` Roland Dreier
[not found] ` <CAL1RGDWSh3HpVY5dui549EoqhzTYaSnsCPGdEU+hPZ9NWx6ttw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-01-20 18:43 ` Roland Dreier
[not found] ` <CAL1RGDW=XfCd3aCmB0mE1WcOUeDj=17=s2K0A3zpFmBF6Rg_Rg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-01-27 16:23 ` Sven Breuner
[not found] ` <4F22CF82.2060606-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
2012-01-27 17:20 ` Roland Dreier
[not found] ` <CAL1RGDXXYG48d2P0h4G+z4W8HebjrQ7HTWyx5FqgB0_2OqC4Ng-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-01-27 18:49 ` Sven Breuner
[not found] ` <4F22F1C9.3090801-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
2012-01-27 19:09 ` Roland Dreier
2012-01-23 15:11 ` Bernd Schubert [this message]
2012-01-19 20:38 ` Greg KH
-- strict thread matches above, loose matches on Subject: below --
2012-01-20 18:43 Hefty, Sean
[not found] ` <1828884A29C6694DAF28B7E6B8A823732DC115E2-P5GAC/sN6hmkrb+BlOpmy7fspsVTdybXVpNB7YpNyf8@public.gmane.org>
2012-01-23 16:11 ` Bernd Schubert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F1D7886.6010801@itwm.fraunhofer.de \
--to=bernd.schubert-mpn0npgs4xgatndf+kubs4quadtiucjx@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=roland-BHEL68pLQRGGvPXPguhicg@public.gmane.org \
--cc=sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=sven.breuner-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox