Linux RDMA and InfiniBand development
From: Junxian Huang <huangjunxian6@hisilicon.com>
To: Leon Romanovsky <leon@kernel.org>
Cc: <jgg@ziepe.ca>, <linux-rdma@vger.kernel.org>,
	<linuxarm@huawei.com>, <tangchengchang@huawei.com>
Subject: Re: [PATCH for-next 0/4] RDMA/hns: Introduce delay-destruction mechanism
Date: Wed, 19 Feb 2025 21:07:36 +0800
Message-ID: <bb0a621e-78e1-c030-f8f6-e175978acf0f@hisilicon.com>
In-Reply-To: <20250219121454.GE53094@unreal>



On 2025/2/19 20:14, Leon Romanovsky wrote:
> On Mon, Feb 17, 2025 at 03:01:19PM +0800, Junxian Huang wrote:
>> When mailboxes for resource (QP/CQ/SRQ) destruction fail, it's unable
>> to notify HW about the destruction. In this case, driver will still
>> free the resources, while HW may still access them, thus leading to
>> a UAF.
> 
>> This series introduces delay-destruction mechanism to fix such HW UAF,
>> including the HW CTX and doorbells.
> 
> And why can't you fix FW instead?
> 

The key is the failure of mailbox, and there are some cases that would
lead to it, which we don't really consider as FW bugs.

For example, when some random fatal error like a RAS error occurs in FW,
our FW will be reset. Driver's mailbox will fail during the FW reset.

Another case is the mailbox timeout when FW is under heavy load, as it is
shared by multi-functions.

Thanks,
Junxian

> Thanks
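
The failure mode discussed in this message, as an added user-space model in C that is not code from the patch series or the hns driver: when the destroy command cannot reach the hardware, the resource is parked on a deferred list instead of being freed. All names (`hw_res`, `dev`, `mbox_destroy`, `res_destroy`, `dev_release_deferred`) are hypothetical, and the release point (the device can no longer access the memory) is an assumption, since the message does not say when the delayed free happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* User-space model; every name here is hypothetical, not from the hns driver. */
struct hw_res {
    void *ctx_buf;           /* memory the device may still read or write */
    struct hw_res *next;     /* link on the deferred list */
};

struct dev {
    bool mbox_ok;            /* constructed switch: false models FW reset or timeout */
    struct hw_res *deferred; /* resources whose destroy command never reached HW */
};

/* Stand-in for the destroy mailbox command: 0 on success, -1 on failure. */
static int mbox_destroy(const struct dev *d) { return d->mbox_ok ? 0 : -1; }
static void res_free(struct hw_res *r) { free(r->ctx_buf); free(r); }

struct hw_res *res_create(size_t len)
{
    struct hw_res *r = calloc(1, sizeof(*r));
    if (!r) return NULL;
    r->ctx_buf = calloc(1, len);
    if (!r->ctx_buf) { free(r); return NULL; }
    return r;
}

/* Returns 1 if freed immediately, 0 if parked because HW was not notified. */
int res_destroy(struct dev *d, struct hw_res *r)
{
    if (mbox_destroy(d) == 0) { res_free(r); return 1; }
    r->next = d->deferred;   /* freeing here would be the UAF described above */
    d->deferred = r;
    return 0;
}

/* Assumed release point: the device can no longer touch the memory. */
size_t dev_release_deferred(struct dev *d)
{
    size_t n = 0;
    for (struct hw_res *r; (r = d->deferred) != NULL; n++) {
        d->deferred = r->next;
        res_free(r);
    }
    return n;
}
```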

Thread overview: 23+ messages
2025-02-17  7:01 [PATCH for-next 0/4] RDMA/hns: Introduce delay-destruction mechanism Junxian Huang
2025-02-17  7:01 ` [PATCH for-next 1/4] RDMA/hns: Change mtr member to pointer in hns QP/CQ/MR/SRQ/EQ struct Junxian Huang
2025-02-17  7:01 ` [PATCH for-next 2/4] RDMA/hns: Fix HW CTX UAF by adding delay-destruction mechanism Junxian Huang
2025-02-17  7:01 ` [PATCH for-next 3/4] RDMA/hns: Fix HW doorbell " Junxian Huang
2025-02-17  7:01 ` [PATCH for-next 4/4] Revert "RDMA/hns: Do not destroy QP resources in the hw resetting phase" Junxian Huang
2025-02-19 12:14 ` [PATCH for-next 0/4] RDMA/hns: Introduce delay-destruction mechanism Leon Romanovsky
2025-02-19 13:07   ` Junxian Huang [this message]
2025-02-19 14:35     ` Leon Romanovsky
2025-02-20  3:48       ` Junxian Huang
2025-02-20  7:32         ` Leon Romanovsky
2025-02-20  8:45           ` Junxian Huang
2025-02-20  9:08             ` Leon Romanovsky
2025-02-20 11:05               ` Junxian Huang
2025-02-20 14:13                 ` Jason Gunthorpe
2025-02-26  9:38                   ` Junxian Huang
2025-02-20 14:10         ` Jason Gunthorpe
2025-02-26  9:46           ` Junxian Huang
2025-02-26 12:47             ` Leon Romanovsky
2025-02-26 14:25               ` Junxian Huang
2025-03-18  3:23 ` Junxian Huang
2025-03-18  9:55   ` Leon Romanovsky
2025-04-01 13:39   ` Jason Gunthorpe
2025-04-02  5:50     ` Junxian Huang
