From: Guoqing Jiang <guoqing.jiang@linux.dev>
To: "Zhijian Li (Fujitsu)" <lizhijian@fujitsu.com>,
"haris.iqbal@ionos.com" <haris.iqbal@ionos.com>,
"jinpu.wang@ionos.com" <jinpu.wang@ionos.com>,
"jgg@ziepe.ca" <jgg@ziepe.ca>,
"leon@kernel.org" <leon@kernel.org>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH for-next 3/3] RDMA/rtrs: Avoid use-after-free in rtrs_clt_rdma_cm_handler
Date: Wed, 12 Apr 2023 09:15:01 +0800 [thread overview]
Message-ID: <e22e7963-2077-45b8-97c8-8eef07862ef4@linux.dev> (raw)
In-Reply-To: <1e1c082c-0c94-6594-d02c-9f7fbab80b0b@fujitsu.com>
On 4/11/23 09:33, Zhijian Li (Fujitsu) wrote:
>
>>> diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
>>> index 4c8f42e46e2f..760a7eb51297 100644
>>> --- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
>>> +++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
>>> @@ -2074,6 +2074,7 @@ static int create_cm(struct rtrs_clt_con *con)
>>> rtrs_err(s, "Failed to resolve address, err: %d\n", err);
>>> goto destroy_cm;
>>> }
>>> +again:
>>> /*
>>> * Combine connection status and session events. This is needed
>>> * for waiting two possible cases: cm_err has something meaningful
>>> @@ -2083,10 +2084,15 @@ static int create_cm(struct rtrs_clt_con *con)
>>> clt_path->state_wq,
>>> con->cm_err || clt_path->state != RTRS_CLT_CONNECTING,
>>> msecs_to_jiffies(RTRS_CONNECT_TIMEOUT_MS));
>>> - if (err == 0 || err == -ERESTARTSYS) {
>>> - if (err == 0)
>>> - err = -ETIMEDOUT;
>>> - /* Timedout or interrupted */
>>> + if (err == -ERESTARTSYS) {
>>> + /* interrupted,
>>> + * try again to avoid the in-flight rtrs_clt_rdma_cm_handler()
>>> + * getting a use-after-free
>>> + */
>>> + goto again;
>>> + } else if (err == 0) {
>>> + err = -ETIMEDOUT;
>>> + /* Timedout */
>>> goto errr;
>>> }
>> Can event handler still be triggered in case of timeout?
> I have never hit such race.
But it is still possible with the theory.
>> And I guess either stop_cm -> rdma_disconnect or destroy_cm -> rdma_destroy_id
>> should prevent this kind of racy issue.
> In practice, they are possible that rtrs_clt_rdma_cm_handler() is in-flight during
> 'either stop_cm -> rdma_disconnect or destroy_cm -> rdma_destroy_id'. rtrs_clt_rdma_cm_handler() and
> cm's cleanup path need to hold mutex_lock(&con->con_mutex), once cm's cleanup path get this lock first
> rtrs_clt_rdma_cm_handler has to sleep, when rtrs_clt_rdma_cm_handler is wakeup again, some resources has been
> freed by cm's cleanup path.
First, stop_cm doesn't need to hold &con->con_mutex. But
rtrs_clt_rdma_cm_handler
is called from rdma core layer which need id_priv->handler_mutexinstead
of con_mutex
I thinnk. Also RTRS has similar behavior as nvme host rdma, ib_srp and
iser_verb.
@Jinpu/Haris, can we move destroy_cm right after stop_cm?*
*Thanks,
Guoqing
prev parent reply other threads:[~2023-04-12 1:15 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-10 6:43 [PATCH for-next 0/3] rtrs bugfix and cleanups Li Zhijian
2023-04-10 6:43 ` [PATCH for-next 1/3] RDMA/rtrs: Remove duplicate cq_num assignment Li Zhijian
2023-04-10 13:09 ` Guoqing Jiang
2023-04-19 10:37 ` Jinpu Wang
2023-04-10 6:43 ` [PATCH for-next 2/3] RDMA/rtrs: Fix rxe_dealloc_pd warning Li Zhijian
2023-04-10 12:08 ` Leon Romanovsky
2023-04-10 13:10 ` Guoqing Jiang
2023-04-11 2:43 ` Zhijian Li (Fujitsu)
2023-04-11 12:26 ` Leon Romanovsky
2023-04-12 1:15 ` Zhijian Li (Fujitsu)
2023-04-13 7:35 ` Guoqing Jiang
2023-04-13 8:12 ` Zhijian Li (Fujitsu)
2023-04-13 13:24 ` Leon Romanovsky
2023-04-14 15:58 ` Zhu Yanjun
2023-04-17 2:18 ` Zhijian Li (Fujitsu)
2023-04-17 18:04 ` Leon Romanovsky
2023-04-18 7:04 ` Zhijian Li (Fujitsu)
2023-04-18 7:57 ` Leon Romanovsky
2023-04-19 9:53 ` Zhijian Li (Fujitsu)
2023-04-19 13:20 ` Jinpu Wang
2023-04-20 2:00 ` Zhijian Li (Fujitsu)
2023-04-21 1:38 ` Zhijian Li (Fujitsu)
2023-04-21 6:49 ` Zhijian Li (Fujitsu)
2023-04-21 7:05 ` Jinpu Wang
2023-04-14 3:40 ` Guoqing Jiang
2023-04-14 4:25 ` Bob Pearson
2023-04-14 5:37 ` Zhijian Li (Fujitsu)
2023-04-14 6:03 ` Jinpu Wang
2023-04-14 6:47 ` Zhijian Li (Fujitsu)
2023-04-14 6:04 ` Guoqing Jiang
2023-04-14 10:09 ` Zhijian Li (Fujitsu)
2023-04-17 3:08 ` Guoqing Jiang
2023-04-18 6:47 ` Zhijian Li (Fujitsu)
2023-04-10 6:43 ` [PATCH for-next 3/3] RDMA/rtrs: Avoid use-after-free in rtrs_clt_rdma_cm_handler Li Zhijian
2023-04-10 12:10 ` Leon Romanovsky
2023-04-10 13:13 ` Guoqing Jiang
2023-04-11 1:33 ` Zhijian Li (Fujitsu)
2023-04-12 1:15 ` Guoqing Jiang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e22e7963-2077-45b8-97c8-8eef07862ef4@linux.dev \
--to=guoqing.jiang@linux.dev \
--cc=haris.iqbal@ionos.com \
--cc=jgg@ziepe.ca \
--cc=jinpu.wang@ionos.com \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=lizhijian@fujitsu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox