From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-bl2nam02on0127.outbound.protection.outlook.com ([104.47.38.127]:37417 "EHLO NAM02-BL2-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1753155AbeBCSCx (ORCPT ); Sat, 3 Feb 2018 13:02:53 -0500 From: Sasha Levin To: "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" CC: Leon Romanovsky , Jason Gunthorpe , Sasha Levin Subject: [PATCH AUTOSEL for 4.14 081/110] RDMA/netlink: Fix locking around __ib_get_device_by_index Date: Sat, 3 Feb 2018 18:01:20 +0000 Message-ID: <20180203180015.29073-81-alexander.levin@microsoft.com> References: <20180203180015.29073-1-alexander.levin@microsoft.com> In-Reply-To: <20180203180015.29073-1-alexander.levin@microsoft.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org List-ID: From: Leon Romanovsky [ Upstream commit f8978bd95cf92f869f3d9b34c1b699f49253b8c6 ] Holding locks is mandatory when calling __ib_device_get_by_index, otherwise there are races during the list iteration with device removal. Since the locks are static to device.c, __ib_device_get_by_index can never be called correctly by any user out side the file. Make the function static and provide a safe function that gets the correct locks and returns a kref'd pointer. Fix all callers. Fixes: e5c9469efcb1 ("RDMA/netlink: Add nldev device doit implementation") Fixes: c3f66f7b0052 ("RDMA/netlink: Implement nldev port doit callback") Fixes: 7d02f605f0dc ("RDMA/netlink: Add nldev port dumpit implementation") Reviewed-by: Mark Bloch Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin --- drivers/infiniband/core/core_priv.h | 2 +- drivers/infiniband/core/device.c | 18 ++++++++++++- drivers/infiniband/core/nldev.c | 54 ++++++++++++++++++++++++---------= ---- 3 files changed, 54 insertions(+), 20 deletions(-) diff --git a/drivers/infiniband/core/core_priv.h b/drivers/infiniband/core/= core_priv.h index a1d687a664f8..66f0268f37a6 100644 --- a/drivers/infiniband/core/core_priv.h +++ b/drivers/infiniband/core/core_priv.h @@ -314,7 +314,7 @@ static inline int ib_mad_enforce_security(struct ib_mad= _agent_private *map, } #endif =20 -struct ib_device *__ib_device_get_by_index(u32 ifindex); +struct ib_device *ib_device_get_by_index(u32 ifindex); /* RDMA device netlink */ void nldev_init(void); void nldev_exit(void); diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/dev= ice.c index 84fc32a2c8b3..f65f64cb8455 100644 --- a/drivers/infiniband/core/device.c +++ b/drivers/infiniband/core/device.c @@ -134,7 +134,7 @@ static int ib_device_check_mandatory(struct ib_device *= device) return 0; } =20 -struct ib_device *__ib_device_get_by_index(u32 index) +static struct ib_device *__ib_device_get_by_index(u32 index) { struct ib_device *device; =20 @@ -145,6 +145,22 @@ struct ib_device *__ib_device_get_by_index(u32 index) return NULL; } =20 +/* + * Caller is responsible to return refrerence count by calling put_device(= ) + */ +struct ib_device *ib_device_get_by_index(u32 index) +{ + struct ib_device *device; + + down_read(&lists_rwsem); + device =3D __ib_device_get_by_index(index); + if (device) + get_device(&device->dev); + + up_read(&lists_rwsem); + return device; +} + static struct ib_device *__ib_device_get_by_name(const char *name) { struct ib_device *device; diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nlde= v.c index 2fae850a3eff..4fbb9681f5cf 100644 --- a/drivers/infiniband/core/nldev.c +++ b/drivers/infiniband/core/nldev.c @@ -142,27 +142,34 @@ static int nldev_get_doit(struct sk_buff *skb, struct= nlmsghdr *nlh, =20 index =3D nla_get_u32(tb[RDMA_NLDEV_ATTR_DEV_INDEX]); =20 - device =3D __ib_device_get_by_index(index); + device =3D ib_device_get_by_index(index); if (!device) return -EINVAL; =20 msg =3D nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); - if (!msg) - return -ENOMEM; + if (!msg) { + err =3D -ENOMEM; + goto err; + } =20 nlh =3D nlmsg_put(msg, NETLINK_CB(skb).portid, nlh->nlmsg_seq, RDMA_NL_GET_TYPE(RDMA_NL_NLDEV, RDMA_NLDEV_CMD_GET), 0, 0); =20 err =3D fill_dev_info(msg, device); - if (err) { - nlmsg_free(msg); - return err; - } + if (err) + goto err_free; =20 nlmsg_end(msg, nlh); =20 + put_device(&device->dev); return rdma_nl_unicast(msg, NETLINK_CB(skb).portid); + +err_free: + nlmsg_free(msg); +err: + put_device(&device->dev); + return err; } =20 static int _nldev_get_dumpit(struct ib_device *device, @@ -220,31 +227,40 @@ static int nldev_port_get_doit(struct sk_buff *skb, s= truct nlmsghdr *nlh, return -EINVAL; =20 index =3D nla_get_u32(tb[RDMA_NLDEV_ATTR_DEV_INDEX]); - device =3D __ib_device_get_by_index(index); + device =3D ib_device_get_by_index(index); if (!device) return -EINVAL; =20 port =3D nla_get_u32(tb[RDMA_NLDEV_ATTR_PORT_INDEX]); - if (!rdma_is_port_valid(device, port)) - return -EINVAL; + if (!rdma_is_port_valid(device, port)) { + err =3D -EINVAL; + goto err; + } =20 msg =3D nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); - if (!msg) - return -ENOMEM; + if (!msg) { + err =3D -ENOMEM; + goto err; + } =20 nlh =3D nlmsg_put(msg, NETLINK_CB(skb).portid, nlh->nlmsg_seq, RDMA_NL_GET_TYPE(RDMA_NL_NLDEV, RDMA_NLDEV_CMD_GET), 0, 0); =20 err =3D fill_port_info(msg, device, port); - if (err) { - nlmsg_free(msg); - return err; - } + if (err) + goto err_free; =20 nlmsg_end(msg, nlh); + put_device(&device->dev); =20 return rdma_nl_unicast(msg, NETLINK_CB(skb).portid); + +err_free: + nlmsg_free(msg); +err: + put_device(&device->dev); + return err; } =20 static int nldev_port_get_dumpit(struct sk_buff *skb, @@ -265,7 +281,7 @@ static int nldev_port_get_dumpit(struct sk_buff *skb, return -EINVAL; =20 ifindex =3D nla_get_u32(tb[RDMA_NLDEV_ATTR_DEV_INDEX]); - device =3D __ib_device_get_by_index(ifindex); + device =3D ib_device_get_by_index(ifindex); if (!device) return -EINVAL; =20 @@ -299,7 +315,9 @@ static int nldev_port_get_dumpit(struct sk_buff *skb, nlmsg_end(skb, nlh); } =20 -out: cb->args[0] =3D idx; +out: + put_device(&device->dev); + cb->args[0] =3D idx; return skb->len; } =20 --=20 2.11.0