[PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue

linux-rdma.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
@ 2020-06-09 12:54 m.malygin
  2020-07-14 19:59 ` Jason Gunthorpe
  2020-07-16 19:03 ` [PATCH v2] " m.malygin
  0 siblings, 2 replies; 9+ messages in thread
From: m.malygin @ 2020-06-09 12:54 UTC (permalink / raw)
  To: linux-rdma; +Cc: s.kojushev, linux, Mikhail Malygin

From: Mikhail Malygin <m.malygin@yadro.com>

rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL.
However it we've got an interrupt after last wr is posted, control may be returned
to the code after send completion callback is executed and wr memory is freed.
As a result, wr->next pointer may contain incorrect value leading to panic.

Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com>
---
 drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
index b8a22af724e8..a539b11b4f9b 100644
--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
@@ -684,6 +684,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 	unsigned int mask;
 	unsigned int length = 0;
 	int i;
+	struct ib_send_wr *next;
 
 	while (wr) {
 		mask = wr_opcode_mask(wr->opcode, qp);
@@ -700,6 +701,8 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 			break;
 		}
 
+		next = READ_ONCE(wr->next);
+
 		length = 0;
 		for (i = 0; i < wr->num_sge; i++)
 			length += wr->sg_list[i].length;
@@ -710,7 +713,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 			*bad_wr = wr;
 			break;
 		}
-		wr = wr->next;
+		wr = next;
 	}
 
 	rxe_run_task(&qp->req.task, 1);
-- 
2.21.0


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* Re: [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
  2020-06-09 12:54 [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue m.malygin
@ 2020-07-14 19:59 ` Jason Gunthorpe
  2020-07-16 19:03 ` [PATCH v2] " m.malygin
  1 sibling, 0 replies; 9+ messages in thread
From: Jason Gunthorpe @ 2020-07-14 19:59 UTC (permalink / raw)
  To: m.malygin; +Cc: linux-rdma, s.kojushev, linux

On Tue, Jun 09, 2020 at 03:54:12PM +0300, m.malygin@yadro.com wrote:
> From: Mikhail Malygin <m.malygin@yadro.com>
> 
> rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL.
> However it we've got an interrupt after last wr is posted, control may be returned
> to the code after send completion callback is executed and wr memory is freed.
> As a result, wr->next pointer may contain incorrect value leading to panic.
> 
> Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
> Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com>
>  drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
> index b8a22af724e8..a539b11b4f9b 100644
> +++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
> @@ -684,6 +684,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
>  	unsigned int mask;
>  	unsigned int length = 0;
>  	int i;
> +	struct ib_send_wr *next;
>  
>  	while (wr) {
>  		mask = wr_opcode_mask(wr->opcode, qp);
> @@ -700,6 +701,8 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
>  			break;
>  		}
>  
> +		next = READ_ONCE(wr->next);

Why is this READ_ONCE? The wr list at this point cannot be allowed to
change

Jason

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH v2] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
  2020-06-09 12:54 [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue m.malygin
  2020-07-14 19:59 ` Jason Gunthorpe
@ 2020-07-16 19:03 ` m.malygin
  2020-07-16 19:17   ` Jason Gunthorpe
  1 sibling, 1 reply; 9+ messages in thread
From: m.malygin @ 2020-07-16 19:03 UTC (permalink / raw)
  To: linux-rdma; +Cc: linux, jgg, Mikhail Malygin, Sergey Kojushev

From: Mikhail Malygin <m.malygin@yadro.com>

rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL.
However it we've got an interrupt after last wr is posted, control may be returned
to the code after send completion callback is executed and wr memory is freed.
As a result, wr->next pointer may contain incorrect value leading to panic.

Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com>
---
 drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
index b8a22af724e8..84fec5fd798d 100644
--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
@@ -684,6 +684,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 	unsigned int mask;
 	unsigned int length = 0;
 	int i;
+	struct ib_send_wr *next;
 
 	while (wr) {
 		mask = wr_opcode_mask(wr->opcode, qp);
@@ -700,6 +701,8 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 			break;
 		}
 
+		next = wr->next;
+
 		length = 0;
 		for (i = 0; i < wr->num_sge; i++)
 			length += wr->sg_list[i].length;
@@ -710,7 +713,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
 			*bad_wr = wr;
 			break;
 		}
-		wr = wr->next;
+		wr = next;
 	}
 
 	rxe_run_task(&qp->req.task, 1);
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* Re: [PATCH v2] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
  2020-07-16 19:03 ` [PATCH v2] " m.malygin
@ 2020-07-16 19:17   ` Jason Gunthorpe
  0 siblings, 0 replies; 9+ messages in thread
From: Jason Gunthorpe @ 2020-07-16 19:17 UTC (permalink / raw)
  To: m.malygin; +Cc: linux-rdma, linux, Sergey Kojushev

On Thu, Jul 16, 2020 at 10:03:41PM +0300, m.malygin@yadro.com wrote:
> From: Mikhail Malygin <m.malygin@yadro.com>
> 
> rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL.
> However it we've got an interrupt after last wr is posted, control may be returned
> to the code after send completion callback is executed and wr memory is freed.
> As a result, wr->next pointer may contain incorrect value leading to panic.
> 
> Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
> Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com>
> ---
>  drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

Applied to for-next, thanks

Jason

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re:  [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
@ 2020-07-15  8:57 Mikhail Malygin
  2020-07-15 11:37 ` Jason Gunthorpe
  0 siblings, 1 reply; 9+ messages in thread
From: Mikhail Malygin @ 2020-07-15  8:57 UTC (permalink / raw)
  To: Jason Gunthorpe; +Cc: linux-rdma, Sergey Kojushev, linux

> Why is this READ_ONCE? The wr list at this point cannot be allowed to
> change
> 
> Jason

The idea behind this READ_ONCE was to make sure read of wr->next happens before post_send_one(), as there is no data dependency between post_send_one and read of wr->next. However I’m not 100% sure this is necessary here.

Mikhail

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
  2020-07-15  8:57 [PATCH] " Mikhail Malygin
@ 2020-07-15 11:37 ` Jason Gunthorpe
  2020-07-15 12:18   ` Mikhail Malygin
  0 siblings, 1 reply; 9+ messages in thread
From: Jason Gunthorpe @ 2020-07-15 11:37 UTC (permalink / raw)
  To: Mikhail Malygin; +Cc: linux-rdma, Sergey Kojushev, linux

On Wed, Jul 15, 2020 at 08:57:40AM +0000, Mikhail Malygin wrote:
> 
> > Why is this READ_ONCE? The wr list at this point cannot be allowed to
> > change
> > 
> > Jason
> 
> The idea behind this READ_ONCE was to make sure read of wr->next
> happens before post_send_one(), as there is no data dependency
> between post_send_one and read of wr->next. However I’m not 100%
> sure this is necessary here.

The spinock in post_one_send() guarantees no reordering across
post_one_send()

Jason

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
  2020-07-15 11:37 ` Jason Gunthorpe
@ 2020-07-15 12:18   ` Mikhail Malygin
  2020-07-16  3:17     ` Zhu Yanjun
  0 siblings, 1 reply; 9+ messages in thread
From: Mikhail Malygin @ 2020-07-15 12:18 UTC (permalink / raw)
  To: Jason Gunthorpe; +Cc: linux-rdma, Sergey Kojushev, linux

Thanks, I’ll post an updated version.

Mikhail

> On 15 Jul 2020, at 14:37, Jason Gunthorpe <jgg@nvidia.com> wrote:
> 
> The spinock in post_one_send() guarantees no reordering across
> post_one_send()
> 
> Jason


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
  2020-07-15 12:18   ` Mikhail Malygin
@ 2020-07-16  3:17     ` Zhu Yanjun
  2020-07-16 11:41       ` Jason Gunthorpe
  0 siblings, 1 reply; 9+ messages in thread
From: Zhu Yanjun @ 2020-07-16  3:17 UTC (permalink / raw)
  To: Mikhail Malygin; +Cc: Jason Gunthorpe, linux-rdma, Sergey Kojushev, linux

On Wed, Jul 15, 2020 at 8:39 PM Mikhail Malygin <m.malygin@yadro.com> wrote:
>
> Thanks, I’ll post an updated version.
>
> Mikhail
>
> > On 15 Jul 2020, at 14:37, Jason Gunthorpe <jgg@nvidia.com> wrote:
> >
> > The spinock in post_one_send() guarantees no reordering across

How about spin_lock_irqsave?

Zhu Yanjun

> > post_one_send()
> >
> > Jason
>

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
  2020-07-16  3:17     ` Zhu Yanjun
@ 2020-07-16 11:41       ` Jason Gunthorpe
  0 siblings, 0 replies; 9+ messages in thread
From: Jason Gunthorpe @ 2020-07-16 11:41 UTC (permalink / raw)
  To: Zhu Yanjun; +Cc: Mikhail Malygin, linux-rdma, Sergey Kojushev, linux

On Thu, Jul 16, 2020 at 11:17:09AM +0800, Zhu Yanjun wrote:
> On Wed, Jul 15, 2020 at 8:39 PM Mikhail Malygin <m.malygin@yadro.com> wrote:
> >
> > Thanks, I’ll post an updated version.
> >
> > Mikhail
> >
> > > On 15 Jul 2020, at 14:37, Jason Gunthorpe <jgg@nvidia.com> wrote:
> > >
> > > The spinock in post_one_send() guarantees no reordering across
> 
> How about spin_lock_irqsave?

The unlock of any lock prevents store reordering by definition

Jason

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2020-07-16 19:17 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-09 12:54 [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue m.malygin
2020-07-14 19:59 ` Jason Gunthorpe
2020-07-16 19:03 ` [PATCH v2] " m.malygin
2020-07-16 19:17   ` Jason Gunthorpe
2020-07-15  8:57 [PATCH] " Mikhail Malygin
2020-07-15 11:37 ` Jason Gunthorpe
2020-07-15 12:18   ` Mikhail Malygin
2020-07-16  3:17     ` Zhu Yanjun
2020-07-16 11:41       ` Jason Gunthorpe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).