From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Mark Zhang <markz@mellanox.com>,
Maor Gottlieb <maorg@mellanox.com>,
Leon Romanovsky <leonro@mellanox.com>,
Jason Gunthorpe <jgg@mellanox.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 43/78] RDMA/cma: Protect bind_list and listen_list while finding matching cm id
Date: Mon, 29 Jun 2020 11:37:31 -0400 [thread overview]
Message-ID: <20200629153806.2494953-44-sashal@kernel.org> (raw)
In-Reply-To: <20200629153806.2494953-1-sashal@kernel.org>
From: Mark Zhang <markz@mellanox.com>
[ Upstream commit 730c8912484186d4623d0c76509066d285c3a755 ]
The bind_list and listen_list must be accessed under a lock, add the
missing locking around the access in cm_ib_id_from_event()
In addition add lockdep asserts to make it clearer what the locking
semantic is here.
general protection fault: 0000 [#1] SMP NOPTI
CPU: 226 PID: 126135 Comm: kworker/226:1 Tainted: G OE 4.12.14-150.47-default #1 SLE15
Hardware name: Cray Inc. Windom/Windom, BIOS 0.8.7 01-10-2020
Workqueue: ib_cm cm_work_handler [ib_cm]
task: ffff9c5a60a1d2c0 task.stack: ffffc1d91f554000
RIP: 0010:cma_ib_req_handler+0x3f1/0x11b0 [rdma_cm]
RSP: 0018:ffffc1d91f557b40 EFLAGS: 00010286
RAX: deacffffffffff30 RBX: 0000000000000001 RCX: ffff9c2af5bb6000
RDX: 00000000000000a9 RSI: ffff9c5aa4ed2f10 RDI: ffffc1d91f557b08
RBP: ffffc1d91f557d90 R08: ffff9c340cc80000 R09: ffff9c2c0f901900
R10: 0000000000000000 R11: 0000000000000001 R12: deacffffffffff30
R13: ffff9c5a48aeec00 R14: ffffc1d91f557c30 R15: ffff9c5c2eea3688
FS: 0000000000000000(0000) GS:ffff9c5c2fa80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002b5cc03fa320 CR3: 0000003f8500a000 CR4: 00000000003406e0
Call Trace:
? rdma_addr_cancel+0xa0/0xa0 [ib_core]
? cm_process_work+0x28/0x140 [ib_cm]
cm_process_work+0x28/0x140 [ib_cm]
? cm_get_bth_pkey.isra.44+0x34/0xa0 [ib_cm]
cm_work_handler+0xa06/0x1a6f [ib_cm]
? __switch_to_asm+0x34/0x70
? __switch_to_asm+0x34/0x70
? __switch_to_asm+0x40/0x70
? __switch_to_asm+0x34/0x70
? __switch_to_asm+0x40/0x70
? __switch_to_asm+0x34/0x70
? __switch_to_asm+0x40/0x70
? __switch_to+0x7c/0x4b0
? __switch_to_asm+0x40/0x70
? __switch_to_asm+0x34/0x70
process_one_work+0x1da/0x400
worker_thread+0x2b/0x3f0
? process_one_work+0x400/0x400
kthread+0x118/0x140
? kthread_create_on_node+0x40/0x40
ret_from_fork+0x22/0x40
Code: 00 66 83 f8 02 0f 84 ca 05 00 00 49 8b 84 24 d0 01 00 00 48 85 c0 0f 84 68 07 00 00 48 2d d0 01
00 00 49 89 c4 0f 84 59 07 00 00 <41> 0f b7 44 24 20 49 8b 77 50 66 83 f8 0a 75 9e 49 8b 7c 24 28
Fixes: 4c21b5bcef73 ("IB/cma: Add net_dev and private data checks to RDMA CM")
Link: https://lore.kernel.org/r/20200616104304.2426081-1-leon@kernel.org
Signed-off-by: Mark Zhang <markz@mellanox.com>
Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/cma.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index d901591db9c8e..6e8af2b914929 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -1482,6 +1482,8 @@ static struct rdma_id_private *cma_find_listener(
{
struct rdma_id_private *id_priv, *id_priv_dev;
+ lockdep_assert_held(&lock);
+
if (!bind_list)
return ERR_PTR(-EINVAL);
@@ -1530,6 +1532,7 @@ static struct rdma_id_private *cma_id_from_event(struct ib_cm_id *cm_id,
}
}
+ mutex_lock(&lock);
/*
* Net namespace might be getting deleted while route lookup,
* cm_id lookup is in progress. Therefore, perform netdevice
@@ -1571,6 +1574,7 @@ static struct rdma_id_private *cma_id_from_event(struct ib_cm_id *cm_id,
id_priv = cma_find_listener(bind_list, cm_id, ib_event, &req, *net_dev);
err:
rcu_read_unlock();
+ mutex_unlock(&lock);
if (IS_ERR(id_priv) && *net_dev) {
dev_put(*net_dev);
*net_dev = NULL;
@@ -2287,6 +2291,8 @@ static void cma_listen_on_dev(struct rdma_id_private *id_priv,
struct net *net = id_priv->id.route.addr.dev_addr.net;
int ret;
+ lockdep_assert_held(&lock);
+
if (cma_family(id_priv) == AF_IB && !rdma_cap_ib_cm(cma_dev->device, 1))
return;
@@ -2993,6 +2999,8 @@ static void cma_bind_port(struct rdma_bind_list *bind_list,
u64 sid, mask;
__be16 port;
+ lockdep_assert_held(&lock);
+
addr = cma_src_addr(id_priv);
port = htons(bind_list->port);
@@ -3021,6 +3029,8 @@ static int cma_alloc_port(enum rdma_port_space ps,
struct rdma_bind_list *bind_list;
int ret;
+ lockdep_assert_held(&lock);
+
bind_list = kzalloc(sizeof *bind_list, GFP_KERNEL);
if (!bind_list)
return -ENOMEM;
@@ -3047,6 +3057,8 @@ static int cma_port_is_unique(struct rdma_bind_list *bind_list,
struct sockaddr *saddr = cma_src_addr(id_priv);
__be16 dport = cma_port(daddr);
+ lockdep_assert_held(&lock);
+
hlist_for_each_entry(cur_id, &bind_list->owners, node) {
struct sockaddr *cur_daddr = cma_dst_addr(cur_id);
struct sockaddr *cur_saddr = cma_src_addr(cur_id);
@@ -3086,6 +3098,8 @@ static int cma_alloc_any_port(enum rdma_port_space ps,
unsigned int rover;
struct net *net = id_priv->id.route.addr.dev_addr.net;
+ lockdep_assert_held(&lock);
+
inet_get_local_port_range(net, &low, &high);
remaining = (high - low) + 1;
rover = prandom_u32() % remaining + low;
@@ -3133,6 +3147,8 @@ static int cma_check_port(struct rdma_bind_list *bind_list,
struct rdma_id_private *cur_id;
struct sockaddr *addr, *cur_addr;
+ lockdep_assert_held(&lock);
+
addr = cma_src_addr(id_priv);
hlist_for_each_entry(cur_id, &bind_list->owners, node) {
if (id_priv == cur_id)
@@ -3163,6 +3179,8 @@ static int cma_use_port(enum rdma_port_space ps,
unsigned short snum;
int ret;
+ lockdep_assert_held(&lock);
+
snum = ntohs(cma_port(cma_src_addr(id_priv)));
if (snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
return -EACCES;
--
2.25.1
next prev parent reply other threads:[~2020-06-29 19:27 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-29 15:36 [PATCH 4.14 00/78] 4.14.186-rc1 review Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 01/78] scsi: scsi_devinfo: handle non-terminated strings Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 02/78] net: be more gentle about silly gso requests coming from user Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 03/78] block/bio-integrity: don't free 'buf' if bio_integrity_add_page() failed Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 04/78] net: sched: export __netdev_watchdog_up() Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 05/78] fix a braino in "sparc32: fix register window handling in genregs32_[gs]et()" Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 06/78] apparmor: don't try to replace stale label in ptraceme check Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 07/78] ibmveth: Fix max MTU limit Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 08/78] mld: fix memory leak in ipv6_mc_destroy_dev() Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 09/78] net: bridge: enfore alignment for ethernet address Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 10/78] net: fix memleak in register_netdevice() Sasha Levin
2020-06-29 15:36 ` [PATCH 4.14 11/78] net: usb: ax88179_178a: fix packet alignment padding Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 12/78] rocker: fix incorrect error handling in dma_rings_init Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 13/78] rxrpc: Fix notification call on completion of discarded calls Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 14/78] sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 15/78] tcp: grow window for OOO packets only for SACK flows Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 16/78] tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 17/78] ip_tunnel: fix use-after-free in ip_tunnel_lookup() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 18/78] tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 19/78] ip6_gre: fix use-after-free in ip6gre_tunnel_lookup() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 20/78] net: Fix the arp error in some cases Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 21/78] net: Do not clear the sock TX queue in sk_set_socket() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 22/78] net: core: reduce recursion limit value Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 23/78] USB: ohci-sm501: Add missed iounmap() in remove Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 24/78] usb: dwc2: Postponed gadget registration to the udc class driver Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 25/78] usb: add USB_QUIRK_DELAY_INIT for Logitech C922 Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 26/78] USB: ehci: reopen solution for Synopsys HC bug Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 27/78] usb: host: xhci-mtk: avoid runtime suspend when removing hcd Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 28/78] usb: host: ehci-exynos: Fix error check in exynos_ehci_probe() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 29/78] ALSA: usb-audio: add quirk for Denon DCD-1500RE Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 30/78] xhci: Fix incorrect EP_STATE_MASK Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 31/78] xhci: Fix enumeration issue when setting max packet size for FS devices Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 32/78] cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 33/78] loop: replace kill_bdev with invalidate_bdev Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 34/78] ALSA: usb-audio: uac1: Invalidate ctl on interrupt Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 35/78] ALSA: usb-audio: Clean up mixer element list traverse Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 36/78] ALSA: usb-audio: Fix OOB access of mixer element list Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 37/78] xhci: Poll for U0 after disabling USB2 LPM Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 38/78] cifs/smb3: Fix data inconsistent when punch hole Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 39/78] cifs/smb3: Fix data inconsistent when zero file range Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 40/78] efi/esrt: Fix reference count leak in esre_create_sysfs_entry Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 41/78] ARM: dts: NSP: Correct FA2 mailbox node Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 42/78] rxrpc: Fix handling of rwind from an ACK packet Sasha Levin
2020-06-29 15:37 ` Sasha Levin [this message]
2020-06-29 15:37 ` [PATCH 4.14 44/78] ASoC: rockchip: Fix a reference count leak Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 45/78] RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 46/78] net: qed: fix left elements count calculation Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 47/78] net: qed: fix NVMe login fails over VFs Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 48/78] net: qed: fix excessive QM ILT lines consumption Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 49/78] ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 50/78] usb: gadget: udc: Potential Oops in error handling code Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 51/78] netfilter: ipset: fix unaligned atomic access Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 52/78] net: bcmgenet: use hardware padding of runt frames Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 53/78] sched/core: Fix PI boosting between RT and DEADLINE tasks Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 54/78] ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 55/78] net: alx: fix race condition in alx_remove Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 56/78] s390/ptrace: fix setting syscall number Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 57/78] kbuild: improve cc-option to clean up all temporary files Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 58/78] blktrace: break out of blktrace setup on concurrent calls Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 59/78] ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 60/78] ACPI: sysfs: Fix pm_profile_attr type Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 61/78] KVM: X86: Fix MSR range of APIC registers in X2APIC mode Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 62/78] KVM: nVMX: Plumb L2 GPA through to PML emulation Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 63/78] btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 64/78] mm/slab: use memzero_explicit() in kzfree() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 65/78] ocfs2: load global_inode_alloc Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 66/78] ocfs2: fix value of OCFS2_INVALID_SLOT Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 67/78] ocfs2: fix panic on nfs server over ocfs2 Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 68/78] arm64: perf: Report the PC value in REGS_ABI_32 mode Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 69/78] tracing: Fix event trigger to accept redundant spaces Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 70/78] drm/radeon: fix fb_div check in ni_init_smc_spll_table() Sasha Levin
2020-06-29 15:37 ` [PATCH 4.14 71/78] Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate() Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 72/78] sunrpc: fixed rollback in rpc_gssd_dummy_populate() Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 73/78] SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment() Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 74/78] pNFS/flexfiles: Fix list corruption if the mirror count changes Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 75/78] NFSv4 fix CLOSE not waiting for direct IO compeletion Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 76/78] ALSA: usb-audio: Fix invalid NULL check in snd_emuusb_set_samplerate() Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 77/78] xfs: add agf freeblocks verify in xfs_agf_verify Sasha Levin
2020-06-29 15:38 ` [PATCH 4.14 78/78] Linux 4.14.186-rc1 Sasha Levin
2020-06-30 7:19 ` [PATCH 4.14 00/78] 4.14.186-rc1 review Naresh Kamboju
2020-06-30 9:20 ` Jon Hunter
2020-06-30 13:08 ` Sebastian Gottschall
2020-06-30 17:21 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200629153806.2494953-44-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jgg@mellanox.com \
--cc=leonro@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=maorg@mellanox.com \
--cc=markz@mellanox.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).