From: Jia-Ju Bai
To: monis@mellanox.com, sean.hefty@intel.com, dledford@redhat.com, hal.rosenstock@gmail.com, yuval.shaia@oracle.com
Cc: linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH V4] rxe: Fix a sleep-in-atomic bug in post_one_send
Date: Mon, 5 Jun 2017 17:39:48 +0800
Message-Id: <1496655588-5598-1-git-send-email-baijiaju1990@163.com>

The driver may sleep under a spin lock, and the function call path is:
post_one_send (acquire the lock by spin_lock_irqsave)
  init_send_wqe
    copy_from_user --> may sleep

There is no flow that makes "qp->is_user" true, and copy_from_user may
cause bug when a non-user pointer is used. So, the line of copy_from_user
is removed.

Signed-off-by: Jia-Ju Bai
---
V4:
* Remove the line of copy_from_user.
V3:
* It corrects the mistakes of remaining legacy code in V2.
  (Thank Ram for pointing it out)
V2:
* The parameter "flags" is added to restore and save the irq status.
  Thank Leon for good advice.
---
 drivers/infiniband/sw/rxe/rxe_verbs.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c index 83d709e..7c52c7c 100644 --- a/drivers/infiniband/sw/rxe/rxe_verbs.c +++ b/drivers/infiniband/sw/rxe/rxe_verbs.c @@ -740,11 +740,7 @@ static int init_send_wqe(struct rxe_qp *qp, struct ib_send_wr *ibwr, sge = ibwr->sg_list; for (i = 0; i < num_sge; i++, sge++) { - if (qp->is_user && copy_from_user(p, (__user void *) - (uintptr_t)sge->addr, sge->length)) - return -EFAULT; - - else if (!qp->is_user) + if (!qp->is_user) memcpy(p, (void *)(uintptr_t)sge->addr, sge->length); -- 1.7.9.5
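
Review bot: in the sge loop of init_send_wqe, the surviving `if (!qp->is_user)` guard means a QP with is_user set now skips the memcpy and continues without any error, where the removed branch at least returned -EFAULT on a failed copy. If, as the commit message says, no flow sets qp->is_user, the guard is dead code and could be dropped together with the copy_from_user line; if a user QP can ever reach this path, the function should fail explicitly rather than build a WQE whose inline data was never copied. Either way, a short comment stating that only kernel addresses are expected here would help, since the cast `(void *)(uintptr_t)sge->addr` passed to memcpy is only safe under that assumption.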