From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Steve Wise, Jason Gunthorpe
Subject: [PATCH 4.18 88/88] iw_cxgb4: only allow 1 flush on user qps
Date: Thu, 27 Sep 2018 11:04:09 +0200
Message-Id: <20180927090311.287793777@linuxfoundation.org>
In-Reply-To: <20180927090300.631426620@linuxfoundation.org>
References: <20180927090300.631426620@linuxfoundation.org>

4.18-stable review patch. If anyone has any objections, please let me know.

------------------
From: Steve Wise commit 308aa2b8f7b7db3332a7d41099fd37851fb793b2 upstream. Once the qp has been flushed, it cannot be flushed again. The user qp flush logic wasn't enforcing it however. The bug can cause touch-after-free crashes like: Unable to handle kernel paging request for data at address 0x000001ec Faulting instruction address: 0xc008000016069100 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4] LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4] Call Trace: [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4] [c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4] [c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core] [c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core] [c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm] [c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm] [c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm] [c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm] [c000000000444da4] __fput+0xe4/0x2f0 So fix flush_qp() to only flush the wq once. Cc: stable@vger.kernel.org Signed-off-by: Steve Wise Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/hw/cxgb4/qp.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/infiniband/hw/cxgb4/qp.c +++ b/drivers/infiniband/hw/cxgb4/qp.c @@ -1388,6 +1388,12 @@ static void flush_qp(struct c4iw_qp *qhp schp = to_c4iw_cq(qhp->ibqp.send_cq); if (qhp->ibqp.uobject) { + + /* for user qps, qhp->wq.flushed is protected by qhp->mutex */ + if (qhp->wq.flushed) + return; + + qhp->wq.flushed = 1; t4_set_wq_in_error(&qhp->wq); t4_set_cq_in_error(&rchp->cq); spin_lock_irqsave(&rchp->comp_handler_lock, flag);
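Review bot: The new early return in the `if (qhp->ibqp.uobject)` branch relies on the comment's claim that `qhp->wq.flushed` is protected by `qhp->mutex`, but nothing in the hunk checks that precondition, so the test-then-set (`if (qhp->wq.flushed) return;` followed by `qhp->wq.flushed = 1;`) is only race-free if every caller of flush_qp() really does hold the mutex. A `lockdep_assert_held(&qhp->mutex);` placed before the check would document and enforce that assumption instead of leaving it to a comment. Minor style point: the added blank `+` line immediately after the opening brace of the `if` block is unnecessary and checkpatch will warn about it. Note that the guard covers only user qps, which matches the subject line and the commit message's statement that the user qp flush path was the one missing the check.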