From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Steve Wise, Jason Gunthorpe
Subject: [PATCH 4.14 62/64] iw_cxgb4: only allow 1 flush on user qps
Date: Thu, 27 Sep 2018 11:04:19 +0200
Message-Id: <20180927090258.353490884@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20180927090249.801943776@linuxfoundation.org>
References: <20180927090249.801943776@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Steve Wise

commit 308aa2b8f7b7db3332a7d41099fd37851fb793b2 upstream.

Once the qp has been flushed, it cannot be flushed again. The user qp
flush logic wasn't enforcing it however. The bug can cause
touch-after-free crashes like:

Unable to handle kernel paging request for data at address 0x000001ec
Faulting instruction address: 0xc008000016069100
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4]
LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
Call Trace:
[c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
[c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4]
[c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core]
[c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core]
[c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm]
[c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm]
[c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm]
[c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm]
[c000000000444da4] __fput+0xe4/0x2f0

So fix flush_qp() to only flush the wq once.

Cc: stable@vger.kernel.org
Signed-off-by: Steve Wise
Signed-off-by: Jason Gunthorpe
Signed-off-by: Greg Kroah-Hartman
---
 drivers/infiniband/hw/cxgb4/qp.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/infiniband/hw/cxgb4/qp.c +++ b/drivers/infiniband/hw/cxgb4/qp.c @@ -1395,6 +1395,12 @@ static void flush_qp(struct c4iw_qp *qhp schp = to_c4iw_cq(qhp->ibqp.send_cq); if (qhp->ibqp.uobject) { + + /* for user qps, qhp->wq.flushed is protected by qhp->mutex */ + if (qhp->wq.flushed) + return; + + qhp->wq.flushed = 1; t4_set_wq_in_error(&qhp->wq); t4_set_cq_in_error(&rchp->cq); spin_lock_irqsave(&rchp->comp_handler_lock, flag);
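Review bot: the check-then-set pair `if (qhp->wq.flushed) return;` followed by `qhp->wq.flushed = 1;` in the user-qp branch is only race-free if every caller of flush_qp() holds qhp->mutex, as the new comment asserts, but nothing in the hunk enforces that invariant. Suggest adding `lockdep_assert_held(&qhp->mutex);` at the top of the `if (qhp->ibqp.uobject)` branch so a caller that flushes without the mutex is reported under lock debugging instead of silently reintroducing the double-flush use-after-free the commit message describes. Minor style point: the bare `+` blank line immediately after `if (qhp->ibqp.uobject) {` is an unneeded leading blank line that checkpatch will complain about. The non-user (kernel qp) path lies outside this hunk, so the patch alone does not show whether it carries an equivalent one-flush guard; worth confirming in review.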