From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Steve Wise", "Jason Gunthorpe"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 194/328] iw_cxgb4: only allow 1 flush on user qps

3.16.62-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steve Wise

commit 308aa2b8f7b7db3332a7d41099fd37851fb793b2 upstream.

Once the qp has been flushed, it cannot be flushed again. The user qp
flush logic wasn't enforcing it however. The bug can cause
touch-after-free crashes like:

Unable to handle kernel paging request for data at address 0x000001ec
Faulting instruction address: 0xc008000016069100
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4]
LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
Call Trace:
[c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
[c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4]
[c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core]
[c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core]
[c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm]
[c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm]
[c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm]
[c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm]
[c000000000444da4] __fput+0xe4/0x2f0

So fix flush_qp() to only flush the wq once.

Signed-off-by: Steve Wise
Signed-off-by: Jason Gunthorpe
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
 drivers/infiniband/hw/cxgb4/qp.c | 6 ++++++
 1 file changed, 6 insertions(+)
--- a/drivers/infiniband/hw/cxgb4/qp.c +++ b/drivers/infiniband/hw/cxgb4/qp.c @@ -1133,6 +1133,12 @@ static void flush_qp(struct c4iw_qp *qhp schp = to_c4iw_cq(qhp->ibqp.send_cq); if (qhp->ibqp.uobject) { + + /* for user qps, qhp->wq.flushed is protected by qhp->mutex */ + if (qhp->wq.flushed) + return; + + qhp->wq.flushed = 1; t4_set_wq_in_error(&qhp->wq); t4_set_cq_in_error(&rchp->cq); spin_lock_irqsave(&rchp->comp_handler_lock, flag);
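Review bot: the early return in the `if (qhp->ibqp.uobject)` branch is only a valid guard against the double flush if every caller of flush_qp() really holds qhp->mutex, as the added comment `/* for user qps, qhp->wq.flushed is protected by qhp->mutex */` asserts; the hunk shows no caller and no lock, and the backport note says the 3.16 context was adjusted, so the reviewer should confirm that the 3.16 c4iw_modify_qp() path seen in the trace takes qhp->mutex before reaching flush_qp(), otherwise two racing flushes can both read `qhp->wq.flushed == 0` before either executes `qhp->wq.flushed = 1` and the touch-after-free described in the commit message remains reachable. It is also worth a one-line note in the commit message on why the kernel-qp path (the branch not shown here) does not need the same check, so a later reader does not assume the flag is unused there.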