Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3001946imu; Sun, 9 Dec 2018 14:48:44 -0800 (PST) X-Google-Smtp-Source: AFSGD/UEeV5guvcw7hdRrB8UXM9CYVAncwF4BCBTM7up0+lyVy0jtZfuvEouP/SX1Dj7aBTZsXg8 X-Received: by 2002:a17:902:9305:: with SMTP id bc5mr9829685plb.86.1544395724091; Sun, 09 Dec 2018 14:48:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544395724; cv=none; d=google.com; s=arc-20160816; b=iczrJri3sOLyipttY93e4VrQ1GttZz2JGmqFqgkZT6Cs5UpbeTFdVffZSQINzGTZFK fjV53sTXx/Zf0pDiNIs9gi73UeEBomBuJ43i280Bvl9ANs8bGvM7WpSNZKnlPz26QJPd Al4y+IXXS5uKP3ImqlxY7c0qYsTKYNRjeWAsckekCxVty8sJCSb2qG+K8mM7BYIuUZz4 aAaYxse59Ak0Ls82KyB2Pn77P/fw0h9swYvCmtpg1x4K0kB2hSgHA9ufIxmAoFvTk+a4 IkQ+0vTn2MQdKHPob56y5q2VhaErshsvQBWm0BmM/VZKjwIFv+0A6OKkzBIfia5W1hnu H2MA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=OEe137VefO5nmsiRRSdR/1sgXb7mD3ldNj29bS6ioD8=; b=vHDuNd6nBn04nxlF5IXKKJviZtP4hbqMrZa1HA50f96tCJxL5N4sBTDAEiJz9L8gSB xLdk0mI19YyMcX3+OYjq6833nmYiIjQ5PJtyX6m0XoTNstnd3hdinsxcvEltMmQENlB9 0InpYPXoQcN5mDoweayxaHqX9F+1g19Y/MqIy9SU8Oj+dX+2ZMhlkHM/AWVAgH1L7h56 t/hQcz7LGp5k3wk4NDIIhcf+UMtfalBL2zIC1GI8R+6omNXuMJYWEZ3hMCYfUsUIFOvv 7fnhQ8cVqWeQY6OzDC8iME2Jv1QwdSZv2QinzulPzjwr1EjahoBHxeVGFPj4f0az8wBR AmFA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id bh12si8506376plb.353.2018.12.09.14.48.28; Sun, 09 Dec 2018 14:48:44 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727032AbeLIV71 (ORCPT + 99 others); Sun, 9 Dec 2018 16:59:27 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:36186 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726742AbeLIVzi (ORCPT ); Sun, 9 Dec 2018 16:55:38 -0500 Received: from pub.yeoldevic.com ([81.174.156.145] helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1gW730-0002ih-Rj; Sun, 09 Dec 2018 21:55:35 +0000 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1gW72h-0003Y7-70; Sun, 09 Dec 2018 21:55:15 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Leon Romanovsky" , "Dennis Dalessandro" , "Daniel Jurgens" , "Jason Gunthorpe" , "Parav Pandit" Date: Sun, 09 Dec 2018 21:50:33 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 223/328] RDMA/cma: Protect cma dev list with lock In-Reply-To: X-SA-Exim-Connect-IP: 81.174.156.145 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.62-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Parav Pandit commit 954a8e3aea87e896e320cf648c1a5bbe47de443e upstream. When AF_IB addresses are used during rdma_resolve_addr() a lock is not held. A cma device can get removed while list traversal is in progress which may lead to crash. ie CPU0 CPU1 ==== ==== rdma_resolve_addr() cma_resolve_ib_dev() list_for_each() cma_remove_one() cur_dev->device mutex_lock(&lock) list_del(); mutex_unlock(&lock); cma_process_remove(); Therefore, hold a lock while traversing the list which avoids such situation. Fixes: f17df3b0dede ("RDMA/cma: Add support for AF_IB to rdma_resolve_addr()") Signed-off-by: Parav Pandit Reviewed-by: Daniel Jurgens Signed-off-by: Leon Romanovsky Reviewed-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Ben Hutchings --- drivers/infiniband/core/cma.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c @@ -434,6 +434,7 @@ static int cma_resolve_ib_dev(struct rdm dgid = (union ib_gid *) &addr->sib_addr; pkey = ntohs(addr->sib_pkey); + mutex_lock(&lock); list_for_each_entry(cur_dev, &dev_list, list) { if (rdma_node_get_transport(cur_dev->device->node_type) != RDMA_TRANSPORT_IB) continue; @@ -455,18 +456,19 @@ static int cma_resolve_ib_dev(struct rdm cma_dev = cur_dev; sgid = gid; id_priv->id.port_num = p; + goto found; } } } } - - if (!cma_dev) - return -ENODEV; + mutex_unlock(&lock); + return -ENODEV; found: cma_attach_to_dev(id_priv, cma_dev); - addr = (struct sockaddr_ib *) cma_src_addr(id_priv); - memcpy(&addr->sib_addr, &sgid, sizeof sgid); + mutex_unlock(&lock); + addr = (struct sockaddr_ib *)cma_src_addr(id_priv); + memcpy(&addr->sib_addr, &sgid, sizeof(sgid)); cma_translate_ib(addr, &id_priv->id.route.addr.dev_addr); return 0; }