From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Saeed Mahameed
Subject: [PATCH 5.0 035/115] net/mlx5: FPGA, tls, idr remove on flow delete
Date: Wed, 24 Apr 2019 19:09:31 +0200
Message-Id: <20190424170927.108915460@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190424170924.797924502@linuxfoundation.org>
References: <20190424170924.797924502@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Saeed Mahameed

[ Upstream commit df3a8344d404a810b4aadbf19b08c8232fbaa715 ]

Flow is kfreed on mlx5_fpga_tls_del_flow but kept in the idr data
structure, this is risky and can cause use-after-free, since the
idr_remove is delayed until tls_send_teardown_cmd completion.

Instead of delaying idr_remove, in this patch we do it on
mlx5_fpga_tls_del_flow, before actually kfree(flow).

Added synchronize_rcu before kfree(flow)

Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
Signed-off-by: Saeed Mahameed
Signed-off-by: Greg Kroah-Hartman
--- drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 43 +++++++-------------- 1 file changed, 15 insertions(+), 28 deletions(-) --- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c 
@@ -148,14 +148,16 @@ static int mlx5_fpga_tls_alloc_swid(stru return ret; } -static void mlx5_fpga_tls_release_swid(struct idr *idr, - spinlock_t *idr_spinlock, u32 swid) +static void *mlx5_fpga_tls_release_swid(struct idr *idr, + spinlock_t *idr_spinlock, u32 swid) { unsigned long flags; + void *ptr; spin_lock_irqsave(idr_spinlock, flags); - idr_remove(idr, swid); + ptr = idr_remove(idr, swid); spin_unlock_irqrestore(idr_spinlock, flags); + return ptr; } static void mlx_tls_kfree_complete(struct mlx5_fpga_conn *conn, @@ -165,20 +167,12 @@ static void mlx_tls_kfree_complete(struc kfree(buf); } -struct mlx5_teardown_stream_context { - struct mlx5_fpga_tls_command_context cmd; - u32 swid; -}; - static void mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_conn *conn, struct mlx5_fpga_device *fdev, struct mlx5_fpga_tls_command_context *cmd, struct mlx5_fpga_dma_buf *resp) { - struct mlx5_teardown_stream_context *ctx = - container_of(cmd, struct mlx5_teardown_stream_context, cmd); - if (resp) { u32 syndrome = MLX5_GET(tls_resp, resp->sg[0].data, syndrome); @@ -186,14 +180,6 @@ mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_err(fdev, "Teardown stream failed with syndrome = %d", syndrome); - else if (MLX5_GET(tls_cmd, cmd->buf.sg[0].data, direction_sx)) - mlx5_fpga_tls_release_swid(&fdev->tls->tx_idr, - &fdev->tls->tx_idr_spinlock, - ctx->swid); - else - mlx5_fpga_tls_release_swid(&fdev->tls->rx_idr, - &fdev->tls->rx_idr_spinlock, - ctx->swid); } mlx5_fpga_tls_put_command_ctx(cmd); } @@ -253,7 +239,7 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_ static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev, void *flow, u32 swid, gfp_t flags) { - struct mlx5_teardown_stream_context *ctx; + struct mlx5_fpga_tls_command_context *ctx; struct mlx5_fpga_dma_buf *buf; void *cmd; 
@@ -261,7 +247,7 @@ static void mlx5_fpga_tls_send_teardown_ if (!ctx) return; - buf = &ctx->cmd.buf; + buf = &ctx->buf; cmd = (ctx + 1); MLX5_SET(tls_cmd, cmd, command_type, CMD_TEARDOWN_STREAM); MLX5_SET(tls_cmd, cmd, swid, swid); @@ -272,8 +258,7 @@ static void mlx5_fpga_tls_send_teardown_ buf->sg[0].data = cmd; buf->sg[0].size = MLX5_TLS_COMMAND_SIZE; - ctx->swid = swid; - mlx5_fpga_tls_cmd_send(mdev->fpga, &ctx->cmd, + mlx5_fpga_tls_cmd_send(mdev->fpga, ctx, mlx5_fpga_tls_teardown_completion); } @@ -283,13 +268,14 @@ void mlx5_fpga_tls_del_flow(struct mlx5_ struct mlx5_fpga_tls *tls = mdev->fpga->tls; void *flow; - rcu_read_lock(); if (direction_sx) - flow = idr_find(&tls->tx_idr, swid); + flow = mlx5_fpga_tls_release_swid(&tls->tx_idr, + &tls->tx_idr_spinlock, + swid); else - flow = idr_find(&tls->rx_idr, swid); - - rcu_read_unlock(); + flow = mlx5_fpga_tls_release_swid(&tls->rx_idr, + &tls->rx_idr_spinlock, + swid); if (!flow) { mlx5_fpga_err(mdev->fpga, "No flow information for swid %u\n", @@ -297,6 +283,7 @@ void mlx5_fpga_tls_del_flow(struct mlx5_ return; } + synchronize_rcu(); /* before kfree(flow) */ mlx5_fpga_tls_send_teardown_cmd(mdev, flow, swid, flags); }
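Review bot: the new return value of mlx5_fpga_tls_release_swid() (hunk at -148,14) is undocumented, and the name still reads as a pure release. idr_remove() returns the removed entry, or NULL when the id is not present, and the caller now takes ownership of that pointer; a one-line comment above the function saying so would make the contract clear, since mlx5_fpga_tls_del_flow() relies on the NULL case for its "No flow information for swid" error path.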
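Review bot: swid reuse needs a second look in mlx5_fpga_tls_teardown_completion() (hunk at -186,14). The removed branches released the swid only when a response arrived with a zero syndrome; the id is now removed from the idr in mlx5_fpga_tls_del_flow() before the teardown command is sent, so mlx5_fpga_tls_alloc_swid() can hand the same swid out again while the teardown is still pending or after it has failed. Please confirm the device tolerates a new stream on a swid in that state, or say in the commit message why it cannot occur. The failure branch now only logs the syndrome, so including the swid in that message would help trace such a case.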
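Review bot: synchronize_rcu() in mlx5_fpga_tls_del_flow() (hunk at -297,6) can sleep, yet this function forwards a caller-supplied gfp_t flags to mlx5_fpga_tls_send_teardown_cmd(), which suggests some callers may run in atomic context. Please confirm every caller is in process context, or defer the free with call_rcu() instead. The trailing comment "before kfree(flow)" refers to a kfree that is not in this function, so it should name where the free happens. Also, on the "if (!ctx) return;" path in mlx5_fpga_tls_send_teardown_cmd() the flow has already been removed from the idr and no teardown is sent; nothing in the visible lines frees flow there, so check that this path does not leak it.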