From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Saeed Mahameed
Subject: [PATCH 4.19 18/96] net/mlx5: FPGA, tls, idr remove on flow delete
Date: Wed, 24 Apr 2019 19:09:23 +0200
Message-Id: <20190424170921.023712698@linuxfoundation.org>
In-Reply-To: <20190424170919.829037226@linuxfoundation.org>
References: <20190424170919.829037226@linuxfoundation.org>

From: Saeed Mahameed

[ Upstream commit df3a8344d404a810b4aadbf19b08c8232fbaa715 ]

Flow is kfreed on mlx5_fpga_tls_del_flow but kept in the idr data
structure, this is risky and can cause use-after-free, since the
idr_remove is delayed until tls_send_teardown_cmd completion.

Instead of delaying idr_remove, in this patch we do it on
mlx5_fpga_tls_del_flow, before actually kfree(flow).

Added synchronize_rcu before kfree(flow)

Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
Signed-off-by: Saeed Mahameed
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 43 +++++++--------------
 1 file changed, 15 insertions(+), 28 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
@@ -148,14 +148,16 @@ static int mlx5_fpga_tls_alloc_swid(stru return ret; } -static void mlx5_fpga_tls_release_swid(struct idr *idr, - spinlock_t *idr_spinlock, u32 swid) +static void *mlx5_fpga_tls_release_swid(struct idr *idr, + spinlock_t *idr_spinlock, u32 swid) { unsigned long flags; + void *ptr; spin_lock_irqsave(idr_spinlock, flags); - idr_remove(idr, swid); + ptr = idr_remove(idr, swid); spin_unlock_irqrestore(idr_spinlock, flags); + return ptr; } static void mlx_tls_kfree_complete(struct mlx5_fpga_conn *conn, @@ -165,20 +167,12 @@ static void mlx_tls_kfree_complete(struc kfree(buf); } -struct mlx5_teardown_stream_context { - struct mlx5_fpga_tls_command_context cmd; - u32 swid; -}; - static void mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_conn *conn, struct mlx5_fpga_device *fdev, struct mlx5_fpga_tls_command_context *cmd, struct mlx5_fpga_dma_buf *resp) { - struct mlx5_teardown_stream_context *ctx = - container_of(cmd, struct mlx5_teardown_stream_context, cmd); - if (resp) { u32 syndrome = MLX5_GET(tls_resp, resp->sg[0].data, syndrome); @@ -186,14 +180,6 @@ mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_err(fdev, "Teardown stream failed with syndrome = %d", syndrome); - else if (MLX5_GET(tls_cmd, cmd->buf.sg[0].data, direction_sx)) - mlx5_fpga_tls_release_swid(&fdev->tls->tx_idr, - &fdev->tls->tx_idr_spinlock, - ctx->swid); - else - mlx5_fpga_tls_release_swid(&fdev->tls->rx_idr, - &fdev->tls->rx_idr_spinlock, - ctx->swid); } mlx5_fpga_tls_put_command_ctx(cmd); } @@ -253,7 +239,7 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_ static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev, void *flow, u32 swid, gfp_t flags) { - struct mlx5_teardown_stream_context *ctx; + struct mlx5_fpga_tls_command_context *ctx; struct mlx5_fpga_dma_buf *buf; void *cmd; 
@@ -261,7 +247,7 @@ static void mlx5_fpga_tls_send_teardown_ if (!ctx) return; - buf = &ctx->cmd.buf; + buf = &ctx->buf; cmd = (ctx + 1); MLX5_SET(tls_cmd, cmd, command_type, CMD_TEARDOWN_STREAM); MLX5_SET(tls_cmd, cmd, swid, swid); @@ -272,8 +258,7 @@ static void mlx5_fpga_tls_send_teardown_ buf->sg[0].data = cmd; buf->sg[0].size = MLX5_TLS_COMMAND_SIZE; - ctx->swid = swid; - mlx5_fpga_tls_cmd_send(mdev->fpga, &ctx->cmd, + mlx5_fpga_tls_cmd_send(mdev->fpga, ctx, mlx5_fpga_tls_teardown_completion); } @@ -283,13 +268,14 @@ void mlx5_fpga_tls_del_flow(struct mlx5_ struct mlx5_fpga_tls *tls = mdev->fpga->tls; void *flow; - rcu_read_lock(); if (direction_sx) - flow = idr_find(&tls->tx_idr, swid); + flow = mlx5_fpga_tls_release_swid(&tls->tx_idr, + &tls->tx_idr_spinlock, + swid); else - flow = idr_find(&tls->rx_idr, swid); - - rcu_read_unlock(); + flow = mlx5_fpga_tls_release_swid(&tls->rx_idr, + &tls->rx_idr_spinlock, + swid); if (!flow) { mlx5_fpga_err(mdev->fpga, "No flow information for swid %u\n", @@ -297,6 +283,7 @@ void mlx5_fpga_tls_del_flow(struct mlx5_ return; } + synchronize_rcu(); /* before kfree(flow) */ mlx5_fpga_tls_send_teardown_cmd(mdev, flow, swid, flags); }
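
Review bot: in the @@ -186 hunk of mlx5_fpga_tls_teardown_completion, the nonzero-syndrome branch now only logs, while the swid has already been taken out of the idr by mlx5_fpga_tls_del_flow before the command was sent. The removed lines released the swid only when the syndrome was zero, so a failed teardown used to leave the id reserved; after this change the id can be allocated again while the device may still hold the old stream. Please state in the commit message why reusing a swid before, or without, a successful teardown is safe, or keep the id reserved until completion (for example by using idr_replace() to clear the flow pointer early and calling idr_remove() from the completion as before).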
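
Review bot: the early `if (!ctx) return;` in mlx5_fpga_tls_send_teardown_cmd (@@ -261 hunk) is now reached after the flow has been removed from the idr, so on allocation failure nothing can look the flow up again. The kfree(flow) itself is not visible in these hunks; if it sits after this check, the flow leaks on that path and no teardown is ever sent for the swid. Suggest freeing flow before the early return and logging the failure.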
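
Review bot: `synchronize_rcu(); /* before kfree(flow) */` in mlx5_fpga_tls_del_flow (@@ -297 hunk) can sleep, yet this function forwards a caller-supplied gfp_t `flags` to mlx5_fpga_tls_send_teardown_cmd, which suggests some callers may run in atomic context. Please confirm that every caller is allowed to block, or defer the free with call_rcu() or kfree_rcu() instead. The comment would also help more if it named the RCU readers being waited for, since the kfree it refers to is not in this function's visible lines.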