Date: Wed, 4 Mar 2020 14:35:51 -0400
From: Jason Gunthorpe
To: Bernard Metzler
Cc: dledford@redhat.com, kamalheib1@gmail.com, krishna2@chelsio.com, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH for-rc] RDMA/iwcm: Fix iwcm work deallocation
Message-ID: <20200304183551.GA7859@ziepe.ca>
In-Reply-To: <20200302181614.17042-1-bmt@zurich.ibm.com>

On Mon, Mar 02, 2020 at 07:16:14PM +0100, Bernard Metzler wrote:
> The dealloc_work_entries() function must update the
> work_free_list pointer while freeing its entries, since
> potentially called again on same list. A second iteration
> of the work list caused system crash. This happens, if
> work allocation fails during cma_iw_listen() and
> free_cm_id() tries to free the list again during cleanup.
>
> Reported-by: syzbot+cb0c054eabfba4342146@syzkaller.appspotmail.com
> Signed-off-by: Bernard Metzler
> ---
> drivers/infiniband/core/iwcm.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)

Applied to for-rc, please include Fixes lines in patches like this, I added one

diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c > index ade71823370f..da8adadf4755 100644 > --- a/drivers/infiniband/core/iwcm.c > +++ b/drivers/infiniband/core/iwcm.c > @@ -159,8 +159,10 @@ static void dealloc_work_entries(struct iwcm_id_private *cm_id_priv) > { > struct list_head *e, *tmp; > > - list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) > + list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) { > + list_del(e); > kfree(list_entry(e, struct iwcm_work, free_list));

It would be nice if someone were to fix the use of the list macros in this file to use the _entry_ versions

Jason
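
Review bot: the `list_del(e)` added ahead of `kfree()` inside the `list_for_each_safe()` loop has no comment saying why the unlink is needed, namely that dealloc_work_entries() can run a second time on the same `work_free_list` (the cma_iw_listen() failure followed by free_cm_id() described in the commit message). A one-line comment above the loop stating that the function must leave the list empty because it may be called again would keep a later cleanup from dropping the `list_del()` as redundant. The visible lines also still pair `list_for_each_safe()` with a hand-written `list_entry()`; converting the loop to `list_for_each_entry_safe()` would remove that step.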
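
The failure mode in the commit message, shown as an added userspace example that is not code from the patch or the kernel tree: freeing entries without unlinking them leaves the list head pointing at freed memory, so a second cleanup pass is only safe once each entry is unlinked first. The list helpers, `WORK_OF`, `struct result` and `cleanup_twice` are stand-ins written for this illustration, and the three entries are constructed sample data.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel list helpers; names below are assumptions. */
struct list_head { struct list_head *next, *prev; };
struct work { int id; struct list_head free_list; };
struct result { int first, stale, second; };
#define WORK_OF(p) ((struct work *)((char *)(p) - offsetof(struct work, free_list)))

static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_del(struct list_head *e) { e->prev->next = e->next; e->next->prev = e->prev; }
static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }

/* Free every entry; do_unlink=1 mirrors the patched loop, 0 the pre-patch loop. */
static int dealloc_entries(struct list_head *head, int do_unlink)
{
    struct list_head *e, *tmp;
    int freed = 0;

    for (e = head->next, tmp = e->next; e != head; e = tmp, tmp = e->next) {
        if (do_unlink) list_del(e);
        free(WORK_OF(e));
        freed++;
    }
    return freed;
}

/* Build three entries, clean up, and retry cleanup only if the head is really empty. */
static struct result cleanup_twice(int do_unlink)
{
    struct list_head head = { &head, &head };
    struct result r = { 0, 0, -1 };

    for (int i = 0; i < 3; i++) {
        struct work *w = calloc(1, sizeof(*w));
        if (!w) abort();
        list_add(&w->free_list, &head);
    }
    r.first = dealloc_entries(&head, do_unlink);
    r.stale = !list_empty(&head);   /* pointer comparison only, nothing freed is read */
    if (!r.stale)                   /* walking a stale head again would read freed memory */
        r.second = dealloc_entries(&head, do_unlink);
    return r;
}

int main(void)
{
    return !(cleanup_twice(0).stale && cleanup_twice(1).second == 0);
}
```
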