Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp496833pxu; Sun, 25 Oct 2020 07:35:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzW03BR2xVpHqMNODfUs9mlTTAX4kPMcGRJzjzKr/tQVFC0QMoB1V7wgvHVKoIFZKswQcC9 X-Received: by 2002:a05:6402:1506:: with SMTP id f6mr11943767edw.324.1603636502521; Sun, 25 Oct 2020 07:35:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603636502; cv=none; d=google.com; s=arc-20160816; b=PMWKefKSjEUYUgZ2UlpBZcqunjyInPsV9Cfv9it/i2HWjTLH/ZvBYyRq3TUuKmJOKg AEntyYxgcuobTmOSyRURf52h1iZfp2obYfVPKkwX3hvysKdEM0Cez6iDBsNZLd/TrCYb rzxYsuoFOUr1Czd02hfYMDO21H/HF1qC31IMRNcuL50D8iURuU+VVlyy6oVUNaA4oIoq iGzzQCgBbUsWKvwNSoXx0Crb5UwMnkZ+rDeEkBSvtftAyDzT08BGw5QtkVtHxl1Kj0bZ p/10gtnOe1wWFCVYXr5RlTkqvMuIOVtNmxRynJg7Ph69qWNh+TemdZ6XNBv6t4twfpBb 9xyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:cc:to:from :dkim-signature; bh=1KiygqGWwb0F23sQdKfIGxFeP8lZb1Vly0G9w/101ss=; b=TvzG2B8D0/RzD5TspeD890ikNqkgSf66VrnF8Ylo9n1M8mlHzW/lI+w0xXicsuOIJa ybJmOXSpgrityUJ0stTDWAeXJBr0oRzNCS9xuKxStLwZqr9HNj9t3ASujUKAXixH8vU5 l0qBt4wJxFnBoJZ86nx+VYI6n5v/55MSKE69aPIiImZX3zdOPiXOTgr3SuXoPrMCKbWm Baq644n80NmxCoDdFQERDOqJJbK565GAxnpufMUNH/fopIkUiHUEvwGccpVLnYXPSH+c i7XlKxdezTDAkI4ClSaVRDGLnszUdT8JRfMq3k1AUxhioZ2ECStug3aVCzkyEduHtSKz EAMg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@bytedance-com.20150623.gappssmtp.com header.s=20150623 header.b="y/DXhF2F"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bytedance.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w10si5221296eja.274.2020.10.25.07.34.40; Sun, 25 Oct 2020 07:35:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@bytedance-com.20150623.gappssmtp.com header.s=20150623 header.b="y/DXhF2F"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bytedance.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1415517AbgJYLwM (ORCPT + 99 others); Sun, 25 Oct 2020 07:52:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52352 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1415513AbgJYLwL (ORCPT ); Sun, 25 Oct 2020 07:52:11 -0400 Received: from mail-pl1-x642.google.com (mail-pl1-x642.google.com [IPv6:2607:f8b0:4864:20::642]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6BEF1C0613CE for ; Sun, 25 Oct 2020 04:51:55 -0700 (PDT) Received: by mail-pl1-x642.google.com with SMTP id b19so3337612pld.0 for ; Sun, 25 Oct 2020 04:51:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id; bh=1KiygqGWwb0F23sQdKfIGxFeP8lZb1Vly0G9w/101ss=; b=y/DXhF2Fqdumgt3Pn9ix0eB8zltPQXKFobDlC+s+Gy3EYJnN6bNZ6GiSh1q49Ryyts 3kbXB3zqV2t1RB+apb5MB21aaO0Y3bJ5wzz0KtxT3HEh+wOiaBnsES6jQ35l3jpnPdZU EAtF1m+9Kx9VhqcjY4O9cE3Fi1fC/JyYE44EzlkNKBiHar5gRRglKGHICWmboBXDaREa n83pjMWieUbnY9M3aH0deeluCrnfdMC/gwfQxyXZtN0U5uKigD7/phsu+I3iM6eywBil jm4y43ZGTY8TzshFJNrlzINHO6ITTn21atoxGf66wjlMGwkHgazdw1zUTW41ulLfDOkl mzjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=1KiygqGWwb0F23sQdKfIGxFeP8lZb1Vly0G9w/101ss=; b=cgUq2EChMafvgCEt6qcY9ta2ljM1YPcMd2J+9aGeD5Jrn2PvjrWK11dIrjVxUiPfuU faZYpRoMKdy7X0XsgWLOAFJ9c3EnhXKo7JA07oXnU5+xfqa5dajgToVYkfO3DSa79h/5 HVRHRL92A+x2b37/f5CIzVpyk5Bdx4fa65SaaRk/94PLXvBQLKq+KKde9SxusHRtcdeP P3D56pvfWMqg7+YkIzz4Y3d+nbKRprTktFPG/fHMXJXshrEWjAHn0Ml4S9OqXgLs+JQf DvOkm4ABgyf6vGsFroPK+O+ytwlQM2nOAo0DLyoSZ4I/y10BMUz0QJkrSTBGmThnznso XkjA== X-Gm-Message-State: AOAM532LF+7wvnehmTzIw5kVJnv/qn3+ye7Af1JxJaG/rq8Pqq7sSJqI pVw6/fitxWyqxPYtF5JhSjnBWUgheSULJA== X-Received: by 2002:a17:90a:17a8:: with SMTP id q37mr11244997pja.44.1603626714849; Sun, 25 Oct 2020 04:51:54 -0700 (PDT) Received: from libai.bytedance.net ([61.120.150.71]) by smtp.gmail.com with ESMTPSA id q23sm8825394pfg.192.2020.10.25.04.51.51 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 25 Oct 2020 04:51:54 -0700 (PDT) From: zhenwei pi To: kbusch@kernel.org, axboe@fb.com, hch@lst.de, sagi@grimberg.me Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, lengchao@huawei.com, pizhenwei@bytedance.com Subject: [PATCH v3] nvme-rdma: handle nvme completion data length Date: Sun, 25 Oct 2020 19:51:24 +0800 Message-Id: <20201025115124.1430678-1-pizhenwei@bytedance.com> X-Mailer: git-send-email 2.11.0 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hit a kernel warning: refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 0 at lib/refcount.c:28 RIP: 0010:refcount_warn_saturate+0xd9/0xe0 Call Trace: nvme_rdma_recv_done+0xf3/0x280 [nvme_rdma] __ib_process_cq+0x76/0x150 [ib_core] ... The reason is that a zero bytes message received from target, and the host side continues to process without length checking, then the previous CQE is processed twice. Do sanity check on received data length, try to recovery for corrupted CQE case. Because zero bytes message in not defined in spec, using zero bytes message to detect dead connections on transport layer is not standard, currently still treat it as illegal. Thanks to Chao Leng & Sagi for suggestions. Signed-off-by: zhenwei pi --- drivers/nvme/host/rdma.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c index aad829a2b50d..40a0a3b6476c 100644 --- a/drivers/nvme/host/rdma.c +++ b/drivers/nvme/host/rdma.c @@ -1768,6 +1768,14 @@ static void nvme_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc) return; } + /* sanity checking for received data length */ + if (unlikely(wc->byte_len < len)) { + dev_err(queue->ctrl->ctrl.device, + "Unexpected nvme completion length(%d)\n", wc->byte_len); + nvme_rdma_error_recovery(queue->ctrl); + return; + } + ib_dma_sync_single_for_cpu(ibdev, qe->dma, len, DMA_FROM_DEVICE); /* * AEN requests are special as they don't time out and can -- 2.11.0