From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Chuck Lever, Trond Myklebust, Sasha Levin
Subject: [PATCH 5.12 160/363] SUNRPC: Move fault injection call sites
Date: Mon, 17 May 2021 16:00:26 +0200
Message-Id: <20210517140308.016194612@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210517140302.508966430@linuxfoundation.org>
References: <20210517140302.508966430@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Chuck Lever

[ Upstream commit 7638e0bfaed1b653d3ca663e560e9ffb44bb1030 ]

I've hit some crashes that occur in the xprt_rdma_inject_disconnect
path. It appears that, for some providers, rdma_disconnect() can
take so long that the transport can disconnect and release its
hardware resources while rdma_disconnect() is still running,
resulting in a UAF in the provider.

The transport's fault injection method may depend on the stability
of transport data structures. That means it needs to be invoked
only from contexts that hold the transport write lock.

Fixes: 4a0682583988 ("SUNRPC: Transport fault injection")
Signed-off-by: Chuck Lever
Signed-off-by: Trond Myklebust
Signed-off-by: Sasha Levin
---
 net/sunrpc/clnt.c               | 1 -
 net/sunrpc/xprt.c               | 6 ++++--
 net/sunrpc/xprtrdma/transport.c | 6 ++++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c index 612f0a641f4c..c2a01125be1a 100644 --- a/net/sunrpc/clnt.c +++ b/net/sunrpc/clnt.c @@ -1799,7 +1799,6 @@ call_allocate(struct rpc_task *task) status = xprt->ops->buf_alloc(task); trace_rpc_buf_alloc(task, status); - xprt_inject_disconnect(xprt); if (status == 0) return; if (status != -ENOMEM) { diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c index 691ccf8049a4..d616b93751d8 100644 --- a/net/sunrpc/xprt.c +++ b/net/sunrpc/xprt.c
@@ -1483,7 +1483,10 @@ bool xprt_prepare_transmit(struct rpc_task *task) void xprt_end_transmit(struct rpc_task *task) { - xprt_release_write(task->tk_rqstp->rq_xprt, task); + struct rpc_xprt *xprt = task->tk_rqstp->rq_xprt; + + xprt_inject_disconnect(xprt); + xprt_release_write(xprt, task); } /** @@ -1885,7 +1888,6 @@ void xprt_release(struct rpc_task *task) spin_unlock(&xprt->transport_lock); if (req->rq_buffer) xprt->ops->buf_free(task); - xprt_inject_disconnect(xprt); xdr_free_bvec(&req->rq_rcv_buf); xdr_free_bvec(&req->rq_snd_buf); if (req->rq_cred != NULL) diff --git a/net/sunrpc/xprtrdma/transport.c b/net/sunrpc/xprtrdma/transport.c index 78d29d1bcc20..09953597d055 100644 --- a/net/sunrpc/xprtrdma/transport.c +++ b/net/sunrpc/xprtrdma/transport.c @@ -262,8 +262,10 @@ xprt_rdma_connect_worker(struct work_struct *work) * xprt_rdma_inject_disconnect - inject a connection fault * @xprt: transport context * - * If @xprt is connected, disconnect it to simulate spurious connection - * loss. + * If @xprt is connected, disconnect it to simulate spurious + * connection loss. Caller must hold @xprt's send lock to + * ensure that data structures and hardware resources are + * stable during the rdma_disconnect() call. */ static void xprt_rdma_inject_disconnect(struct rpc_xprt *xprt) -- 2.30.2
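Review bot: The net/sunrpc/clnt.c hunk drops the xprt_inject_disconnect() call that followed buf_alloc in call_allocate(), and the commit message does not mention that this narrows where faults are injected. With this removal and the matching one in xprt_release(), a task that fails allocation or is released without reaching xprt_end_transmit() no longer triggers an injected disconnect. Please say in the changelog that the reduced coverage is intended, so that anyone relying on fault injection to exercise the allocation and release paths knows those paths are no longer hit.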
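Review bot: In the xprt_end_transmit() hunk of net/sunrpc/xprt.c, the fix depends entirely on xprt_inject_disconnect(xprt) running before xprt_release_write(xprt, task), yet nothing at the call site records that ordering constraint. A later cleanup that swaps the two lines would silently bring back the use-after-free described in the commit message. Please add a short comment above the call, for example "/* Inject faults only while the write lock is still held */", and confirm in the changelog that every caller of xprt_end_transmit() holds the write lock at this point, since the hunk itself does not show that.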
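Review bot: The new kernel-doc text for xprt_rdma_inject_disconnect() in net/sunrpc/xprtrdma/transport.c says the caller must hold the "send lock", while the commit message calls it the "transport write lock" and the code releases it through xprt_release_write(). Please use one term throughout so readers do not go looking for two different locks. The requirement is also documented only on the RDMA method, although the commit message states it for any transport's fault injection method; documenting it on the generic xprt_inject_disconnect() helper as well would cover other transports. The rule is enforced by comment only, so a future call site that ignores it will not be caught at build time or at run time.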