Received: by 2002:a05:6a10:6d25:0:0:0:0 with SMTP id gq37csp1663306pxb; Mon, 13 Sep 2021 02:43:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwApXaqjMCVCClStQASrFWsiEVPaIBRcQ5gMQMddBjjUMcFPRYbLC6FO4LpB2qdo68oLIzy X-Received: by 2002:a50:998c:: with SMTP id m12mr12582638edb.327.1631526221265; Mon, 13 Sep 2021 02:43:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631526221; cv=none; d=google.com; s=arc-20160816; b=fgYtXkblb+UPPOChLm5uPe2B1HOG8aLIUu54xCpr6jeXBL9+lvIMGKLpGWMNVE9jL1 uH9p2o0FJY3O+rYgK68W9BlNelyCzZmZ83pifc/Bhquro77tNthwQgJEQz0Q0R0r7J3J wMdh0pSx4FXUjp9WpltQ1T/Vl4pCU40XOAWkwiLEWvQqKXQuRo5Zti8hTDnAN4e9qShB 3CICj6pjU7pSGc17KoYic3t8Zt1DfeAe9HdaDbntGO/ljFgR6StnM4lB8M5DRAw4OLkj Siz+qJg7o4qsukW9i1rncgvovMF2tvjLPWF2RxlWZlJsthGRhb0MhG321jvXdvBlndlB OGtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=SOUoZaAzXDa3sSSZDk7/XUZzXDHM+CDJCtAzKM9CrHc=; b=ZUt7UCGCyp3Q/JJ/oWqJ8OeIBq67ftr/djEbxsy9ROalTOl8B9uRUzPeG0HpK/x2EJ c5EmgqFmk8qUalzdjyzcwADWyWnQKBrdrNLPu9WxEj3Sq4wlaye958jJGL7648G8/wlp jTS9dXZ1whEMZn4ECXrGenw3ZqwPUlOg5TjLMyuA47XeRwGjsaTSh0vx+lpRkFRRKfXF 2nOHFGXdAVEb2/9KT4X/qS9eH3GeQMGWLpNpSdUV0+NHmwvFF4QMSTKQqoysLy+f2MNz WkBtJRikezeUGmziDSg5Spz/zOBU5xWcgExcMsKKUvdQ7hwCLMyhq6Nx1vf2Cc7rkh3i inSg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ucloud.cn Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bh6si7580259ejb.691.2021.09.13.02.43.17; Mon, 13 Sep 2021 02:43:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ucloud.cn Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238771AbhIMJmn (ORCPT + 99 others); Mon, 13 Sep 2021 05:42:43 -0400 Received: from mail-m2837.qiye.163.com ([103.74.28.37]:15612 "EHLO mail-m2837.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238597AbhIMJmm (ORCPT ); Mon, 13 Sep 2021 05:42:42 -0400 X-Greylist: delayed 447 seconds by postgrey-1.27 at vger.kernel.org; Mon, 13 Sep 2021 05:42:41 EDT Received: from localhost.localdomain (unknown [106.75.220.3]) by mail-m2837.qiye.163.com (Hmail) with ESMTPA id CA1216005A0; Mon, 13 Sep 2021 17:33:54 +0800 (CST) From: Tao Liu To: dledford@redhat.com, jgg@ziepe.ca, leon@kernel.org, haakon.bugge@oracle.com, shayd@nvidia.com, avihaih@nvidia.com Cc: linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, thomas.liu@ucloud.com Subject: [PATCH] RDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure Date: Mon, 13 Sep 2021 17:33:44 +0800 Message-Id: <20210913093344.17230-1-thomas.liu@ucloud.cn> X-Mailer: git-send-email 2.23.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgPGg8OCBgUHx5ZQUlOS1dZCBgUCR5ZQVlLVUtZV1 kWDxoPAgseWUFZKDYvK1lXWShZQUlCN1dZLVlBSVdZDwkaFQgSH1lBWRlMTk5WShpOGU9PTEgdGh 9DVRkRExYaEhckFA4PWVdZFhoPEhUdFFlBWU9LSFVKSktISkNVS1kG X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6MhA6HCo6KDNNAQgPTDVDPiE6 UTAKCQJVSlVKTUhKTklOTUhOT0tPVTMWGhIXVQ8TFBYaCFUXEg47DhgXFA4fVRgVRVlXWRILWUFZ SktNVUxOVUlJS1VIWVdZCAFZQUhOTEs3Bg++ X-HM-Tid: 0a7bde818421841fkuqwca1216005a0 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org rdma_cma_listen_on_all() just destroy listener which lead to an error, but not including those already added in listen_list. Then cm state fallbacks to RDMA_CM_ADDR_BOUND. When user destroys id, the listeners will not be destroyed, and process stucks. task:rping state:D stack: 0 pid:19605 ppid: 47036 flags:0x00000084 Call Trace: __schedule+0x29a/0x780 ? free_unref_page_commit+0x9b/0x110 schedule+0x3c/0xa0 schedule_timeout+0x215/0x2b0 ? __flush_work+0x19e/0x1e0 wait_for_completion+0x8d/0xf0 _destroy_id+0x144/0x210 [rdma_cm] ucma_close_id+0x2b/0x40 [rdma_ucm] __destroy_id+0x93/0x2c0 [rdma_ucm] ? __xa_erase+0x4a/0xa0 ucma_destroy_id+0x9a/0x120 [rdma_ucm] ucma_write+0xb8/0x130 [rdma_ucm] vfs_write+0xb4/0x250 ksys_write+0xb5/0xd0 ? syscall_trace_enter.isra.19+0x123/0x190 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: c80a0c52d85c ("RDMA/cma: Add missing error handling of listen_id") Signed-off-by: Tao Liu --- drivers/infiniband/core/cma.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c index c40791b..d8cea33 100644 --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c @@ -1746,16 +1746,11 @@ static void cma_cancel_route(struct rdma_id_private *id_priv) } } -static void cma_cancel_listens(struct rdma_id_private *id_priv) +static void _cma_cancel_listens(struct rdma_id_private *id_priv) { struct rdma_id_private *dev_id_priv; - /* - * Remove from listen_any_list to prevent added devices from spawning - * additional listen requests. - */ - mutex_lock(&lock); - list_del(&id_priv->list); + lockdep_assert_held(&lock); while (!list_empty(&id_priv->listen_list)) { dev_id_priv = list_entry(id_priv->listen_list.next, @@ -1768,6 +1763,18 @@ static void cma_cancel_listens(struct rdma_id_private *id_priv) rdma_destroy_id(&dev_id_priv->id); mutex_lock(&lock); } +} + +static void cma_cancel_listens(struct rdma_id_private *id_priv) +{ + /* + * Remove from listen_any_list to prevent added devices from spawning + * additional listen requests. + */ + mutex_lock(&lock); + list_del(&id_priv->list); + + _cma_cancel_listens(id_priv); mutex_unlock(&lock); } @@ -2575,6 +2582,7 @@ static int cma_listen_on_all(struct rdma_id_private *id_priv) err_listen: list_del(&id_priv->list); + _cma_cancel_listens(id_priv); mutex_unlock(&lock); if (to_destroy) rdma_destroy_id(&to_destroy->id); -- 1.8.3.1