Date: Thu, 1 Sep 2022 14:51:59 +0800
From: Tony Lu
To: liuyacan@corp.netease.com
Cc: davem@davemloft.net, edumazet@google.com, kgraul@linux.ibm.com, kuba@kernel.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, netdev@vger.kernel.org, ubraun@linux.vnet.ibm.com, pabeni@redhat.com, wenjia@linux.ibm.com, wintera@linux.ibm.com
Subject: Re: [PATCH net v4] net/smc: Fix possible access to freed memory in link clear
In-Reply-To: <20220831155303.1758868-1-liuyacan@corp.netease.com>
List-ID: linux-kernel@vger.kernel.org

On Wed, Aug 31, 2022 at 11:53:03PM +0800, liuyacan@corp.netease.com wrote:
> From: Yacan Liu
>
> After modifying the QP to the Error state, all RX WRs would be completed
> with a WC in IB_WC_WR_FLUSH_ERR status. The current implementation does not
> wait for this to finish, but destroys the QP and frees the link group directly.
> So there is a risk of accessing the freed memory in tasklet context.
>
> Here is a crash example:
>
> BUG: unable to handle page fault for address: ffffffff8f220860
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060
> Oops: 0002 [#1] SMP PTI
> CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23
> Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018
> RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0
> Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32
> RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086
> RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000
> RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00
> RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b
> R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010
> R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040
> FS:  0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>
>  _raw_spin_lock_irqsave+0x30/0x40
>  mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]
>  smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]
>  tasklet_action_common.isra.21+0x66/0x100
>  __do_softirq+0xd5/0x29c
>  asm_call_irq_on_stack+0x12/0x20
>
>  do_softirq_own_stack+0x37/0x40
>  irq_exit_rcu+0x9d/0xa0
>  sysvec_call_function_single+0x34/0x80
>  asm_sysvec_call_function_single+0x12/0x20
>
> Fixes: bd4ad57718cc ("smc: initialize IB transport incl. PD, MR, QP, CQ, event, WR")
> Signed-off-by: Yacan Liu
>

Thanks for this fix. I will test it in our environment.

Cheers,
Tony Lu
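The ordering problem the patch description talks about (QP moved to Error, link group freed, flush completions then processed by the tasklet against freed memory) can be modelled outside the kernel. The following is an added illustration written for this thread, not the SMC or mlx5 code and not the submitted patch: `struct link`, `rx_tasklet`, `wait_rx_flushed` and the completion-queue ring are constructed stand-ins, a `freed` flag stands in for KASAN-style detection of a use-after-free, and the kernel's actual wait mechanism is assumed to be an event the tasklet signals. It contrasts the teardown order the message calls unsafe with one that drains every IB_WC_WR_FLUSH_ERR completion before the link is released.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the teardown race in the patch message.
 * Not kernel code; every name here is invented for the illustration. */

#define WR_RX_CNT       4          /* receive WRs posted per link (model) */
#define WC_WR_FLUSH_ERR 5          /* stands in for IB_WC_WR_FLUSH_ERR */

struct link {
	unsigned int rx_posted;    /* RX WRs handed to the (model) QP */
	unsigned int rx_completed; /* completions the tasklet has consumed */
	bool qp_in_error;          /* QP has been moved to the Error state */
	bool freed;                /* link group memory released (model) */
};

struct wc { struct link *lnk; int status; };

/* Completion queue shared by the teardown path and the tasklet. */
struct cq { struct wc ring[WR_RX_CNT]; unsigned int head, tail; };

static void link_init(struct link *lnk)
{
	memset(lnk, 0, sizeof(*lnk));
	lnk->rx_posted = WR_RX_CNT; /* every RX buffer is outstanding */
}

/* Moving the QP to Error flushes each outstanding RX WR: the HW reports
 * one completion per posted WR with WC_WR_FLUSH_ERR status. */
static void modify_qp_to_error(struct cq *cq, struct link *lnk)
{
	lnk->qp_in_error = true;
	for (unsigned int i = lnk->rx_completed; i < lnk->rx_posted; i++) {
		cq->ring[cq->tail % WR_RX_CNT] = (struct wc){ lnk, WC_WR_FLUSH_ERR };
		cq->tail++;
	}
}

/* Tasklet body: poll the CQ and touch the owning link for each entry.
 * Returns the number of completions consumed, or -1 if it dereferenced a
 * link that was already freed (the access behind the crash trace). */
static int rx_tasklet(struct cq *cq)
{
	int n = 0;

	while (cq->head != cq->tail) {
		struct wc *wc = &cq->ring[cq->head % WR_RX_CNT];

		cq->head++;
		if (wc->lnk->freed)     /* poison check standing in for KASAN */
			return -1;
		wc->lnk->rx_completed++;
		n++;
	}
	return n;
}

/* The missing step: block teardown until every flush completion has been
 * processed. In the kernel this would be a wait on an event signalled by
 * the tasklet (assumption); the model simply runs the tasklet to drain. */
static int wait_rx_flushed(struct cq *cq, struct link *lnk)
{
	int total = 0;

	while (lnk->rx_completed < lnk->rx_posted) {
		int n = rx_tasklet(cq);

		if (n < 0)
			return -1;
		total += n;
	}
	return total;
}

/* Unsafe order from the patch message: Error the QP, free the link group,
 * and only then does the tasklet get to run. Returns -1 (use-after-free). */
int teardown_without_wait(void)
{
	struct cq cq = { 0 };
	struct link lnk;

	link_init(&lnk);
	modify_qp_to_error(&cq, &lnk);
	lnk.freed = true;           /* kfree() of the link group (model) */
	return rx_tasklet(&cq);
}

/* Safe order: Error the QP, drain the flush completions, then free.
 * Returns the number of flush completions drained (WR_RX_CNT). */
int teardown_with_wait(void)
{
	struct cq cq = { 0 };
	struct link lnk;
	int drained, late;

	link_init(&lnk);
	modify_qp_to_error(&cq, &lnk);
	drained = wait_rx_flushed(&cq, &lnk);
	lnk.freed = true;
	late = rx_tasklet(&cq);     /* nothing left that references lnk */
	return (drained == WR_RX_CNT && late == 0) ? drained : -1;
}

int main(void)
{
	printf("teardown without wait: %d\n", teardown_without_wait());
	printf("teardown with wait:    %d\n", teardown_with_wait());
	return 0;
}
```

The value of the model is the invariant it makes explicit: memory referenced by queued completions may only be released once the consumer has observed every completion that can still name it, which is what a drain step between "modify QP to Error" and "free link group" enforces.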