[27/31] rdma/siw: fix the "close" logic in siw_qp_cm_drop()

Message ID	2a9916bda4eb2ec63fcbf8b01041723383c3f844.1620343860.git.metze@samba.org (mailing list archive)
State	Changes Requested
Headers	show Return-Path: <linux-rdma-owner@kernel.org> From: Stefan Metzmacher <metze@samba.org> To: Bernard Metzler <bmt@zurich.ibm.com> Cc: linux-rdma@vger.kernel.org, Stefan Metzmacher <metze@samba.org> Subject: [PATCH 27/31] rdma/siw: fix the "close" logic in siw_qp_cm_drop() Date: Fri, 7 May 2021 01:36:33 +0200 Message-Id: <2a9916bda4eb2ec63fcbf8b01041723383c3f844.1620343860.git.metze@samba.org> In-Reply-To: <cover.1620343860.git.metze@samba.org> References: <cover.1620343860.git.metze@samba.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	rdma/siw: fix a lot of deadlocks and use after free bugs \| expand [00/31] rdma/siw: fix a lot of deadlocks and use after free bugs [01/31] rdma/siw: fix warning in siw_proc_send() [02/31] rdma/siw: call smp_mb() after mem->stag_valid = 0 in siw_invalidate_stag() too [03/31] rdma/siw: remove superfluous siw_cep_put() from siw_connect() error path [04/31] rdma/siw: let siw_accept() deferr RDMA_MODE until EVENT_ESTABLISHED [05/31] rdma/siw: make use of kernel_{bind,connect,listen}() [06/31] rdma/siw: make siw_cm_upcall() a noop without valid 'id' [07/31] rdma/siw: split out a __siw_cep_terminate_upcall() function [08/31] rdma/siw: use __siw_cep_terminate_upcall() for indirect SIW_CM_WORK_CLOSE_LLP [09/31] rdma/siw: use __siw_cep_terminate_upcall() for SIW_CM_WORK_PEER_CLOSE [10/31] rdma/siw: use __siw_cep_terminate_upcall() for SIW_CM_WORK_MPATIMEOUT [11/31] rdma/siw: introduce SIW_EPSTATE_ACCEPTING/REJECTING for rdma_accept/rdma_reject [12/31] rdma/siw: add some debugging of state and sk_state to the teardown process [13/31] rdma/siw: handle SIW_EPSTATE_CONNECTING in __siw_cep_terminate_upcall() [14/31] rdma/siw: let siw_connect() set AWAIT_MPAREP before siw_send_mpareqrep() [15/31] rdma/siw: create a temporary copy of private data [16/31] rdma/siw: use error and out logic at the end of siw_connect() [17/31] rdma/siw: start mpa timer before calling siw_send_mpareqrep() [18/31] rdma/siw: call the blocking kernel_bindconnect() just before siw_send_mpareqrep() [19/31] rdma/siw: split out a __siw_cep_close() function [20/31] rdma/siw: implement non-blocking connect. [21/31] rdma/siw: let siw_listen_address() call siw_cep_alloc() first [22/31] rdma/siw: let siw_listen_address() call siw_cep_set_inuse() early [23/31] rdma/siw: make use of __siw_cep_close() in siw_accept() [24/31] rdma/siw: do the full disassociation of cep and qp in siw_qp_llp_close() [25/31] rdma/siw: fix double siw_cep_put() in siw_cm_work_handler() [26/31] rdma/siw: make use of __siw_cep_close() in siw_cm_work_handler() [27/31] rdma/siw: fix the "close" logic in siw_qp_cm_drop() [28/31] rdma/siw: make use of __siw_cep_close() in siw_qp_cm_drop() [29/31] rdma/siw: make use of __siw_cep_close() in siw_reject() [30/31] rdma/siw: make use of __siw_cep_close() in siw_listen_address() [31/31] rdma/siw: make use of __siw_cep_close() in siw_drop_listeners()

Message ID

2a9916bda4eb2ec63fcbf8b01041723383c3f844.1620343860.git.metze@samba.org (mailing list archive)

State

Changes Requested

Headers

From: Stefan Metzmacher <metze@samba.org>
To: Bernard Metzler <bmt@zurich.ibm.com>
Cc: linux-rdma@vger.kernel.org, Stefan Metzmacher <metze@samba.org>
Subject: [PATCH 27/31] rdma/siw: fix the "close" logic in siw_qp_cm_drop()
Date: Fri,  7 May 2021 01:36:33 +0200
Message-Id: 
 <2a9916bda4eb2ec63fcbf8b01041723383c3f844.1620343860.git.metze@samba.org>
In-Reply-To: <cover.1620343860.git.metze@samba.org>
References: <cover.1620343860.git.metze@samba.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

rdma/siw: fix a lot of deadlocks and use after free bugs | expand

Commit Message

Stefan Metzmacher May 6, 2021, 11:36 p.m. UTC

cep->cm_id->rem_ref(cep->cm_id) is no reason to call
siw_cep_put(cep), we never call siw_cep_get(cep) when
calling id->add_ref(id).

But the cep->qp cleanup needs to drop both references!

Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Cc: Bernard Metzler <bmt@zurich.ibm.com>
Cc: linux-rdma@vger.kernel.org
---
 drivers/infiniband/sw/siw/siw_cm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Bernard Metzler May 11, 2021, 1:02 p.m. UTC | #1

-----"Stefan Metzmacher" <metze@samba.org> wrote: -----

>To: "Bernard Metzler" <bmt@zurich.ibm.com>
>From: "Stefan Metzmacher" <metze@samba.org>
>Date: 05/07/2021 01:40AM
>Cc: linux-rdma@vger.kernel.org, "Stefan Metzmacher" <metze@samba.org>
>Subject: [EXTERNAL] [PATCH 27/31] rdma/siw: fix the "close" logic in
>siw_qp_cm_drop()
>
>cep->cm_id->rem_ref(cep->cm_id) is no reason to call
>siw_cep_put(cep), we never call siw_cep_get(cep) when
>calling id->add_ref(id).
>
>But the cep->qp cleanup needs to drop both references!
>
>Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Cc: Bernard Metzler <bmt@zurich.ibm.com>
>Cc: linux-rdma@vger.kernel.org
>---
> drivers/infiniband/sw/siw/siw_cm.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/infiniband/sw/siw/siw_cm.c
>b/drivers/infiniband/sw/siw/siw_cm.c
>index 3dc80c21ac60..9f9750237e75 100644
>--- a/drivers/infiniband/sw/siw/siw_cm.c
>+++ b/drivers/infiniband/sw/siw/siw_cm.c
>@@ -546,7 +546,6 @@ void siw_qp_cm_drop(struct siw_qp *qp, int
>schedule)
> 		if (cep->cm_id) {
> 			cep->cm_id->rem_ref(cep->cm_id);
> 			cep->cm_id = NULL;
>-			siw_cep_put(cep);
> 		}
> 		cep->state = SIW_EPSTATE_CLOSED;
> 
>@@ -559,8 +558,11 @@ void siw_qp_cm_drop(struct siw_qp *qp, int
>schedule)
> 			cep->sock = NULL;
> 		}
> 		if (cep->qp) {
>+			BUG_ON(cep->qp->cep != cep);

Please no BUG() and friends

>+			cep->qp->cep = NULL;

That pointer should be handled by the qp code

>+			siw_qp_put(cep->qp);
> 			cep->qp = NULL;
>-			siw_qp_put(qp);
>+			siw_cep_put(cep);
> 		}
> out:
> 		siw_cep_set_free(cep);
>-- 
>2.25.1
>
>

diff --git a/drivers/infiniband/sw/siw/siw_cm.c b/drivers/infiniband/sw/siw/siw_cm.c
index 3dc80c21ac60..9f9750237e75 100644
--- a/drivers/infiniband/sw/siw/siw_cm.c
+++ b/drivers/infiniband/sw/siw/siw_cm.c
@@ -546,7 +546,6 @@  void siw_qp_cm_drop(struct siw_qp *qp, int schedule)
 		if (cep->cm_id) {
 			cep->cm_id->rem_ref(cep->cm_id);
 			cep->cm_id = NULL;
-			siw_cep_put(cep);
 		}
 		cep->state = SIW_EPSTATE_CLOSED;
 
@@ -559,8 +558,11 @@  void siw_qp_cm_drop(struct siw_qp *qp, int schedule)
 			cep->sock = NULL;
 		}
 		if (cep->qp) {
+			BUG_ON(cep->qp->cep != cep);
+			cep->qp->cep = NULL;
+			siw_qp_put(cep->qp);
 			cep->qp = NULL;
-			siw_qp_put(qp);
+			siw_cep_put(cep);
 		}
 out:
 		siw_cep_set_free(cep);

[27/31] rdma/siw: fix the "close" logic in siw_qp_cm_drop()

Commit Message

Comments

Patch