| Message ID | 20220731063621.298405-1-yanjun.zhu@linux.dev (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Jason Gunthorpe |
| Headers | show |
| Series | [PATCHv4,1/1] RDMA/rxe: Fix qp error handler | expand |
On Sun, Jul 31, 2022 at 02:36:21AM -0400, yanjun.zhu@linux.dev wrote: > From: Zhu Yanjun <yanjun.zhu@linux.dev> > > This problem is in this link: > news://nntp.lore.kernel.org:119/0000000000006ed46805dfaded18@google.com > > this is an error unwind problem. > > In the function rxe_create_qp, rxe_qp_from_init is called to initialize qp. > rxe_qp_init_req is called by rxe_qp_from_init. If an error occurs before > spin_lock_init in rxe_qp_init_req, several spin locks are not initialized. > Then rxe_create_qp finally calls rxe_cleanup(qp) to handle errors. > > In the end, rxe_qp_do_cleanup is called. In this function, rxe_cleanup_task > will call spin_lock_bh. But task->state_lock is not initialized. > > As such, an uninitialized spin lock is called by spin_lock_bh. > > rxe_create_qp { > ... > err = rxe_qp_from_init(rxe, qp, pd, init, uresp, ibqp->pd, udata); > if (err) > goto qp_init; > ... > return 0; > > qp_init: > rxe_cleanup(qp); > return err; > } > > rxe_qp_do_cleanup { > ... > rxe_cleanup_task { > ... > spin_lock_bh(&task->state_lock); > ... > } > } > > rxe_qp_from_init { > ... > rxe_qp_init_misc(rxe, qp, init); > > err = rxe_qp_init_req{ > ... > spin_lock_init(&qp->sq.sq_lock); > ... > rxe_init_task{ > ... > spin_lock_init(&task->state_lock); > ... > } > } > if (err) > goto err1; > > err = rxe_qp_init_resp { > ... > spin_lock_init(&qp->rq.producer_lock); > spin_lock_init(&qp->rq.consumer_lock); > ... > rxe_init_task { > ... > spin_lock_init(&task->state_lock); > ... > } > } > > if (err) > goto err2; > ... > return 0; > > err2: > ... > err1: > ... > return err; > } > > About 7 spin locks in qp creation needs to be initialized. Now these > spin locks are initialized in the function rxe_qp_init_misc. This > will avoid the error "initialize spin locks before use". > > Fixes: 8700e3e7c485 ("Soft RoCE driver") > Reported-by: syzbot+833061116fa28df97f3b@syzkaller.appspotmail.com > Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev> > --- > drivers/infiniband/sw/rxe/rxe_qp.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) Applied to for-next, thanks Jason
diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c index b79e1b43454e..7a223583cf8b 100644 --- a/drivers/infiniband/sw/rxe/rxe_qp.c +++ b/drivers/infiniband/sw/rxe/rxe_qp.c @@ -174,6 +174,14 @@ static void rxe_qp_init_misc(struct rxe_dev *rxe, struct rxe_qp *qp, spin_lock_init(&qp->state_lock); + spin_lock_init(&qp->req.task.state_lock); + spin_lock_init(&qp->resp.task.state_lock); + spin_lock_init(&qp->comp.task.state_lock); + + spin_lock_init(&qp->sq.sq_lock); + spin_lock_init(&qp->rq.producer_lock); + spin_lock_init(&qp->rq.consumer_lock); + atomic_set(&qp->ssn, 0); atomic_set(&qp->skb_out, 0); } @@ -233,7 +241,6 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, qp->req.opcode = -1; qp->comp.opcode = -1; - spin_lock_init(&qp->sq.sq_lock); skb_queue_head_init(&qp->req_pkts); rxe_init_task(rxe, &qp->req.task, qp, @@ -284,9 +291,6 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, } } - spin_lock_init(&qp->rq.producer_lock); - spin_lock_init(&qp->rq.consumer_lock); - skb_queue_head_init(&qp->resp_pkts); rxe_init_task(rxe, &qp->resp.task, qp,