Message ID | 20230404063848.3844292-1-yanjun.zhu@intel.com |
---|---|
State | Superseded |
Series | [PATCHv2,1/1] RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task" |
On 2023/4/4 14:38, Zhu Yanjun wrote:
> From: Zhu Yanjun <yanjun.zhu@linux.dev>
>
> In the function rxe_create_qp(), rxe_qp_from_init() is called to
> initialize qp, internally things like rxe_init_task are not set up until
> rxe_qp_init_req().
>
> If an error occurs before this point then the unwind will call
> rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()
> which will oops when trying to access the uninitialized spinlock.
>
> If rxe_init_task is not executed, rxe_cleanup_task will not be called.
>
> Reported-by: syzbot+cfcc1a3c85be15a40cba@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=fd85757b74b3eb59f904138486f755f71e090df8
>
> Fixes: 8700e3e7c485 ("Soft RoCE driver")
> Fixes: 2d4b21e0a291 ("IB/rxe: Prevent from completer to operate on non valid QP")
> Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
> ---
> V1 -> V2: Remove memset functions;

Gently ping

Zhu Yanjun

> ---
> drivers/infiniband/sw/rxe/rxe_qp.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c > index ab72db68b58f..a1746c4f5448 100644 > --- a/drivers/infiniband/sw/rxe/rxe_qp.c > +++ b/drivers/infiniband/sw/rxe/rxe_qp.c > @@ -773,15 +773,20 @@ static void rxe_qp_do_cleanup(struct work_struct *work) > > qp->valid = 0; > qp->qp_timeout_jiffies = 0; > - rxe_cleanup_task(&qp->resp.task); > + > + if (qp->resp.task.func) > + rxe_cleanup_task(&qp->resp.task); > > if (qp_type(qp) == IB_QPT_RC) { > del_timer_sync(&qp->retrans_timer); > del_timer_sync(&qp->rnr_nak_timer); > } > > - rxe_cleanup_task(&qp->req.task); > - rxe_cleanup_task(&qp->comp.task); > + if (qp->req.task.func) > + rxe_cleanup_task(&qp->req.task); > > + if (qp->comp.task.func) > + rxe_cleanup_task(&qp->comp.task); > > /* flush out any receive wr's or pending requests */ > if (qp->req.task.func)
On Mon, Apr 10, 2023 at 11:08:15PM +0800, Zhu Yanjun wrote:
> On 2023/4/4 14:38, Zhu Yanjun wrote:
> > From: Zhu Yanjun <yanjun.zhu@linux.dev>
> >
> > In the function rxe_create_qp(), rxe_qp_from_init() is called to
> > initialize qp, internally things like rxe_init_task are not set up until
> > rxe_qp_init_req().
> >
> > If an error occurs before this point then the unwind will call
> > rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()
> > which will oops when trying to access the uninitialized spinlock.
> >
> > If rxe_init_task is not executed, rxe_cleanup_task will not be called.
> >
> > Reported-by: syzbot+cfcc1a3c85be15a40cba@syzkaller.appspotmail.com
> > Link: https://syzkaller.appspot.com/bug?id=fd85757b74b3eb59f904138486f755f71e090df8
> >
> > Fixes: 8700e3e7c485 ("Soft RoCE driver")
> > Fixes: 2d4b21e0a291 ("IB/rxe: Prevent from completer to operate on non valid QP")
> > Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
> > ---
> > V1 -> V2: Remove memset functions;
>
> Gently ping

It doesn't apply to rdma-next.

Thanks
On 2023/4/13 16:23, Leon Romanovsky wrote:
> On Mon, Apr 10, 2023 at 11:08:15PM +0800, Zhu Yanjun wrote:
>> On 2023/4/4 14:38, Zhu Yanjun wrote:
>>> From: Zhu Yanjun <yanjun.zhu@linux.dev>
>>>
>>> In the function rxe_create_qp(), rxe_qp_from_init() is called to
>>> initialize qp, internally things like rxe_init_task are not set up until
>>> rxe_qp_init_req().
>>>
>>> If an error occurs before this point then the unwind will call
>>> rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()
>>> which will oops when trying to access the uninitialized spinlock.
>>>
>>> If rxe_init_task is not executed, rxe_cleanup_task will not be called.
>>>
>>> Reported-by: syzbot+cfcc1a3c85be15a40cba@syzkaller.appspotmail.com
>>> Link: https://syzkaller.appspot.com/bug?id=fd85757b74b3eb59f904138486f755f71e090df8
>>>
>>> Fixes: 8700e3e7c485 ("Soft RoCE driver")
>>> Fixes: 2d4b21e0a291 ("IB/rxe: Prevent from completer to operate on non valid QP")
>>> Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
>>> ---
>>> V1 -> V2: Remove memset functions;
>> Gently ping
> It doesn't apply to rdma-next.

The latest commit is based on rdma-next:
https://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git
Branch: remotes/origin/wip/leon-for-next

Thanks,
Zhu Yanjun

>
> Thanks
diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c index ab72db68b58f..a1746c4f5448 100644 --- a/drivers/infiniband/sw/rxe/rxe_qp.c +++ b/drivers/infiniband/sw/rxe/rxe_qp.c @@ -773,15 +773,20 @@ static void rxe_qp_do_cleanup(struct work_struct *work) qp->valid = 0; qp->qp_timeout_jiffies = 0; - rxe_cleanup_task(&qp->resp.task); + + if (qp->resp.task.func) + rxe_cleanup_task(&qp->resp.task); if (qp_type(qp) == IB_QPT_RC) { del_timer_sync(&qp->retrans_timer); del_timer_sync(&qp->rnr_nak_timer); } - rxe_cleanup_task(&qp->req.task); - rxe_cleanup_task(&qp->comp.task); + if (qp->req.task.func) + rxe_cleanup_task(&qp->req.task); + + if (qp->comp.task.func) + rxe_cleanup_task(&qp->comp.task); /* flush out any receive wr's or pending requests */ if (qp->req.task.func)
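Review bot: the new `if (qp->resp.task.func)`, `if (qp->req.task.func)` and `if (qp->comp.task.func)` guards only tell an uninitialised task apart from an initialised one if the qp object is zero-filled at allocation, and V2 dropped the explicit memsets, so the commit message should state that the checks rely on the qp being zero-allocated; the trailing context line `if (qp->req.task.func)` shows the function already uses `func` as that sentinel further down, so the added checks are at least consistent with existing practice. The hunk also leaves `del_timer_sync(&qp->retrans_timer)` and `del_timer_sync(&qp->rnr_nak_timer)` unguarded between the now-guarded task cleanups; if those timers are initialised on the same late path as the tasks (the description says the tasks are not set up until rxe_qp_init_req()), the early-unwind case needs the same protection for them, otherwise a sentence in the commit message confirming they are initialised earlier would close the question.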