From patchwork Thu Oct 15 12:01:02 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Matan Barak <matanb@mellanox.com>
X-Patchwork-Id: 7405281
Return-Path: <linux-rdma-owner@kernel.org>
X-Original-To: patchwork-linux-rdma@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 42895BEEA4
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Thu, 15 Oct 2015 12:03:44 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 8BB7F20748
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Thu, 15 Oct 2015 12:03:39 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 9BEC52073F
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Thu, 15 Oct 2015 12:03:38 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752995AbbJOMDh (ORCPT
	<rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
	Thu, 15 Oct 2015 08:03:37 -0400
Received: from [193.47.165.129] ([193.47.165.129]:36324 "EHLO mellanox.co.il"
	rhost-flags-FAIL-FAIL-OK-FAIL) by vger.kernel.org with ESMTP
	id S1752990AbbJOMDg (ORCPT <rfc822;linux-rdma@vger.kernel.org>);
	Thu, 15 Oct 2015 08:03:36 -0400
Received: from Internal Mail-Server by MTLPINE1 (envelope-from
	matanb@mellanox.com)
	with ESMTPS (AES256-SHA encrypted); 15 Oct 2015 14:03:11 +0200
Received: from rsws33.mtr.labs.mlnx (dev-r-vrt-064.mtr.labs.mlnx
	[10.212.64.1])
	by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id t9FC3BDh020615;
	Thu, 15 Oct 2015 15:03:11 +0300
From: Matan Barak <matanb@mellanox.com>
To: Doug Ledford <dledford@redhat.com>
Cc: linux-rdma@vger.kernel.org, Or Gerlitz <ogerlitz@mellanox.com>,
	Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
	Matan Barak <matanb@mellanox.com>, Eran Ben Elisha <eranbe@mellanox.com>,
	Doron Tsur <doront@mellanox.com>
Subject: [PATCH rdma-cm] IB/core: Fix memory corruption in
	ib_cache_gid_set_default_gid
Date: Thu, 15 Oct 2015 15:01:02 +0300
Message-Id: <1444910463-5688-1-git-send-email-matanb@mellanox.com>
X-Mailer: git-send-email 2.1.0
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Doron Tsur <doront@mellanox.com>

When ib_cache_gid_set_default_gid is called from several threads,
updating the table could make find_gid fail, therefore a negative
index will be retruned and an invalid table entry will be used.
Locking find_gid as well fixes this problem.

Fixes: 03db3a2d81e6 ('IB/core: Add RoCE GID table management')
Signed-off-by: Doron Tsur <doront@mellanox.com>
Signed-off-by: Matan Barak <matanb@mellanox.com>
---

Hi Doug,

This patch fixes a bug in RoCE GID table implementation. When several
instances executes ib_cache_gid_set_default_gid, we could try to update
the same default GID (at the same index) simultaneously.
Therefore, find_gid will fail finding this default GID and we'll hit the
WARN_ON condition.

We hit this bug while testing this code under pressure of doing ifup/ifdown.

Thanks,
Matan

 drivers/infiniband/core/cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index 8f66c67..87471ef 100644
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -508,12 +508,12 @@ void ib_cache_gid_set_default_gid(struct ib_device *ib_dev, u8 port,
 	memset(&gid_attr, 0, sizeof(gid_attr));
 	gid_attr.ndev = ndev;
 
+	mutex_lock(&table->lock);
 	ix = find_gid(table, NULL, NULL, true, GID_ATTR_FIND_MASK_DEFAULT);
 
 	/* Coudn't find default GID location */
 	WARN_ON(ix < 0);
 
-	mutex_lock(&table->lock);
 	if (!__ib_cache_gid_get(ib_dev, port, ix,
 				&current_gid, &current_gid_attr) &&
 	    mode == IB_CACHE_GID_DEFAULT_MODE_SET &&