From patchwork Fri Nov 10 22:29:18 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
X-Patchwork-Id: 10053891
Return-Path: <linux-rdma-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	5F40360631 for <patchwork-linux-rdma@patchwork.kernel.org>;
	Fri, 10 Nov 2017 22:29:21 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 530A72B4B8
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Fri, 10 Nov 2017 22:29:21 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 47E692B4BF; Fri, 10 Nov 2017 22:29:21 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BDEEB2B4B8
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Fri, 10 Nov 2017 22:29:20 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754362AbdKJW3T (ORCPT
	<rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
	Fri, 10 Nov 2017 17:29:19 -0500
Received: from mga14.intel.com ([192.55.52.115]:64199 "EHLO mga14.intel.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1754140AbdKJW3T (ORCPT <rfc822;linux-rdma@vger.kernel.org>);
	Fri, 10 Nov 2017 17:29:19 -0500
Received: from fmsmga006.fm.intel.com ([10.253.24.20])
	by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
	10 Nov 2017 14:29:19 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.44,376,1505804400"; d="scan'208";a="174932485"
Received: from sedona.ch.intel.com ([143.182.228.65])
	by fmsmga006.fm.intel.com with ESMTP; 10 Nov 2017 14:29:19 -0800
Received: from phlsvsles11.ph.intel.com (phlsvsles11.ph.intel.com
	[10.228.195.43])
	by sedona.ch.intel.com (8.13.6/8.14.3/Standard MailSET/Hub) with
	ESMTP id vAAMTIww001528
	for <linux-rdma@vger.kernel.org>; Fri, 10 Nov 2017 15:29:18 -0700
Received: from phlsvslse11.ph.intel.com (localhost [127.0.0.1])
	by phlsvsles11.ph.intel.com with ESMTP id vAAMTIbF010490
	for <linux-rdma@vger.kernel.org>; Fri, 10 Nov 2017 17:29:18 -0500
Subject: [PATCH 3/3] ibacm: Fix a retry loop calculation race condition
To: linux-rdma@vger.kernel.org
From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
Date: Fri, 10 Nov 2017 17:29:18 -0500
Message-ID: <20171110222907.10387.1185.stgit@phlsvslse11.ph.intel.com>
In-Reply-To: <20171110222658.10387.16845.stgit@phlsvslse11.ph.intel.com>
References: <20171110222658.10387.16845.stgit@phlsvslse11.ph.intel.com>
User-Agent: StGit/0.16
MIME-Version: 1.0
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Michael J. Ruhl <michael.j.ruhl@intel.com>

The retry loop calculation uses a conversion to int of an unsigned
64 bit number (next_expire) minus the current time to decide if
event_wait() should be called.  This calculation works correctly as
long as the next_expire value is not the default value (-1).

If the next_expire is the default value, periodically this subtraction
can result in a very large postive timeout value (days rather than
milliseconds).

For example:
next_expire  = 0xFFFFFFFFFFFFFFFF  (-1)
current_ms = 0x15f7db52146  (today's ms since 1970)

max_delay_ms = (int) next_expire - future_ms

future_ms  = 0x15f80000000  = max_delay_ms 2147483647
future_ms  = 0x16080000000  = max_delay_ms 2147483647

Converting max_delay_ms to days:
2147483647 / 1000 / 60 / 60 / 24 == 24 days

0xxx180000000 - 0xxx080000000 = 4294967296

every 48 days, this issue repeats

This calculation can occur if a wait_cnt is incremented and a message
expiration is handled so that next_expire is not updated.  If wait_cnt
is incremented before the wait calculation is done (the race condition),
event_wait() can be called with the potentially very large value.

If next_expire is not updated, do not do the wait calculation and
avoid the race condition.

Reported-by: Morys Grzegorz <grzegorz.morys@intel.com>
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
---
 ibacm/prov/acmp/src/acmp.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)


--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/ibacm/prov/acmp/src/acmp.c b/ibacm/prov/acmp/src/acmp.c
index d707b8e..884fc48 100644
--- a/ibacm/prov/acmp/src/acmp.c
+++ b/ibacm/prov/acmp/src/acmp.c
@@ -1579,10 +1579,12 @@ static void *acmp_retry_handler(void *context)
 		pthread_mutex_unlock(&acmp_dev_lock);
 
 		acmp_process_timeouts();
-		wait = (int) (next_expire - time_stamp_ms());
-		if (wait > 0 && atomic_get(&wait_cnt)) {
-			pthread_testcancel();
-			event_wait(&timeout_event, wait);
+		if (next_expire != -1) {
+			wait = (int) (next_expire - time_stamp_ms());
+			if (wait > 0 && atomic_get(&wait_cnt)) {
+				pthread_testcancel();
+				event_wait(&timeout_event, wait);
+			}
 		}
 	}