From patchwork Thu Dec 14 00:26:49 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bryan Tan X-Patchwork-Id: 10111271 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id F2C8860327 for ; Thu, 14 Dec 2017 00:27:15 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E21BE299EF for ; Thu, 14 Dec 2017 00:27:15 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D6E5F299D3; Thu, 14 Dec 2017 00:27:15 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 06A60299EB for ; Thu, 14 Dec 2017 00:27:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751502AbdLNA1L (ORCPT ); Wed, 13 Dec 2017 19:27:11 -0500 Received: from mail-sn1nam02on0048.outbound.protection.outlook.com ([104.47.36.48]:59601 "EHLO NAM02-SN1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1750749AbdLNA1I (ORCPT ); Wed, 13 Dec 2017 19:27:08 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=onevmw.onmicrosoft.com; s=selector1-vmware-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=w7lsGkOR95EYE2zEWL54eF375oHK7167CP58kdJ57T8=; b=Nl2mKjEj+UcWT0W6U+POmBvVeD8HTCO9wP+Rzj2aEi8sbEIOzLWUQy6WI5CRJKGT0lrMIpF5jB7muofbCNpspMLGLHFP6YXIXCPFdJ80HSuq6TY8hGfqqEp2liasw/lo7JKeFqNybE8CWoqcEvhx57pZpek1nUUCcNjYnIhlGgM= Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=bryantan@vmware.com; Received: from bryantan-devbox.prom.eng.vmware.com.prom.eng.vmware.com (208.91.1.34) by CY1PR05MB2779.namprd05.prod.outlook.com (10.167.18.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.302.2; Thu, 14 Dec 2017 00:27:06 +0000 Date: Wed, 13 Dec 2017 16:26:49 -0800 From: Bryan Tan To: linux-rdma@vger.kernel.org Subject: [PATCH v1 for-rc 8/8] RDMA/vmw_pvrdma: Use completion instead of wait queue Message-ID: <20171214002638.GA20297@bryantan-devbox.prom.eng.vmware.com.prom.eng.vmware.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20171214001753.GA9780@bryantan-devbox.prom.eng.vmware.com.prom.eng.vmware.com> User-Agent: Mutt/1.5.24 (2015-08-30) X-Originating-IP: [208.91.1.34] X-ClientProxiedBy: VI1PR0602CA0020.eurprd06.prod.outlook.com (10.175.26.158) To CY1PR05MB2779.namprd05.prod.outlook.com (10.167.18.25) X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 850ff2b5-4d8e-458b-1b71-08d542896882 X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(5600026)(4604075)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(2017052603307); SRVR:CY1PR05MB2779; X-Microsoft-Exchange-Diagnostics: 1; CY1PR05MB2779; 3:q0BuHh9xViP0jAkITw1EVgXIox7h2BbAtFYJqnWxWLJH8T7Tdu8bQpRWwI/PAtIV/NMDcHZkSZi2mTGXaCtEqdKuasoMWdWhIjWmYjorEUR1InPy9o9e9/iGo363UQnfrldVF5NljJHGJs579WVJwSPES1Fx3HtsoPPn31xQRQJLFTYTaDVKwo9y4upeSyl2G+kywasOMiTdeTes3F02gvTf1G4Ebh3e52T375mv/nnK8x4noS7SOWRmnOFBv9tS; 25:l1SCvjRmqRvto2Hqk04Dnu8sBOFRS5cSvUcTt45U1lEyIilQbZcm10ATPs6QOdaIubAoT6lwixbsyjoztZFxenXAB/5ZavlUnOSXMChrUTPZq1d4KXT35Yq8rzxTqchV05jpI+G+Yle3L/0RsDufPZQkjCsitzMWDtw19qTCePbbl5SrWJhX+GMuuXEb9nliEvphCa9hTYE3SornKDoZDeZslTUU+S/0Zu+Si+Mm0XSPsD/oYBlTm0oP2/ZsjDAa1drIsQELZZ4OprAp/LDxohTJyTrjLHBRI6SZEFKAOkMXnMcDUwYLUA+h3DO1PZJ6mro8Z0dcm41oSBbdjafJsg==; 31:cCvTqc6cU13ieuAUY0S8ipalaapR5y6uGwe3l9XpSptgYHva7/EeO5jVgB+adNPBqIEXTqpnqOVsAtoUqWdOlgL344/Gs+T6KCjKwRCOzvXNqBhM51gbddKtPODByiBrnB2P2EVrQVG+gJs9bpLzWMYsADYnkSJOGQK32c2KaB3494ZqhAm1tN4IUuv9NHMkuv2t5EQsb51SHqdZRcax3P6ByfpPWPJuKVt7ehM9H9s= X-MS-TrafficTypeDiagnostic: CY1PR05MB2779: X-Microsoft-Exchange-Diagnostics: 1; CY1PR05MB2779; 20:/drU7DrNJEIu9sTyZe3jL57nUxddOICL4mVcv2EjbPb48GvwTe+AwDZ3pSPVcdoa7x/fDURCX9CmRN86dfEEM9tDb/lD/MuRmBi5onAUe9KdAUJgBE6k7iP1/SfOHveMt0pkL8wUsyBR/AC47lickBgP3f/zYhFIg7TqXFGXyC4yM53g6qifx1oLUmygYzPYIBk7456mEdO1iZ789h22Owu1mP6vSCCZVqv6pZ7u79P7a77DC2G3AsqECdzlLT0yQM9h7SSCgCpOIIePhplwteCihaBhs8ztRLVNjkzoZVzI1QgfARGBd5lIYIIyESXw9LSmHyH47WNh7jfvqYf/hLXmnsXrzVh22eG+tDESHxkUcX6bXR6+YEiKmMhPLdQwId9qx8PX6OYVcxWC8Phjrq4EqhEAKbmIxqKJHIngo/C+zLLLk2WOrxY3BqpcET7RMHYTuBpTN/lYNliFdhPs1bFOxR5twO8fLmwEJdO6ZtcV91lK2Ry7qf44HlIg++D/; 4:0V4Bl7GmPdU/7YV1ZmsdsXwuQGGBp0jFNhMiP/6KxDJy4PGVXBMSud7b2QiMuoBM/MdDlxeIzAg3+loziG9YkziXt0JTGG9YbEFMPyoFq4f5kMh+xsWBHUqdqR7b5+KNgON7QjjqjV/JSiFf95sFGXegAPCWRSDAYqHCmcFdByHehptImg5VbO39zhsdKTBhtrzOaDxCJhdBAfbLOJJ3a9i/uzEX2Qg87NQrwhoQyHqz0qCPDdEBeqp/7XeulepWXcITfiLFnVAUGG4HxDvM08B5m4uWCb2MSCKgnurZpJrJ4M9G95+y83MtGNie5Nsa X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:(61668805478150); X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040450)(2401047)(5005006)(8121501046)(3002001)(10201501046)(3231023)(93006095)(93001095)(6041248)(20161123555025)(20161123560025)(20161123558100)(20161123564025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:CY1PR05MB2779; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:CY1PR05MB2779; X-Forefront-PRVS: 05214FD68E X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(346002)(396003)(366004)(376002)(39860400002)(189003)(199004)(86362001)(2906002)(53936002)(5660300001)(52116002)(7696005)(16526018)(2351001)(2361001)(478600001)(50466002)(25786009)(55016002)(59450400001)(2950100002)(7736002)(8936002)(6916009)(6666003)(97736004)(386003)(66066001)(83506002)(316002)(106356001)(23726003)(8676002)(33656002)(16586007)(58126008)(68736007)(105586002)(6116002)(1076002)(3846002)(47776003)(81166006)(81156014)(305945005)(18370500001); DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR05MB2779; H:bryantan-devbox.prom.eng.vmware.com.prom.eng.vmware.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; Received-SPF: None (protection.outlook.com: vmware.com does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; CY1PR05MB2779; 23:nL62Jq9ILOjYoz79s7APd5+rtuF3DggQ+6fC7wO3i?= =?us-ascii?Q?g8tXjkDelHi/BWPNzbhr2j8clOXowDjeKqNrFUqS8QgbyjB/Edn7LM54QIME?= =?us-ascii?Q?PPCpW8vnZFrV6sOgb/Y42RO5Wq03idBNF9lYnyhyi1zMhhF/3ew9OGdX642I?= =?us-ascii?Q?xgdGTzBAtnrmvStTR+7QExD0yF3Qqa+eLXn7K5yMyNCLi2/9I/SNyFwdRy8J?= =?us-ascii?Q?NRe/F5Ithd2cq+9+7jroHKl+vmklPUYzxLqmxavK1rYAO5AbqKsO/wstfz80?= =?us-ascii?Q?sXmOC/1lQV4/JRByOJkx13PrS5WnYmjPedWSVtlXaX18JHgQ7Gi4U2RG4PZb?= =?us-ascii?Q?4X+onERuKUJ+Vxi/uC6N+3RAKc3COMsDvqkjv4BUdZPgnlaGe0WjzyOr7Ufo?= =?us-ascii?Q?YjqHCWtnKizXkclFdaB2myj4Q5Mqs7kgcREJRzPZg9A7Bko8SE0p3OuBQPRo?= =?us-ascii?Q?w21VkHLiQF7bw54bxl2zndum+cB113cAR7J8hztzoIbe6eF9W07F6Bgk6bzM?= =?us-ascii?Q?Xei8mImk/62nZGj0yEScxo+QNNvIKLmvvkce80+Y5jzTPEM35mhpEBIxg9Pw?= =?us-ascii?Q?Uwk2mfIRs4Mz0w4FReVMkBl0WaowdPlGV3LTybJC6EQi5w3VU5OSTe+lAfSU?= =?us-ascii?Q?5j8UuLglsRFl0/fP5JMn1PP9BHnz9kgFSVh6CGQCBkC9PkDYf+6Yat6f75SH?= =?us-ascii?Q?pAlPiHGdbmqF8qNjpTatb9bg5ScEI81q4T6kjxUzvSobfa5zSGzT/antec0M?= =?us-ascii?Q?1Cv4ALHArVK40nW3+3A9d02z6AEFiybfQO73o0ibWF361K3QYpIF1PTRFSwT?= =?us-ascii?Q?NEkjjp+T8P/dvzLWeVPpskmcvF4a+9bqvRhPzjJ3R9WJeSnzM2I9QjBh2XMq?= =?us-ascii?Q?xrZuypJytN8FXRbhVx0AQoADTR9xKcO45aT406MVSWop5AciPIfzdXwufIMg?= =?us-ascii?Q?8wpOFMD0RB5soQuENkZB5PtBqR3vCW/Z9Xt28000IyZTcz/EYn5+f8JDRhKR?= =?us-ascii?Q?7IsmGp3I7HgdISUg7AwIdtAX7mXNXmmgERaOqhvQ+hIZte3mPLM8TQ8ckgOK?= =?us-ascii?Q?oKeSjS1Z6zVrlfddeg14+hYVjtnh+yT8Bbr7bTcTmGQPBmCIg=3D=3D?= X-Microsoft-Exchange-Diagnostics: 1; CY1PR05MB2779; 6:H1kvQM5BXxXMPn6OW/SKroA75NR3KAKD86C2aEjZayZ+2gNm4FypPzmUT0Rpj4cTv/qoch/3IiycZ5YcLFFcBYBrSqijeKzzrdNPEgT8m1+45bKal/Ynqxl5U1sFP6z0hKWucERxRg/aUhVNrfatAQl+OIAXTggqE95L65QabE/kn6JS90Dh1Qvk6z89I92fvAacVbsu3O8rBLa2CC0PB51CKzQz5y4S1RAcmlQj7Lid9p2S2lAylro3C7KpyiiVqQvMyh5HYvpJvzb3bgmnw1Y5hzhc0lC04vrApASyzvc5mEyzJ6TLVGcCvr9G0/NJFVBZIy0rt5w4j5XQSvuyG/IG2D+CZBnW+OtIqsnKXTs=; 5:4eDOQvvnlbvjStisSwK2Z95x0jEb7THcm30Vkcd5ieBz1Syu6ZZL5gKE8Ic0T2anpDULnBn8T3yoY6iri9ssAtd43VX5SLrM/ACMUfBVXJ+ZqnxsmZaZ1XM0v6q5tjfKis+MilX2UB96Z8PkAX8aBRC1K9abrNwHK8ys4lXXRvk=; 24:o7uJ0cjUEUXAOCXRz0QshJJUzP12I/iRpuLzf2MGbxhgRdfK5BnAcFZgliTXcvl36aECfwONBjDvB2x50QgMDnAchUn9rsJqyk0wHundUfQ=; 7:uHuDhA9jKX8ShXrNqrYLp0yHnEhvw0zGaDWOX7qJW4cpt1syJHQVED9MlLyuETqxIMb6qgq8C2IKPdpFmf/Ue/7EgN5tqTMh2TaSYGMXbbvpRnsJyHD9elcUcirXIF4TAd+rCVDbU/9qRVZwoAd78dAM2b4VfLI1cR/DqU/HQLT0f9Solh/TTtaAZ6e6DaD9VQ75044gnfns0t8vN9MudIyR4KZe6em/tjsbhlZ4JgoTTModVYJGIBr5DHb0QkNe SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; CY1PR05MB2779; 20:VIqtyM+aC6O38piJSapjq06gSkJu0KZ2hVK+NchRSFmqvbCZyz1mB/OIJqj7E6QkeAZf5VoFUt97jMSstcx0f/nw3QTJOmI3f+vnZRquJRKqUVVcrDZivdnt6u2ecOdX9ZpOvvED3xNiRRHmeyuEkxtCoGi8D1GHPd8I6uNH+q0= X-OriginatorOrg: vmware.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2017 00:27:06.1915 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 850ff2b5-4d8e-458b-1b71-08d542896882 X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0 X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR05MB2779 Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The use of wait queues in vmw_pvrdma for handling concurrent access to a resource leaves a possible use after free bug. Fix this by using completions instead. Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver") Signed-off-by: Bryan Tan --- drivers/infiniband/hw/vmw_pvrdma/pvrdma.h | 6 +++--- drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c | 7 ++++--- drivers/infiniband/hw/vmw_pvrdma/pvrdma_main.c | 8 ++++---- drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c | 7 ++++--- drivers/infiniband/hw/vmw_pvrdma/pvrdma_srq.c | 7 ++++--- 5 files changed, 19 insertions(+), 16 deletions(-) diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h b/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h index 07d287e..44cb1cf 100644 --- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h +++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h @@ -94,7 +94,7 @@ struct pvrdma_cq { u32 cq_handle; bool is_kernel; refcount_t refcnt; - wait_queue_head_t wait; + struct completion free; }; struct pvrdma_id_table { @@ -175,7 +175,7 @@ struct pvrdma_srq { u32 srq_handle; int npages; refcount_t refcnt; - wait_queue_head_t wait; + struct completion free; }; struct pvrdma_qp { @@ -197,7 +197,7 @@ struct pvrdma_qp { bool is_kernel; struct mutex mutex; /* QP state mutex. */ refcount_t refcnt; - wait_queue_head_t wait; + struct completion free; }; struct pvrdma_dev { diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c index 9dba949..faa9478 100644 --- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c +++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c @@ -178,7 +178,7 @@ struct ib_cq *pvrdma_create_cq(struct ib_device *ibdev, pvrdma_page_dir_insert_umem(&cq->pdir, cq->umem, 0); refcount_set(&cq->refcnt, 1); - init_waitqueue_head(&cq->wait); + init_completion(&cq->free); spin_lock_init(&cq->cq_lock); memset(cmd, 0, sizeof(*cmd)); @@ -229,8 +229,9 @@ struct ib_cq *pvrdma_create_cq(struct ib_device *ibdev, static void pvrdma_free_cq(struct pvrdma_dev *dev, struct pvrdma_cq *cq) { - if (!refcount_dec_and_test(&cq->refcnt)) - wait_event(cq->wait, !refcount_read(&cq->refcnt)); + if (refcount_dec_and_test(&cq->refcnt)) + complete(&cq->free); + wait_for_completion(&cq->free); if (!cq->is_kernel) ib_umem_release(cq->umem); diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_main.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_main.c index 5cff9fa..939ac2f 100644 --- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_main.c +++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_main.c @@ -347,7 +347,7 @@ static void pvrdma_qp_event(struct pvrdma_dev *dev, u32 qpn, int type) } if (qp) { if (refcount_dec_and_test(&qp->refcnt)) - wake_up(&qp->wait); + complete(&qp->free); } } @@ -373,7 +373,7 @@ static void pvrdma_cq_event(struct pvrdma_dev *dev, u32 cqn, int type) } if (cq) { if (refcount_dec_and_test(&cq->refcnt)) - wake_up(&cq->wait); + complete(&cq->free); } } @@ -402,7 +402,7 @@ static void pvrdma_srq_event(struct pvrdma_dev *dev, u32 srqn, int type) } if (srq) { if (refcount_dec_and_test(&srq->refcnt)) - wake_up(&srq->wait); + complete(&srq->free); } } @@ -538,7 +538,7 @@ static irqreturn_t pvrdma_intrx_handler(int irq, void *dev_id) cq->ibcq.comp_handler(&cq->ibcq, cq->ibcq.cq_context); if (cq) { if (refcount_dec_and_test(&cq->refcnt)) - wake_up(&cq->wait); + complete(&cq->free); } pvrdma_idx_ring_inc(&ring->cons_head, ring_slots); } diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c index 9745cb1..7bf518b 100644 --- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c +++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c @@ -246,7 +246,7 @@ struct ib_qp *pvrdma_create_qp(struct ib_pd *pd, spin_lock_init(&qp->rq.lock); mutex_init(&qp->mutex); refcount_set(&qp->refcnt, 1); - init_waitqueue_head(&qp->wait); + init_completion(&qp->free); qp->state = IB_QPS_RESET; qp->is_kernel = !(pd->uobject && udata); @@ -427,8 +427,9 @@ static void pvrdma_free_qp(struct pvrdma_qp *qp) pvrdma_unlock_cqs(scq, rcq, &scq_flags, &rcq_flags); - if (!refcount_dec_and_test(&qp->refcnt)) - wait_event(qp->wait, !refcount_read(&qp->refcnt)); + if (refcount_dec_and_test(&qp->refcnt)) + complete(&qp->free); + wait_for_completion(&qp->free); if (!qp->is_kernel) { if (qp->rumem) diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_srq.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_srq.c index a2b1a3c..5acebb1 100644 --- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_srq.c +++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_srq.c @@ -149,7 +149,7 @@ struct ib_srq *pvrdma_create_srq(struct ib_pd *pd, spin_lock_init(&srq->lock); refcount_set(&srq->refcnt, 1); - init_waitqueue_head(&srq->wait); + init_completion(&srq->free); dev_dbg(&dev->pdev->dev, "create shared receive queue from user space\n"); @@ -236,8 +236,9 @@ static void pvrdma_free_srq(struct pvrdma_dev *dev, struct pvrdma_srq *srq) dev->srq_tbl[srq->srq_handle] = NULL; spin_unlock_irqrestore(&dev->srq_tbl_lock, flags); - if (!refcount_dec_and_test(&srq->refcnt)) - wait_event(srq->wait, !refcount_read(&srq->refcnt)); + if (refcount_dec_and_test(&srq->refcnt)) + complete(&srq->free); + wait_for_completion(&srq->free); /* There is no support for kernel clients, so this is safe. */ ib_umem_release(srq->umem);