From patchwork Wed Jan 3 21:39:20 2018
X-Patchwork-Submitter: Bart Van Assche
X-Patchwork-Id: 10143501
X-Patchwork-Delegate: dledford@redhat.com
From: Bart Van Assche
To: Jason Gunthorpe
Cc: Doug Ledford, linux-rdma@vger.kernel.org, Bart Van Assche
Subject: [PATCH 10/28] IB/srpt: Rework srpt_disconnect_ch_sync()
Date: Wed, 3 Jan 2018 13:39:20 -0800
Message-Id: <20180103213938.11664-11-bart.vanassche@wdc.com>
X-Mailer: git-send-email 2.15.1
In-Reply-To: <20180103213938.11664-1-bart.vanassche@wdc.com>
References: <20180103213938.11664-1-bart.vanassche@wdc.com>
X-Mailing-List: linux-rdma@vger.kernel.org

This patch fixes a use-after-free issue for ch->release_done when running
the SRP protocol on top of the rdma_rxe driver.

Signed-off-by: Bart Van Assche
---
 drivers/infiniband/ulp/srpt/ib_srpt.c | 40 +++++++++++++++++++++--------------
 drivers/infiniband/ulp/srpt/ib_srpt.h |  2 --
 2 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c index d7143cf6a882..943fec0d0548 100644 --- a/drivers/infiniband/ulp/srpt/ib_srpt.c +++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1787,6 +1787,24 @@ static int srpt_disconnect_ch(struct srpt_rdma_ch *ch) return ret; } +static bool srpt_ch_closed(struct srpt_device *sdev, struct srpt_rdma_ch *ch) +{ + struct srpt_rdma_ch *ch2; + bool res = true; + + rcu_read_lock(); + list_for_each_entry(ch2, &sdev->rch_list, list) { + if (ch2 == ch) { + res = false; + goto done; + } + } +done: + rcu_read_unlock(); + + return res; +} + /* * Send DREQ and wait for DREP. Return true if and only if this function * changed the state of @ch. @@ -1794,31 +1812,24 @@ static int srpt_disconnect_ch(struct srpt_rdma_ch *ch) static bool srpt_disconnect_ch_sync(struct srpt_rdma_ch *ch) __must_hold(&sdev->mutex) { - DECLARE_COMPLETION_ONSTACK(release_done); struct srpt_device *sdev = ch->sport->sdev; - bool wait; + int ret; lockdep_assert_held(&sdev->mutex); pr_debug("ch %s-%d state %d\n", ch->sess_name, ch->qp->qp_num, ch->state); - WARN_ON(ch->release_done); - ch->release_done = &release_done; - wait = !list_empty(&ch->list); - srpt_disconnect_ch(ch); + ret = srpt_disconnect_ch(ch); mutex_unlock(&sdev->mutex); - if (!wait) - goto out; - - while (wait_for_completion_timeout(&release_done, 180 * HZ) == 0) + while (wait_event_timeout(sdev->ch_releaseQ, srpt_ch_closed(sdev, ch), + 5 * HZ) == 0) pr_info("%s(%s-%d state %d): still waiting ...\n", __func__, ch->sess_name, ch->qp->qp_num, ch->state); -out: mutex_lock(&sdev->mutex); - return wait; + return ret == 0; } static void srpt_set_enabled(struct srpt_port *sport, bool enabled) @@ -1862,8 +1873,7 @@ static void srpt_release_channel_work(struct work_struct *w) struct se_session *se_sess; ch = container_of(w, struct srpt_rdma_ch, release_work); - pr_debug("%s: %s-%d; release_done = %p\n", __func__, ch->sess_name, - ch->qp->qp_num, ch->release_done); + pr_debug("%s: %s-%d\n", __func__, ch->sess_name, ch->qp->qp_num); sdev = ch->sport->sdev; BUG_ON(!sdev); 
@@ -1892,8 +1902,6 @@ static void srpt_release_channel_work(struct work_struct *w) mutex_lock(&sdev->mutex); list_del_init(&ch->list); - if (ch->release_done) - complete(ch->release_done); mutex_unlock(&sdev->mutex); wake_up(&sdev->ch_releaseQ); diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.h b/drivers/infiniband/ulp/srpt/ib_srpt.h index d2c08ca2bd74..3f4142edc53b 100644 --- a/drivers/infiniband/ulp/srpt/ib_srpt.h +++ b/drivers/infiniband/ulp/srpt/ib_srpt.h @@ -261,7 +261,6 @@ enum rdma_ch_state { * @sess_name: Session name. * @ini_guid: Initiator port GUID. * @release_work: Allows scheduling of srpt_release_channel(). - * @release_done: Enables waiting for srpt_release_channel() completion. */ struct srpt_rdma_ch { struct ib_cm_id *cm_id; @@ -290,7 +289,6 @@ struct srpt_rdma_ch { u8 sess_name[36]; u8 ini_guid[24]; struct work_struct release_work; - struct completion *release_done; }; /**
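
Review bot: In the new srpt_ch_closed() (hunk at -1787,6 +1787,24), the walk over sdev->rch_list uses plain list_for_each_entry() inside rcu_read_lock(), yet the only removal visible in this patch is list_del_init(&ch->list) under sdev->mutex in srpt_release_channel_work(), and srpt_disconnect_ch_sync() calls the helper after mutex_unlock(&sdev->mutex). rcu_read_lock() does not exclude that writer, and list_del_init() re-initialises the removed entry so that it points at itself, which means a reader standing on an entry that a concurrent release removes may never get back to the list head. Please either pair list_for_each_entry_rcu() here with list_del_rcu() on the removal side, or add a comment stating what makes the plain traversal safe without the mutex. Minor style point: the goto done inside the loop can be a break.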
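
Review bot: In the wait loop of srpt_disconnect_ch_sync() (hunk at -1794,31 +1812,24), pr_info() still reads ch->sess_name, ch->qp->qp_num and ch->state after mutex_unlock(&sdev->mutex), while srpt_ch_closed() only ever compares the ch pointer. If the channel can go away once the release work has taken it off rch_list, this message can race with that; consider copying the values the message needs into locals before dropping the mutex. Two things are also missing from the commit message: the timeout drops from 180 * HZ to 5 * HZ, so the "still waiting ..." line now repeats every five seconds, and the return value changes from wait (channel was on the list) to ret == 0, which may alter what callers observe. Please say whether both are intended.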