From patchwork Tue Oct 30 13:54:24 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrew Boyer <andrew.boyer@dell.com>
X-Patchwork-Id: 10660953
Return-Path: <linux-rdma-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 369421932
	for <patchwork-linux-rdma@patchwork.kernel.org>;
 Tue, 30 Oct 2018 13:55:45 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1D8C4299B0
	for <patchwork-linux-rdma@patchwork.kernel.org>;
 Tue, 30 Oct 2018 13:55:45 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 11ABE2A4FA; Tue, 30 Oct 2018 13:55:45 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.7 required=2.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 76D12299B0
	for <patchwork-linux-rdma@patchwork.kernel.org>;
 Tue, 30 Oct 2018 13:55:44 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727650AbeJ3WtR (ORCPT
        <rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
        Tue, 30 Oct 2018 18:49:17 -0400
Received: from esa8.dell-outbound.iphmx.com ([68.232.149.218]:65066 "EHLO
        esa8.dell-outbound.iphmx.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1727705AbeJ3WtR (ORCPT
        <rfc822;linux-rdma@vger.kernel.org>);
        Tue, 30 Oct 2018 18:49:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
  d=dell.com; i=@dell.com; q=dns/txt; s=smtpout;
  t=1540907742; x=1572443742;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references;
  bh=rUtXP136aGF3T7pOl80usliCCHQJyCRAfhq+3SaRWbA=;
  b=yB7O/2P45uHCNaTiSbcPcXWEe2vuy22gN2xg3RsAfznBSC5IwLPsVqgs
   cj8ADdV1B+g/bqbuE4DUcsHfmmXJG5IGLLac4hnSmw+qp6jf7RAU/ebWX
   3veqXPVfL2ZmMAmbZty8l5e/Md7AW09qkePZwNoNCJoS86QzTYZvW42gd
   Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A2EPAACKYdhbhyeV50NkHAEBAQQBAQcEAQGBUQcBAQsBgVWCFCiMDl+kZhSBZgsBAYRsAoNHNA0NAQMBAQIBAQIBAQIQAQEBCgsJCCkvgjYigmQCAQMSFVIQUVcHEiKCf4ICnSICgRCJWAEBAYFoM4U8hGqHQYV+P4ERgmSFFIVzAohZGgeHLo5oBwKCEgSOZgsYkEiWfwIEAgQFAhSBQ4IOMxojgzyCJg4JjjZTi3gBAQ
X-IPAS-Result: 
 A2EPAACKYdhbhyeV50NkHAEBAQQBAQcEAQGBUQcBAQsBgVWCFCiMDl+kZhSBZgsBAYRsAoNHNA0NAQMBAQIBAQIBAQIQAQEBCgsJCCkvgjYigmQCAQMSFVIQUVcHEiKCf4ICnSICgRCJWAEBAYFoM4U8hGqHQYV+P4ERgmSFFIVzAohZGgeHLo5oBwKCEgSOZgsYkEiWfwIEAgQFAhSBQ4IOMxojgzyCJg4JjjZTi3gBAQ
Received: from mx0a-00154901.pphosted.com (HELO mx0b-00154901.pphosted.com)
 ([67.231.149.39])
  by esa8.dell-outbound.iphmx.com with ESMTP/TLS/AES256-SHA256;
 30 Oct 2018 08:55:41 -0500
Received: from pps.filterd (m0090350.ppops.net [127.0.0.1])
        by mx0b-00154901.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id
 w9UDm69Y021181
        for <linux-rdma@vger.kernel.org>; Tue, 30 Oct 2018 09:55:41 -0400
Received: from esa5.dell-outbound2.iphmx.com (esa5.dell-outbound2.iphmx.com
 [68.232.153.203])
        by mx0b-00154901.pphosted.com with ESMTP id 2ner0pg86w-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
 verify=FAIL)
        for <linux-rdma@vger.kernel.org>; Tue, 30 Oct 2018 09:55:41 -0400
Received: from mailuogwhop.emc.com ([168.159.213.141])
  by esa5.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-SHA256;
 30 Oct 2018 19:55:38 +0600
Received: from maildlpprd01.lss.emc.com (maildlpprd01.lss.emc.com
 [10.253.24.33])
        by mailuogwprd03.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0)
 with ESMTP id w9UDtbAD011352
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
 verify=NO);
        Tue, 30 Oct 2018 09:55:38 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd03.lss.emc.com w9UDtbAD011352
Received: from mailsyshubprd06.lss.emc.com (mailsyshubprd06.lss.emc.com
 [10.253.24.24]) by maildlpprd01.lss.emc.com (RSA Interceptor);
 Tue, 30 Oct 2018 09:55:19 -0400
Received: from hopcyc-boyera-1-00.cec.lab.emc.com
 (hopcyc-boyera-1-00.cec.lab.emc.com [10.244.196.91])
        by mailsyshubprd06.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0)
 with ESMTP id w9UDseSL028002;
        Tue, 30 Oct 2018 09:55:19 -0400
From: Andrew Boyer <andrew.boyer@dell.com>
To: monis@mellanox.com, yonatanc@mellanox.com,
        linux-rdma@vger.kernel.org
Cc: Andrew Boyer <andrew.boyer@dell.com>
Subject: [PATCH 1/4] RDMA/rxe: Avoid double-free panic on transmit error
Date: Tue, 30 Oct 2018 09:54:24 -0400
Message-Id: <20181030135427.19036-2-andrew.boyer@dell.com>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20181030135427.19036-1-andrew.boyer@dell.com>
References: <20181030135427.19036-1-andrew.boyer@dell.com>
X-RSA-Classifications: public
X-Sentrion-Hostname: mailuogwprd03.lss.emc.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,,
 definitions=2018-10-30_08:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 priorityscore=1501
 malwarescore=0 suspectscore=2 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0
 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.0.1-1807170000 definitions=main-1810300121
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

A previous commit removed the skb_clone() from rxe_send(). Instead, the
original skb is passed to ip[6]_local_out(). Thus, the network stack owns
the original skb, and the error handling code after rxe_xmit_packet() must
not try to free it again.

[  306.296924] kernel BUG at ../source/mm/slub.c:295!
[  306.298438] invalid opcode: 0000 [#1] SMP NOPTI
[  306.351552] task: ffff94e7ee271e40 task.stack: ffffa43382db4000
[  306.353363] RIP: 0010:kfree+0x173/0x180
[  306.354516] RSP: 0018:ffffa43382db7b60 EFLAGS: 00010246
[  306.356063] RAX: ffff94e6ab96ee00 RBX: ffff94e6ab96ee00 RCX: ffff94e6ab96ee00
[  306.358193] RDX: 0000000000007183 RSI: ffff94e7ffd24be0 RDI: ffff94e7f7003080
[  306.360327] RBP: ffff94e7ef963800 R08: ffffffffaac14e40 R09: ffffffffaa4c87de
[  306.362473] R10: ffffe13b84ae5b80 R11: ffff94e7ef963800 R12: ffffffffaa4c87de
[  306.364725] R13: 0000000000000000 R14: ffff94e7a4236590 R15: ffff94e7f0dc0000
[  306.366845] FS:  00007ff34f3e8700(0000) GS:ffff94e7ffd00000(0000) knlGS:0000000000000000
[  306.369297] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  306.371056] CR2: 00007ff347837080 CR3: 0000000146490002 CR4: 00000000001606e0
[  306.373317] Call Trace:
[  306.374222]  ? rxe_requester+0xea7/0x16e0 [rdma_rxe]
[  306.375750]  kfree_skb+0x2e/0x90
[  306.376725]  rxe_requester+0xea7/0x16e0 [rdma_rxe]
[  306.378158]  rxe_do_task+0x85/0xf0 [rdma_rxe]
[  306.379521]  rxe_queue_resize+0x8d1/0x1d30 [rdma_rxe]
[  306.381041]  ? ib_copy_path_rec_to_user+0x54b/0x7d0 [ib_uverbs]
[  306.382781]  ib_uverbs_post_send+0x5ac/0x680 [ib_uverbs]
[  306.384438]  ? dequeue_entity+0x539/0xad0
[  306.385618]  0xffffffffc09593b2
[  306.386548]  ? __schedule+0x2eb/0x890
[  306.387669]  ? hrtimer_start_range_ns+0x19e/0x3a0
[  306.389100]  __vfs_write+0x33/0x170
[  306.390274]  ? __inode_security_revalidate+0x4a/0x70
[  306.391739]  ? selinux_file_permission+0xdd/0x130
[  306.393145]  ? security_file_permission+0x36/0xb0
[  306.394561]  vfs_write+0xb3/0x1a0
[  306.395950]  SyS_write+0x52/0xc0
[  306.397180]  do_syscall_64+0x66/0x1d0
[  306.398615]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[  306.400245] RIP: 0033:0x7ff34f12a79d
[  306.401343] RSP: 002b:00007ff337e406f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[  306.403938] RAX: ffffffffffffffda RBX: 0000000032de2970 RCX: 00007ff34f12a79d
[  306.406014] RDX: 0000000000000020 RSI: 00007ff337e40730 RDI: 000000000000003b
[  306.408134] RBP: 0000000000000000 R08: 0000000000000508 R09: 00007ff34ad1cee0
[  306.410278] R10: 0000000000000006 R11: 0000000000000293 R12: 0000000000000001
[  306.412482] R13: 00007ff316d28280 R14: 000000000000004c R15: 0000000000000000
[  306.414671] Code: 80 74 04 41 8b 72 6c 5b 5d 41 5c 4c 89 d7 e9 f5 b0 f9 ff 48 89 d9 48 89 da 41 b8 01 00 00 00 5b 5d 41 5c 4c 89 d6 e9 0d f6 ff ff <0f> 0b 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41
[  306.422327] RIP: kfree+0x173/0x180 RSP: ffffa43382db7b60

Fixes: 5793b4652155 ("IB/rxe: remove unnecessary skb_clone in xmit")

Signed-off-by: Andrew Boyer <andrew.boyer@dell.com>
---
 drivers/infiniband/sw/rxe/rxe_loc.h  | 1 +
 drivers/infiniband/sw/rxe/rxe_req.c  | 3 +--
 drivers/infiniband/sw/rxe/rxe_resp.c | 7 +------
 3 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_loc.h b/drivers/infiniband/sw/rxe/rxe_loc.h
index b71023c1c58b..f139ea2e3c1b 100644
--- a/drivers/infiniband/sw/rxe/rxe_loc.h
+++ b/drivers/infiniband/sw/rxe/rxe_loc.h
@@ -254,6 +254,7 @@ static inline unsigned int wr_opcode_mask(int opcode, struct rxe_qp *qp)
 	return rxe_wr_opcode_info[opcode].mask[qp->ibqp.qp_type];
 }
 
+/* The caller must not touch the skb after calling this function */
 static inline int rxe_xmit_packet(struct rxe_dev *rxe, struct rxe_qp *qp,
 				  struct rxe_pkt_info *pkt, struct sk_buff *skb)
 {
diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c
index 7bdaf71b8221..78210c1d15d8 100644
--- a/drivers/infiniband/sw/rxe/rxe_req.c
+++ b/drivers/infiniband/sw/rxe/rxe_req.c
@@ -709,6 +709,7 @@ int rxe_requester(void *arg)
 
 	if (fill_packet(qp, wqe, &pkt, skb, payload)) {
 		pr_debug("qp#%d Error during fill packet\n", qp_num(qp));
+		kfree_skb(skb);
 		goto err;
 	}
 
@@ -728,7 +729,6 @@ int rxe_requester(void *arg)
 		rollback_state(wqe, qp, &rollback_wqe, rollback_psn);
 
 		if (ret == -EAGAIN) {
-			kfree_skb(skb);
 			rxe_run_task(&qp->req.task, 1);
 			goto exit;
 		}
@@ -741,7 +741,6 @@ int rxe_requester(void *arg)
 	goto next_wqe;
 
 err:
-	kfree_skb(skb);
 	wqe->status = IB_WC_LOC_PROT_ERR;
 	wqe->state = wqe_state_error;
 	__rxe_do_task(&qp->comp.task);
diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
index a65c9969f7fc..871bd6d8a11c 100644
--- a/drivers/infiniband/sw/rxe/rxe_resp.c
+++ b/drivers/infiniband/sw/rxe/rxe_resp.c
@@ -742,7 +742,6 @@ static enum resp_states read_reply(struct rxe_qp *qp,
 	err = rxe_xmit_packet(rxe, qp, &ack_pkt, skb);
 	if (err) {
 		pr_err("Failed sending RDMA reply.\n");
-		kfree_skb(skb);
 		return RESPST_ERR_RNR;
 	}
 
@@ -954,11 +953,8 @@ static int send_ack(struct rxe_qp *qp, struct rxe_pkt_info *pkt,
 	}
 
 	err = rxe_xmit_packet(rxe, qp, &ack_pkt, skb);
-	if (err) {
+	if (err)
 		pr_err_ratelimited("Failed sending ack\n");
-		kfree_skb(skb);
-	}
-
 err1:
 	return err;
 }
@@ -1141,7 +1137,6 @@ static enum resp_states duplicate_request(struct rxe_qp *qp,
 			if (rc) {
 				pr_err("Failed resending result. This flow is not handled - skb ignored\n");
 				rxe_drop_ref(qp);
-				kfree_skb(skb_copy);
 				rc = RESPST_CLEANUP;
 				goto out;
 			}