From patchwork Wed Mar 27 13:42:54 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrew Boyer <andrew.boyer@dell.com>
X-Patchwork-Id: 10873529
Return-Path: <linux-rdma-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7E8E4139A
	for <patchwork-linux-rdma@patchwork.kernel.org>;
 Wed, 27 Mar 2019 13:52:26 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6469128D97
	for <patchwork-linux-rdma@patchwork.kernel.org>;
 Wed, 27 Mar 2019 13:52:26 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 627EE28D66; Wed, 27 Mar 2019 13:52:26 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.7 required=2.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,TVD_RCVD_SPACE_BRACKET
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 00D3E28D97
	for <patchwork-linux-rdma@patchwork.kernel.org>;
 Wed, 27 Mar 2019 13:52:25 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728315AbfC0NwY (ORCPT
        <rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
        Wed, 27 Mar 2019 09:52:24 -0400
Received: from esa7.dell-outbound.iphmx.com ([68.232.153.96]:51811 "EHLO
        esa7.dell-outbound.iphmx.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726233AbfC0NwY (ORCPT
        <rfc822;linux-rdma@vger.kernel.org>);
        Wed, 27 Mar 2019 09:52:24 -0400
X-Greylist: delayed 502 seconds by postgrey-1.27 at vger.kernel.org;
 Wed, 27 Mar 2019 09:52:23 EDT
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
  d=dell.com; i=@dell.com; q=dns/txt; s=smtpout;
  t=1553694738; x=1585230738;
  h=from:to:cc:subject:date:message-id;
  bh=5FPFPZ5A6/ZgyOeSr9J0kAIwDceaoBEJYh2lwH+GrWY=;
  b=p782TqpGZUxr1Lc+FxumQg8SYMH7dbYHsxvG/njgRhFukxqXwHzolRA7
   C/o73bbrDIpts+h/ZurX/j7EQPD4ZvtHrkMFdcU/ZySb9yrETKkKgdrs9
   mEJmIcENEgmidFU1CjoaXHLCKzCFK/jLDkqFsc9ozfYrURANjruGknGIB
   w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A2EkAADLfJtchyWd50NjHAEBAQQBAQcEAQGBUwUBAQsBgWaCAxInjQmlDoF7DQEBhGyFUzYHDQEBAwEBCQEDAgEBAhABAQEKCwkIKS+COiKCchYMCVKBPxIigjVLgXadYD0Cb4EBiQcBAQGBazOFRoRogS8BhmmGHz+BEYJkbIolA4ogmwsHAoJLBJBsDBqUCwGIMYJ7kzoCBAIEBQIVgVQDggUzGiODPIIWDgmOOiQBMY91AQE
X-IPAS-Result: 
 A2EkAADLfJtchyWd50NjHAEBAQQBAQcEAQGBUwUBAQsBgWaCAxInjQmlDoF7DQEBhGyFUzYHDQEBAwEBCQEDAgEBAhABAQEKCwkIKS+COiKCchYMCVKBPxIigjVLgXadYD0Cb4EBiQcBAQGBazOFRoRogS8BhmmGHz+BEYJkbIolA4ogmwsHAoJLBJBsDBqUCwGIMYJ7kzoCBAIEBQIVgVQDggUzGiODPIIWDgmOOiQBMY91AQE
Received: from mx0b-00154901.pphosted.com (HELO mx0a-00154901.pphosted.com)
 ([67.231.157.37])
  by esa7.dell-outbound.iphmx.com with ESMTP/TLS/AES256-SHA256;
 27 Mar 2019 08:43:55 -0500
Received: from pps.filterd (m0089484.ppops.net [127.0.0.1])
        by mx0b-00154901.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id
 x2RDhYEJ085194
        for <linux-rdma@vger.kernel.org>; Wed, 27 Mar 2019 09:44:00 -0400
Received: from esa5.dell-outbound2.iphmx.com (esa5.dell-outbound2.iphmx.com
 [68.232.153.203])
        by mx0b-00154901.pphosted.com with ESMTP id 2rg7r00w9x-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
 verify=FAIL)
        for <linux-rdma@vger.kernel.org>; Wed, 27 Mar 2019 09:44:00 -0400
Received: from mailuogwdur.emc.com ([128.221.224.79])
  by esa5.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-SHA256;
 27 Mar 2019 19:43:55 +0600
Received: from emc.com (localhost [127.0.0.1])
        by mailuogwprd54.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0)
 with ESMTP id x2RDhueM008641;
        Wed, 27 Mar 2019 09:43:56 -0400
Received: from maildlpprd53.lss.emc.com ([maildlpprd53.lss.emc.com
 [10.106.48.157]]) by mailuogwprd54.lss.emc.com with ESMTP id x2RDhIZ0008365 ;
          Wed, 27 Mar 2019 09:43:21 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd54.lss.emc.com x2RDhIZ0008365
Received: from mailapphubprd02.lss.emc.com (emcmail.lss.emc.com
 [10.253.24.52]) by maildlpprd53.lss.emc.com (RSA Interceptor);
 Wed, 27 Mar 2019 09:43:06 -0400
Received: from hopcyc-boyera-1-00.cec.lab.emc.com
 (hopcyc-boyera-1-00.cec.lab.emc.com [10.244.196.91])
        by mailapphubprd02.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0)
 with ESMTP id x2RDh7aT009588;
        Wed, 27 Mar 2019 09:43:07 -0400
From: Andrew Boyer <andrew.boyer@dell.com>
To: shiraz.saleem@intel.com, linux-rdma@vger.kernel.org,
        aboyer@tobark.org
Cc: Andrew Boyer <andrew.boyer@dell.com>
Subject: [PATCH] rdma/i40iw: Add a reference when accepting a connection to
 avoid panic
Date: Wed, 27 Mar 2019 09:42:54 -0400
Message-Id: <20190327134254.1740-1-andrew.boyer@dell.com>
X-Mailer: git-send-email 2.16.2
X-RSA-Classifications: public
X-Sentrion-Hostname: mailuogwprd54.lss.emc.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,,
 definitions=2019-03-27_09:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 priorityscore=1501
 malwarescore=0 suspectscore=2 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0
 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.0.1-1810050000 definitions=main-1903270097
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

When a CONNECT_REQUEST is received on the listening side, a
new cm_node is created. A pointer to the cm_node is put into an iw_cm
event message, which is put on a workqueue and then sent to i40iw_accept().

The driver needs to add a reference to go with the iw_cm event so that the
cm_node cannot be destroyed before the workqueue item is processed.

Note that i40iw_accept() already releases a reference in two error paths;
these appear to be incorrect since there was no associated reference taken.

Backtrace:
[436732.936866] general protection fault: 0000 [#1] SMP NOPTI
[436732.937891] Modules linked in: ...
[436732.966395] CPU: 0 PID: 14062 Comm: CMIB Tainted: P           OE   4.14.19-coreos-r9999.1533000047-442 #1
[436732.970042] task: ffff8bd589113c80 task.stack: ffff99c047710000
[436732.971123] RIP: 0010:i40iw_accept+0x2d0/0x4c0 [i40iw]
[436732.972065] RSP: 0018:ffff99c047713b28 EFLAGS: 00010046
[436732.973022] RAX: 0000000000000296 RBX: ffff8bcf356a1800 RCX: ffff8bcf356a34c0
[436732.974314] RDX: dead000000000200 RSI: ffff8bd53818b1c0 RDI: dead000000000100
[436732.975607] RBP: ffff99c047713c68 R08: 0000000000000000 R09: ffff8bd53818dc40
[436732.976902] R10: ffff99c047713a08 R11: 0000000000000004 R12: ffff8bd538188018
[436732.978192] R13: ffff8bd53818b220 R14: ffff8bd648826800 R15: ffff8bcf356a3400
[436732.979480] FS:  00007fc6ceba2700(0000) GS:ffff8bd674400000(0000) knlGS:0000000000000000
[436732.980937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[436732.981983] CR2: 00007faa0ea26270 CR3: 00000016fa6ce003 CR4: 00000000003606f0
[436732.983312] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[436732.984602] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[436732.985893] Call Trace:
[436732.986368]  iw_cm_accept+0x8d/0x550 [iw_cm]
[436732.987159]  rdma_accept+0x1e8/0x260 [rdma_cm]
[436732.987982]  0xffffffffc0ad1141
[436732.988574]  0xffffffffc0ad14cd
[436732.989168]  __vfs_write+0x33/0x150
[436732.989824]  ? __inode_security_revalidate+0x4a/0x70
[436732.990734]  ? selinux_file_permission+0xdd/0x130
[436732.991600]  ? security_file_permission+0x36/0xb0
[436732.992466]  vfs_write+0xb3/0x1a0
[436732.993088]  SyS_write+0x52/0xc0
[436732.993698]  do_syscall_64+0x66/0x1d0
[436732.994384]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[436732.995311] RIP: 0033:0x7fc79f7676ad
[436732.995981] RSP: 002b:00007fc76d371040 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[436732.997355] RAX: ffffffffffffffda RBX: 0000000028c80950 RCX: 00007fc79f7676ad
[436732.998646] RDX: 0000000000000128 RSI: 00007fc76d371050 RDI: 000000000000005c
[436732.999934] RBP: 00007fc76d371050 R08: 0000000000000000 R09: 0000000028cc2400
[436733.001221] R10: 0000000000000009 R11: 0000000000000293 R12: 00007fc76d3711d0
[436733.002508] R13: 0000000028c80950 R14: 0000000028cc0950 R15: 000000002796b010
[436733.003798] Code: ...
[436733.007166] RIP: i40iw_accept+0x2d0/0x4c0 [i40iw] RSP: ffff99c047713b28

Fixes: f27b4746f378e ("i40iw: add connection management code"
Signed-off-by: Andrew Boyer <andrew.boyer@dell.com>
---
 drivers/infiniband/hw/i40iw/i40iw_cm.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c
index 206cfb0016f8..28e92a68c178 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
@@ -272,6 +272,9 @@ static int i40iw_send_cm_event(struct i40iw_cm_node *cm_node,
 		event.private_data = (void *)cm_node->pdata_buf;
 		event.private_data_len = (u8)cm_node->pdata.size;
 		event.ird = cm_node->ird_size;
+
+		/* Take a reference to go with the iw_cm event */
+		atomic_inc(&cm_node->ref_count);
 		break;
 	case IW_CM_EVENT_CONNECT_REPLY:
 		i40iw_get_cmevent_info(cm_node, cm_id, &event);
@@ -3642,15 +3645,19 @@ int i40iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
 	unsigned long flags;
 
 	memset(&attr, 0, sizeof(attr));
+
+	cm_node = (struct i40iw_cm_node *)cm_id->provider_data;
+
 	ibqp = i40iw_get_qp(cm_id->device, conn_param->qpn);
-	if (!ibqp)
+	if (!ibqp) {
+		i40iw_rem_ref_cm_node(cm_node);
 		return -EINVAL;
+	}
 
 	iwqp = to_iwqp(ibqp);
 	iwdev = iwqp->iwdev;
 	dev = &iwdev->sc_dev;
 	cm_core = &iwdev->cm_core;
-	cm_node = (struct i40iw_cm_node *)cm_id->provider_data;
 
 	if (((struct sockaddr_in *)&cm_id->local_addr)->sin_family == AF_INET) {
 		cm_node->ipv4 = true;
@@ -3683,9 +3690,11 @@ int i40iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
 	buf_len = conn_param->private_data_len + I40IW_MAX_IETF_SIZE;
 
 	status = i40iw_allocate_dma_mem(dev->hw, &iwqp->ietf_mem, buf_len, 1);
-
-	if (status)
+	if (status) {
+		i40iw_rem_ref_cm_node(cm_node);
 		return -ENOMEM;
+	}
+
 	cm_node->pdata.size = conn_param->private_data_len;
 	accept.addr = iwqp->ietf_mem.va;
 	accept.size = i40iw_cm_build_mpa_frame(cm_node, &accept, MPA_KEY_REPLY);
@@ -3706,6 +3715,7 @@ int i40iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
 					 &tagged_offset);
 		if (IS_ERR(ibmr)) {
 			i40iw_free_dma_mem(dev->hw, &iwqp->ietf_mem);
+			i40iw_rem_ref_cm_node(cm_node);
 			return -ENOMEM;
 		}
 
@@ -3767,6 +3777,7 @@ int i40iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
 		atomic_dec(&cm_node->listener->pend_accepts_cnt);
 		cm_node->accept_pend = 0;
 	}
+	i40iw_rem_ref_cm_node(cm_node);
 	return 0;
 }