| Message ID | 20230523054739.594384-1-yanjun.zhu@intel.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [1/1] RDMA/rxe: Fix the use-before-initialization error of resp_pkts | expand |
On Tue, May 23, 2023 at 01:47:39PM +0800, Zhu Yanjun wrote: > From: Zhu Yanjun <yanjun.zhu@linux.dev> > > In the following: > " > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:88 [inline] > dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 > assign_lock_key kernel/locking/lockdep.c:982 [inline] > register_lock_class+0xdb6/0x1120 kernel/locking/lockdep.c:1295 > __lock_acquire+0x10a/0x5df0 kernel/locking/lockdep.c:4951 > lock_acquire kernel/locking/lockdep.c:5691 [inline] > lock_acquire+0x1b1/0x520 kernel/locking/lockdep.c:5656 > __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] > _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162 > skb_dequeue+0x20/0x180 net/core/skbuff.c:3639 > drain_resp_pkts drivers/infiniband/sw/rxe/rxe_comp.c:555 [inline] > rxe_completer+0x250d/0x3cc0 drivers/infiniband/sw/rxe/rxe_comp.c:652 > rxe_qp_do_cleanup+0x1be/0x820 drivers/infiniband/sw/rxe/rxe_qp.c:761 > execute_in_process_context+0x3b/0x150 kernel/workqueue.c:3473 > __rxe_cleanup+0x21e/0x370 drivers/infiniband/sw/rxe/rxe_pool.c:233 > rxe_create_qp+0x3f6/0x5f0 drivers/infiniband/sw/rxe/rxe_verbs.c:583 > ... > " > This is a use-before-initialization problem. > > In the following function > " > 291 /* called by the create qp verb */ > 292 int rxe_qp_from_init(struct rxe_dev *rxe, struct rxe_qp *qp, > struct rxe_pd *pd, > 297 { > ... > 317 rxe_qp_init_misc(rxe, qp, init); > ... > 322 > 323 err = rxe_qp_init_resp(rxe, qp, init, udata, uresp); > 324 if (err) > 325 goto err2; <--- error > > ... > > 334 err2: > 335 rxe_queue_cleanup(qp->sq.queue); <--- Goto here > 336 qp->sq.queue = NULL; > " > In rxe_qp_init_resp, the error occurs before skb_queue_head_init. > So this call trace appeared. > > Reported-by: syzbot+eba589d8f49c73d356da@syzkaller.appspotmail.com > Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev> This needs a fixes line and a link line to the syzkaller report email Jason
在 2023/6/1 23:58, Jason Gunthorpe 写道: > On Tue, May 23, 2023 at 01:47:39PM +0800, Zhu Yanjun wrote: >> From: Zhu Yanjun <yanjun.zhu@linux.dev> >> >> In the following: >> " >> Call Trace: >> <TASK> >> __dump_stack lib/dump_stack.c:88 [inline] >> dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 >> assign_lock_key kernel/locking/lockdep.c:982 [inline] >> register_lock_class+0xdb6/0x1120 kernel/locking/lockdep.c:1295 >> __lock_acquire+0x10a/0x5df0 kernel/locking/lockdep.c:4951 >> lock_acquire kernel/locking/lockdep.c:5691 [inline] >> lock_acquire+0x1b1/0x520 kernel/locking/lockdep.c:5656 >> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] >> _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162 >> skb_dequeue+0x20/0x180 net/core/skbuff.c:3639 >> drain_resp_pkts drivers/infiniband/sw/rxe/rxe_comp.c:555 [inline] >> rxe_completer+0x250d/0x3cc0 drivers/infiniband/sw/rxe/rxe_comp.c:652 >> rxe_qp_do_cleanup+0x1be/0x820 drivers/infiniband/sw/rxe/rxe_qp.c:761 >> execute_in_process_context+0x3b/0x150 kernel/workqueue.c:3473 >> __rxe_cleanup+0x21e/0x370 drivers/infiniband/sw/rxe/rxe_pool.c:233 >> rxe_create_qp+0x3f6/0x5f0 drivers/infiniband/sw/rxe/rxe_verbs.c:583 >> ... >> " >> This is a use-before-initialization problem. >> >> In the following function >> " >> 291 /* called by the create qp verb */ >> 292 int rxe_qp_from_init(struct rxe_dev *rxe, struct rxe_qp *qp, >> struct rxe_pd *pd, >> 297 { >> ... >> 317 rxe_qp_init_misc(rxe, qp, init); >> ... >> 322 >> 323 err = rxe_qp_init_resp(rxe, qp, init, udata, uresp); >> 324 if (err) >> 325 goto err2; <--- error >> >> ... >> >> 334 err2: >> 335 rxe_queue_cleanup(qp->sq.queue); <--- Goto here >> 336 qp->sq.queue = NULL; >> " >> In rxe_qp_init_resp, the error occurs before skb_queue_head_init. >> So this call trace appeared. >> >> Reported-by: syzbot+eba589d8f49c73d356da@syzkaller.appspotmail.com >> Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev> > This needs a fixes line and a link line to the syzkaller report email Got it. I will fix it ASAP. Zhu Yanjun > > Jason
diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c index c5451a4488ca..22ef6188d7b1 100644 --- a/drivers/infiniband/sw/rxe/rxe_qp.c +++ b/drivers/infiniband/sw/rxe/rxe_qp.c @@ -176,6 +176,9 @@ static void rxe_qp_init_misc(struct rxe_dev *rxe, struct rxe_qp *qp, spin_lock_init(&qp->rq.producer_lock); spin_lock_init(&qp->rq.consumer_lock); + skb_queue_head_init(&qp->req_pkts); + skb_queue_head_init(&qp->resp_pkts); + atomic_set(&qp->ssn, 0); atomic_set(&qp->skb_out, 0); } @@ -234,8 +237,6 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, qp->req.opcode = -1; qp->comp.opcode = -1; - skb_queue_head_init(&qp->req_pkts); - rxe_init_task(&qp->req.task, qp, rxe_requester); rxe_init_task(&qp->comp.task, qp, rxe_completer); @@ -279,8 +280,6 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, } } - skb_queue_head_init(&qp->resp_pkts); - rxe_init_task(&qp->resp.task, qp, rxe_responder); qp->resp.opcode = OPCODE_NONE;