[15/31] rdma/siw: create a temporary copy of private data

Message ID	a382dd6f7560b1a311484c656216fcdb9de56ff6.1620343860.git.metze@samba.org (mailing list archive)
State	Changes Requested
Headers	show Return-Path: <linux-rdma-owner@kernel.org> From: Stefan Metzmacher <metze@samba.org> To: Bernard Metzler <bmt@zurich.ibm.com> Cc: linux-rdma@vger.kernel.org, Stefan Metzmacher <metze@samba.org> Subject: [PATCH 15/31] rdma/siw: create a temporary copy of private data Date: Fri, 7 May 2021 01:36:21 +0200 Message-Id: <a382dd6f7560b1a311484c656216fcdb9de56ff6.1620343860.git.metze@samba.org> In-Reply-To: <cover.1620343860.git.metze@samba.org> References: <cover.1620343860.git.metze@samba.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	rdma/siw: fix a lot of deadlocks and use after free bugs \| expand [00/31] rdma/siw: fix a lot of deadlocks and use after free bugs [01/31] rdma/siw: fix warning in siw_proc_send() [02/31] rdma/siw: call smp_mb() after mem->stag_valid = 0 in siw_invalidate_stag() too [03/31] rdma/siw: remove superfluous siw_cep_put() from siw_connect() error path [04/31] rdma/siw: let siw_accept() deferr RDMA_MODE until EVENT_ESTABLISHED [05/31] rdma/siw: make use of kernel_{bind,connect,listen}() [06/31] rdma/siw: make siw_cm_upcall() a noop without valid 'id' [07/31] rdma/siw: split out a __siw_cep_terminate_upcall() function [08/31] rdma/siw: use __siw_cep_terminate_upcall() for indirect SIW_CM_WORK_CLOSE_LLP [09/31] rdma/siw: use __siw_cep_terminate_upcall() for SIW_CM_WORK_PEER_CLOSE [10/31] rdma/siw: use __siw_cep_terminate_upcall() for SIW_CM_WORK_MPATIMEOUT [11/31] rdma/siw: introduce SIW_EPSTATE_ACCEPTING/REJECTING for rdma_accept/rdma_reject [12/31] rdma/siw: add some debugging of state and sk_state to the teardown process [13/31] rdma/siw: handle SIW_EPSTATE_CONNECTING in __siw_cep_terminate_upcall() [14/31] rdma/siw: let siw_connect() set AWAIT_MPAREP before siw_send_mpareqrep() [15/31] rdma/siw: create a temporary copy of private data [16/31] rdma/siw: use error and out logic at the end of siw_connect() [17/31] rdma/siw: start mpa timer before calling siw_send_mpareqrep() [18/31] rdma/siw: call the blocking kernel_bindconnect() just before siw_send_mpareqrep() [19/31] rdma/siw: split out a __siw_cep_close() function [20/31] rdma/siw: implement non-blocking connect. [21/31] rdma/siw: let siw_listen_address() call siw_cep_alloc() first [22/31] rdma/siw: let siw_listen_address() call siw_cep_set_inuse() early [23/31] rdma/siw: make use of __siw_cep_close() in siw_accept() [24/31] rdma/siw: do the full disassociation of cep and qp in siw_qp_llp_close() [25/31] rdma/siw: fix double siw_cep_put() in siw_cm_work_handler() [26/31] rdma/siw: make use of __siw_cep_close() in siw_cm_work_handler() [27/31] rdma/siw: fix the "close" logic in siw_qp_cm_drop() [28/31] rdma/siw: make use of __siw_cep_close() in siw_qp_cm_drop() [29/31] rdma/siw: make use of __siw_cep_close() in siw_reject() [30/31] rdma/siw: make use of __siw_cep_close() in siw_listen_address() [31/31] rdma/siw: make use of __siw_cep_close() in siw_drop_listeners()

Message ID

a382dd6f7560b1a311484c656216fcdb9de56ff6.1620343860.git.metze@samba.org (mailing list archive)

State

Changes Requested

Headers

From: Stefan Metzmacher <metze@samba.org>
To: Bernard Metzler <bmt@zurich.ibm.com>
Cc: linux-rdma@vger.kernel.org, Stefan Metzmacher <metze@samba.org>
Subject: [PATCH 15/31] rdma/siw: create a temporary copy of private data
Date: Fri,  7 May 2021 01:36:21 +0200
Message-Id: 
 <a382dd6f7560b1a311484c656216fcdb9de56ff6.1620343860.git.metze@samba.org>
In-Reply-To: <cover.1620343860.git.metze@samba.org>
References: <cover.1620343860.git.metze@samba.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

rdma/siw: fix a lot of deadlocks and use after free bugs | expand

Commit Message

Stefan Metzmacher May 6, 2021, 11:36 p.m. UTC

The final patch will implement a non-blocking connect,
which means that siw_connect() will be split into
siw_connect() and siw_connected().

kernel_bindconnect() will be the last action
in siw_connect(), while the MPA negotiation
is deferred to siw_connected().

We should not rely on the callers private data
pointers to be still valid when siw_connected()
is called, so we better create a copy.

Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Cc: Bernard Metzler <bmt@zurich.ibm.com>
Cc: linux-rdma@vger.kernel.org
---
 drivers/infiniband/sw/siw/siw_cm.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

Comments

Bernard Metzler May 11, 2021, 12:15 p.m. UTC | #1

-----"Stefan Metzmacher" <metze@samba.org> wrote: -----

>To: "Bernard Metzler" <bmt@zurich.ibm.com>
>From: "Stefan Metzmacher" <metze@samba.org>
>Date: 05/07/2021 01:38AM
>Cc: linux-rdma@vger.kernel.org, "Stefan Metzmacher" <metze@samba.org>
>Subject: [EXTERNAL] [PATCH 15/31] rdma/siw: create a temporary copy
>of private data
>
>The final patch will implement a non-blocking connect,
>which means that siw_connect() will be split into
>siw_connect() and siw_connected().
>
>kernel_bindconnect() will be the last action
>in siw_connect(), while the MPA negotiation
>is deferred to siw_connected().
>

While it adds complexity, I really like the non-blocking
connect(). It would be much easier to review if a single
patch would introduce that on top of the previous work.

>We should not rely on the callers private data
>pointers to be still valid when siw_connected()
>is called, so we better create a copy.
>
>Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Cc: Bernard Metzler <bmt@zurich.ibm.com>
>Cc: linux-rdma@vger.kernel.org
>---
> drivers/infiniband/sw/siw/siw_cm.c | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/infiniband/sw/siw/siw_cm.c
>b/drivers/infiniband/sw/siw/siw_cm.c
>index 027bc18cb801..41d3436985a6 100644
>--- a/drivers/infiniband/sw/siw/siw_cm.c
>+++ b/drivers/infiniband/sw/siw/siw_cm.c
>@@ -1519,13 +1519,25 @@ int siw_connect(struct iw_cm_id *id, struct
>iw_cm_conn_param *params)
> 	}
> 	memcpy(cep->mpa.hdr.key, MPA_KEY_REQ, 16);
> 
>+	cep->mpa.pdata = kmemdup(params->private_data, pd_len, GFP_KERNEL);
>+	if (IS_ERR_OR_NULL(cep->mpa.pdata)) {
>+		rv = -ENOMEM;
>+		goto error;
>+	}
>+	cep->mpa.hdr.params.pd_len = pd_len;
>+
> 	cep->state = SIW_EPSTATE_AWAIT_MPAREP;
> 
>-	rv = siw_send_mpareqrep(cep, params->private_data, pd_len);
>+	rv = siw_send_mpareqrep(cep, cep->mpa.pdata,
>+				cep->mpa.hdr.params.pd_len);
> 	/*
> 	 * Reset private data.
> 	 */
>-	cep->mpa.hdr.params.pd_len = 0;
>+	if (cep->mpa.hdr.params.pd_len) {
>+		cep->mpa.hdr.params.pd_len = 0;
>+		kfree(cep->mpa.pdata);
>+		cep->mpa.pdata = NULL;
>+	}
> 
> 	if (rv >= 0) {
> 		rv = siw_cm_queue_work(cep, SIW_CM_WORK_MPATIMEOUT);
>-- 
>2.25.1
>
>

diff --git a/drivers/infiniband/sw/siw/siw_cm.c b/drivers/infiniband/sw/siw/siw_cm.c
index 027bc18cb801..41d3436985a6 100644
--- a/drivers/infiniband/sw/siw/siw_cm.c
+++ b/drivers/infiniband/sw/siw/siw_cm.c
@@ -1519,13 +1519,25 @@  int siw_connect(struct iw_cm_id *id, struct iw_cm_conn_param *params)
 	}
 	memcpy(cep->mpa.hdr.key, MPA_KEY_REQ, 16);
 
+	cep->mpa.pdata = kmemdup(params->private_data, pd_len, GFP_KERNEL);
+	if (IS_ERR_OR_NULL(cep->mpa.pdata)) {
+		rv = -ENOMEM;
+		goto error;
+	}
+	cep->mpa.hdr.params.pd_len = pd_len;
+
 	cep->state = SIW_EPSTATE_AWAIT_MPAREP;
 
-	rv = siw_send_mpareqrep(cep, params->private_data, pd_len);
+	rv = siw_send_mpareqrep(cep, cep->mpa.pdata,
+				cep->mpa.hdr.params.pd_len);
 	/*
 	 * Reset private data.
 	 */
-	cep->mpa.hdr.params.pd_len = 0;
+	if (cep->mpa.hdr.params.pd_len) {
+		cep->mpa.hdr.params.pd_len = 0;
+		kfree(cep->mpa.pdata);
+		cep->mpa.pdata = NULL;
+	}
 
 	if (rv >= 0) {
 		rv = siw_cm_queue_work(cep, SIW_CM_WORK_MPATIMEOUT);

[15/31] rdma/siw: create a temporary copy of private data

Commit Message

Comments

Patch