Re: [PATCH] RDMA/cma: prevent rdma id destroy during cma_iw_handler

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for the comments.

On Jun 11, 2023 / 16:37, Leon Romanovsky wrote:
> On Sat, Jun 03, 2023 at 09:46:20AM +0900, Shin'ichiro Kawasaki wrote:
> > When rdma_destroy_id() and cma_iw_handler() race, struct rdma_id_private
> > *id_priv can be destroyed during cma_iw_handler call. This causes "BUG:
> > KASAN: slab-use-after-free" at mutex_lock() in cma_iw_handler().
> > To prevent the destroy of id_priv, keep its reference count by calling
> > cma_id_get() and cma_id_put() at start and end of cma_iw_handler().
> 
> Please add relevant kernel panic to commit message.

Sure, will do in v2.

> 
> > 
> > Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@xxxxxxx>
> > Cc: stable@xxxxxxxxxxxxxxx
> 
> Add Fixes line when you are fixing bug.

I see. I checked commit logs of drivers/infinibad/core/cma.c. It looks the issue
has been existing since the commit de910bd92137 ("RDMA/cma: Simplify locking
needed for serialization of callbacks") in 2008, which modified the method to
guard id_priv. I'll add the Fixes tag with this commit.

> 
> > ---
> > The BUG KASAN was observed with blktests at test cases nvme/030 or nvme/031,
> > using SIW transport [1]. To reproduce it, it is required to repeat the test
> > cases from 30 to 50 times on my test system.
> > 
> > [1] https://lore.kernel.org/linux-block/rsmmxrchy6voi5qhl4irss5sprna3f5owkqtvybxglcv2pnylm@xmrnpfu3tfpe/
> > 
> >  drivers/infiniband/core/cma.c | 3 +++
> >  1 file changed, 3 insertions(+)
> 
> The fix looks correct to me.
> 
> Thanks



[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Photo]     [Yosemite News]     [Yosemite Photos]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux