This is a note to let you know that I've just added the patch titled
xprtrdma: Fix trace point use-after-free race
to the 5.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
xprtrdma-fix-trace-point-use-after-free-race.patch
and it can be found in the queue-5.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From bdb2ce82818577ba6e57b7d68b698b8d17329281 Mon Sep 17 00:00:00 2001
From: Chuck Lever <chuck.lever@xxxxxxxxxx>
Date: Sun, 19 Apr 2020 20:03:05 -0400
Subject: xprtrdma: Fix trace point use-after-free race
From: Chuck Lever <chuck.lever@xxxxxxxxxx>
commit bdb2ce82818577ba6e57b7d68b698b8d17329281 upstream.
It's not safe to use resources pointed to by the @send_wr of
ib_post_send() _after_ that function returns. Those resources are
typically freed by the Send completion handler, which can run before
ib_post_send() returns.
Thus the trace points currently around ib_post_send() in the
client's RPC/RDMA transport are a hazard, even when they are
disabled. Rearrange them so that they touch the Work Request only
_before_ ib_post_send() is invoked.
Fixes: ab03eff58eb5 ("xprtrdma: Add trace points in RPC Call transmit paths")
Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
Signed-off-by: Anna Schumaker <Anna.Schumaker@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
include/trace/events/rpcrdma.h | 12 ++++--------
net/sunrpc/xprtrdma/verbs.c | 2 +-
2 files changed, 5 insertions(+), 9 deletions(-)
--- a/include/trace/events/rpcrdma.h
+++ b/include/trace/events/rpcrdma.h
@@ -721,11 +721,10 @@ TRACE_EVENT(xprtrdma_prepsend_failed,
TRACE_EVENT(xprtrdma_post_send,
TP_PROTO(
- const struct rpcrdma_req *req,
- int status
+ const struct rpcrdma_req *req
),
- TP_ARGS(req, status),
+ TP_ARGS(req),
TP_STRUCT__entry(
__field(const void *, req)
@@ -734,7 +733,6 @@ TRACE_EVENT(xprtrdma_post_send,
__field(unsigned int, client_id)
__field(int, num_sge)
__field(int, signaled)
- __field(int, status)
),
TP_fast_assign(
@@ -747,15 +745,13 @@ TRACE_EVENT(xprtrdma_post_send,
__entry->sc = req->rl_sendctx;
__entry->num_sge = req->rl_wr.num_sge;
__entry->signaled = req->rl_wr.send_flags & IB_SEND_SIGNALED;
- __entry->status = status;
),
- TP_printk("task:%u@%u req=%p sc=%p (%d SGE%s) %sstatus=%d",
+ TP_printk("task:%u@%u req=%p sc=%p (%d SGE%s) %s",
__entry->task_id, __entry->client_id,
__entry->req, __entry->sc, __entry->num_sge,
(__entry->num_sge == 1 ? "" : "s"),
- (__entry->signaled ? "signaled " : ""),
- __entry->status
+ (__entry->signaled ? "signaled" : "")
)
);
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -1526,8 +1526,8 @@ rpcrdma_ep_post(struct rpcrdma_ia *ia,
--ep->rep_send_count;
}
- rc = frwr_send(ia, req);
trace_xprtrdma_post_send(req, rc);
+ rc = frwr_send(ia, req);
if (rc)
return -ENOTCONN;
return 0;
Patches currently in stable-queue which might be from chuck.lever@xxxxxxxxxx are
queue-5.6/xprtrdma-fix-trace-point-use-after-free-race.patch
