Patch "net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d13cace9d0d81b9bad1d6993e6acbd85dc87f82d
Author: D. Wythe <alibuda@xxxxxxxxxxxxxxxxx>
Date:   Wed Mar 8 16:17:12 2023 +0800

    net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()
    
    [ Upstream commit 22a825c541d775c1dbe7b2402786025acad6727b ]
    
    When performing a stress test on SMC-R by rmmod mlx5_ib driver
    during the wrk/nginx test, we found that there is a probability
    of triggering a panic while terminating all link groups.
    
    This issue is due to the race between smc_smcr_terminate_all()
    and smc_buf_create().
    
                            smc_smcr_terminate_all
    
    smc_buf_create
    /* init */
    conn->sndbuf_desc = NULL;
    ...
    
                            __smc_lgr_terminate
                                    smc_conn_kill
                                            smc_close_abort
                                                    smc_cdc_get_slot_and_msg_send
    
                            __softirqentry_text_start
                                    smc_wr_tx_process_cqe
                                            smc_cdc_tx_handler
                                                    READ(conn->sndbuf_desc->len);
                                                    /* panic due to NULL sndbuf_desc */
    
    conn->sndbuf_desc = xxx;
    
    This patch tries to fix the issue by always checking the sndbuf_desc
    before sending any cdc msg, to make sure that no null pointer is
    seen during cqe processing.
    
    Fixes: 0b29ec643613 ("net/smc: immediate termination for SMCR link groups")
    Signed-off-by: D. Wythe <alibuda@xxxxxxxxxxxxxxxxx>
    Reviewed-by: Tony Lu <tonylu@xxxxxxxxxxxxxxxxx>
    Reviewed-by: Wenjia Zhang <wenjia@xxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/1678263432-17329-1-git-send-email-alibuda@xxxxxxxxxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c
index 53f63bfbaf5f9..89105e95b4523 100644
--- a/net/smc/smc_cdc.c
+++ b/net/smc/smc_cdc.c
@@ -114,6 +114,9 @@ int smc_cdc_msg_send(struct smc_connection *conn,
 	union smc_host_cursor cfed;
 	int rc;
 
+	if (unlikely(!READ_ONCE(conn->sndbuf_desc)))
+		return -ENOBUFS;
+
 	smc_cdc_add_pending_send(conn, pend);
 
 	conn->tx_cdc_seq++;
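
Review bot: The new early return in smc_cdc_msg_send() sits before smc_cdc_add_pending_send(conn, pend), so on -ENOBUFS the pend handed in by the caller is never registered, and nothing in this hunk releases the send slot it belongs to. Please confirm that every caller, including the smc_cdc_get_slot_and_msg_send() path named in the commit message, releases the slot when this function fails, or release it here before returning. The guard would also benefit from a one-line comment saying that it protects the later dereference of conn->sndbuf_desc->len in smc_cdc_tx_handler(), since the reason for testing sndbuf_desc in the send path is not evident from the code alone.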


