Patch "RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt" has been added to the 6.9-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 26 May 2024 13:19:39 -0400

This is a note to let you know that I've just added the patch titled

    RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

to the 6.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rdma-rxe-fix-seg-fault-in-rxe_comp_queue_pkt.patch
and it can be found in the queue-6.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d3a53bbf0b7dd944c1a848a7f764e577bf1d2ce0
Author: Bob Pearson <rpearsonhpe@xxxxxxxxx>
Date:   Fri Mar 29 09:55:04 2024 -0500

    RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt
    
    [ Upstream commit 2b23b6097303ed0ba5f4bc036a1c07b6027af5c6 ]
    
    In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the
    resp_pkts queue and then a decision is made whether to run the completer
    task inline or schedule it. Finally the skb is dereferenced to bump a 'hw'
    performance counter. This is wrong because if the completer task is
    already running in a separate thread it may have already processed the skb
    and freed it which can cause a seg fault.  This has been observed
    infrequently in testing at high scale.
    
    This patch fixes this by changing the order of enqueuing the packet until
    after the counter is accessed.
    
    Link: https://lore.kernel.org/r/20240329145513.35381-4-rpearsonhpe@xxxxxxxxx
    Signed-off-by: Bob Pearson <rpearsonhpe@xxxxxxxxx>
    Fixes: 0b1e5b99a48b ("IB/rxe: Add port protocol stats")
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/infiniband/sw/rxe/rxe_comp.c b/drivers/infiniband/sw/rxe/rxe_comp.c
index b78b8c0856abd..c997b7cbf2a9e 100644
--- a/drivers/infiniband/sw/rxe/rxe_comp.c
+++ b/drivers/infiniband/sw/rxe/rxe_comp.c
@@ -131,12 +131,12 @@ void rxe_comp_queue_pkt(struct rxe_qp *qp, struct sk_buff *skb)
 {
 	int must_sched;
 
-	skb_queue_tail(&qp->resp_pkts, skb);
-
-	must_sched = skb_queue_len(&qp->resp_pkts) > 1;
+	must_sched = skb_queue_len(&qp->resp_pkts) > 0;
 	if (must_sched != 0)
 		rxe_counter_inc(SKB_TO_PKT(skb)->rxe, RXE_CNT_COMPLETER_SCHED);
 
+	skb_queue_tail(&qp->resp_pkts, skb);
+
 	if (must_sched)
 		rxe_sched_task(&qp->comp.task);
 	else







