From: Bart Van Assche <bart.vanassche@wdc.com>
Date: Tue, 16 Jan 2018 16:14:06 -0800
Subject: IB/srpt: Rework srpt_disconnect_ch_sync()
Patch-mainline: v4.16-rc1
Git-commit: 4413834452a65dd322aeeb8da3b4da58b3daa73b
References: bsc#1103992 FATE#326009

This patch fixes a use-after-free issue for ch->release_done when
running the SRP protocol on top of the rdma_rxe driver.

Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
 drivers/infiniband/ulp/srpt/ib_srpt.c |   45 +++++++++++++++++-----------------
 drivers/infiniband/ulp/srpt/ib_srpt.h |    2 -
 2 files changed, 23 insertions(+), 24 deletions(-)

--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1841,6 +1841,23 @@ static int srpt_disconnect_ch(struct srp
 	return ret;
 }
 
+static bool srpt_ch_closed(struct srpt_device *sdev, struct srpt_rdma_ch *ch)
+{
+	struct srpt_rdma_ch *ch2;
+	bool res = true;
+
+	rcu_read_lock();
+	list_for_each_entry(ch2, &sdev->rch_list, list) {
+		if (ch2 == ch) {
+			res = false;
+			break;
+		}
+	}
+	rcu_read_unlock();
+
+	return res;
+}
+
 /*
  * Send DREQ and wait for DREP. Return true if and only if this function
  * changed the state of @ch.
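Review bot: srpt_ch_closed() walks sdev->rch_list under rcu_read_lock() with a plain list_for_each_entry(), yet its only caller in this patch evaluates it after sdev->mutex has been dropped, so RCU is the sole protection against the concurrent list_del_rcu() done by srpt_release_channel_work(). The traversal should be `list_for_each_entry_rcu(ch2, &sdev->rch_list, list) {` so the next-pointer loads carry rcu_dereference() semantics and sparse/lockdep can check the read-side critical section. The new helper also lacks a header; something like `/* Return true iff @ch is no longer on @sdev->rch_list. May be called without sdev->mutex. */` would tell the next reader why RCU rather than the mutex is used here.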
@@ -1848,31 +1865,24 @@ static int srpt_disconnect_ch(struct srp
 static bool srpt_disconnect_ch_sync(struct srpt_rdma_ch *ch)
 	__must_hold(&sdev->mutex)
 {
-	DECLARE_COMPLETION_ONSTACK(release_done);
 	struct srpt_device *sdev = ch->sport->sdev;
-	bool wait;
+	int ret;
 
 	lockdep_assert_held(&sdev->mutex);
 
 	pr_debug("ch %s-%d state %d\n", ch->sess_name, ch->qp->qp_num,
 		 ch->state);
 
-	WARN_ON(ch->release_done);
-	ch->release_done = &release_done;
-	wait = !list_empty(&ch->list);
-	srpt_disconnect_ch(ch);
+	ret = srpt_disconnect_ch(ch);
 	mutex_unlock(&sdev->mutex);
 
-	if (!wait)
-		goto out;
-
-	while (wait_for_completion_timeout(&release_done, 180 * HZ) == 0)
+	while (wait_event_timeout(sdev->ch_releaseQ, srpt_ch_closed(sdev, ch),
+				  5 * HZ) == 0)
 		pr_info("%s(%s-%d state %d): still waiting ...\n", __func__,
 			ch->sess_name, ch->qp->qp_num, ch->state);
 
-out:
 	mutex_lock(&sdev->mutex);
-	return wait;
+	return ret == 0;
 }
 
 static void srpt_set_enabled(struct srpt_port *sport, bool enabled)
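Review bot: The timeout branch of the new wait loop dereferences ch->sess_name, ch->qp->qp_num and ch->state after sdev->mutex has been released and after the srpt_ch_closed() check that returned false, so the channel can be unlinked and torn down by srpt_release_channel_work() between that check and the pr_info(); whether that becomes a use-after-free depends on how ch is freed, which is not visible in this hunk. It would be safer to snapshot what the message needs while the mutex is still held, e.g. `u32 qp_num = ch->qp->qp_num;` before `mutex_unlock(&sdev->mutex);`, and log only the snapshot (or re-take the mutex and re-check srpt_ch_closed() before touching ch). The return value changed from "a wait was needed" to `ret == 0`; this appears to match the "changed the state of @ch" header comment only if srpt_disconnect_ch() returns 0 exactly in that case, which is worth confirming and stating in the comment.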
@@ -1916,8 +1926,7 @@ static void srpt_release_channel_work(st
 	struct se_session *se_sess;
 
 	ch = container_of(w, struct srpt_rdma_ch, release_work);
-	pr_debug("%s: %s-%d; release_done = %p\n", __func__, ch->sess_name,
-		 ch->qp->qp_num, ch->release_done);
+	pr_debug("%s-%d\n", ch->sess_name, ch->qp->qp_num);
 
 	sdev = ch->sport->sdev;
 	BUG_ON(!sdev);
@@ -1946,14 +1955,6 @@ static void srpt_release_channel_work(st
 
 	mutex_lock(&sdev->mutex);
 	list_del_rcu(&ch->list);
-	if (ch->release_done)
-		complete(ch->release_done);
-	mutex_unlock(&sdev->mutex);
-
-	synchronize_rcu();
-
-	mutex_lock(&sdev->mutex);
-	INIT_LIST_HEAD(&ch->list);
 	mutex_unlock(&sdev->mutex);
 
 	wake_up(&sdev->ch_releaseQ);
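Review bot: The synchronize_rcu() that followed list_del_rcu(&ch->list) is removed, but the hunk ends before ch itself is released, so it is not visible whether that free is deferred through kfree_rcu() or an RCU callback. If it is a plain kfree(), an rcu_read_lock() reader positioned on ch when it is unlinked (srpt_ch_closed() from this patch, or any other RCU walker of rch_list) will still load ch->list.next from freed memory, which is the same class of bug the commit sets out to fix. Please confirm the free path is RCU-deferred, or keep a `synchronize_rcu();` after `mutex_unlock(&sdev->mutex);` ahead of the free; a comment such as `/* RCU readers may still reference ch; its memory must outlive a grace period. */` would document the dependency. srpt_release_channel_work() continues past the end of this hunk.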
--- a/drivers/infiniband/ulp/srpt/ib_srpt.h
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.h
@@ -270,7 +270,6 @@ enum rdma_ch_state {
  * @sess_name:     Session name.
  * @ini_guid:      Initiator port GUID.
  * @release_work:  Allows scheduling of srpt_release_channel().
- * @release_done:  Enables waiting for srpt_release_channel() completion.
  */
 struct srpt_rdma_ch {
 	struct ib_cm_id		*cm_id;
@@ -299,7 +298,6 @@ struct srpt_rdma_ch {
 	u8			sess_name[36];
 	u8			ini_guid[24];
 	struct work_struct	release_work;
-	struct completion	*release_done;
 };
 
 /**