Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

RDMA/rxe: Prevent access to wr->next ptr after wr is posted to send queue

rxe_post_send_kernel() iterates over linked list of wr's, until the
wr->next ptr is NULL. However if we've got an interrupt after last wr is
posted, control may be returned to the code after send completion callback
is executed and wr memory is freed.

As a result, wr->next pointer may contain incorrect value leading to
panic. Store the wr->next on the stack before posting it.

Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://lore.kernel.org/r/20200716190340.23453-1-m.malygin@yadro.com
Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

Authored by Mikhail Malygin and committed by Jason Gunthorpe
5f0b2a60 eb7f84e3

+4 -1
drivers/infiniband/sw/rxe/rxe_verbs.c
··· 682 682 unsigned int mask; 683 683 unsigned int length = 0; 684 684 int i; 685 + struct ib_send_wr *next; 685 686 686 687 while (wr) { 687 688 mask = wr_opcode_mask(wr->opcode, qp); ··· 699 698 break; 700 699 } 701 700 701 + next = wr->next; 702 + 702 703 length = 0; 703 704 for (i = 0; i < wr->num_sge; i++) 704 705 length += wr->sg_list[i].length; ··· 711 708 *bad_wr = wr; 712 709 break; 713 710 } 714 - wr = wr->next; 711 + wr = next; 715 712 } 716 713 717 714 rxe_run_task(&qp->req.task, 1);
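
Review bot: the new declaration `struct ib_send_wr *next;` in the first hunk carries no qualifier, and the type of `wr` is not visible in the diff. If the function receives `wr` as a pointer to const, `next = wr->next;` and `wr = next;` will mix qualifiers and produce a compiler warning, so `next` should be declared with exactly the same qualifiers as `wr`. Please confirm against the function signature before merging.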
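
Review bot: `next = wr->next;` in the second hunk and `wr = next;` in the third have no comment, and without one the temporary looks redundant and invites a later cleanup back to `wr = wr->next`, which would reintroduce the use-after-free described in the commit message. Add a short comment above `next = wr->next;` stating that the wr may be freed by the send completion as soon as it is posted, so nothing may dereference `wr` after the post call. The save is correctly placed after the validation `break`, since that path never posts the wr.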