Unverified Commit a817551c authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!6879 net/smc: Fix possible access to freed memory in link clear 

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhengchao Shao <shaozhengchao@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/T3B2TECNQUDDGG523TMMIINX6PYBDWM3/ 
 
https://gitee.com/src-openeuler/kernel/issues/I9LK4T 
 
Link:https://gitee.com/openeuler/kernel/pulls/6879

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents 54216dd6 ff74243f

net/smc/smc_core.c

+1 −0
Original line number Diff line number Diff line
@@ -703,6 +703,7 @@ int smcr_link_init(struct smc_link_group *lgr, struct smc_link *lnk, 
	lnk->lgr = lgr;

	smc_lgr_hold(lgr); /* lgr_put in smcr_link_clear() */

	lnk->link_idx = link_idx;

	lnk->wr_rx_id_compl = 0;

	lnk->smcibdev = ini->ib_dev;

	lnk->ibport = ini->ib_port;

	smc_ibdev_cnt_inc(lnk);

net/smc/smc_core.h

+2 −0
Original line number Diff line number Diff line
@@ -105,8 +105,10 @@ struct smc_link { 
	/* above three vectors have wr_rx_cnt elements and use the same index */

	dma_addr_t		wr_rx_dma_addr;	/* DMA address of wr_rx_bufs */

	u64			wr_rx_id;	/* seq # of last recv WR */

	u64			wr_rx_id_compl;	/* seq # of last completed WR */

	u32			wr_rx_cnt;	/* number of WR recv buffers */

	unsigned long		wr_rx_tstamp;	/* jiffies when last buf rx */

	wait_queue_head_t	wr_rx_empty_wait; /* wait for RQ empty */



	struct ib_reg_wr	wr_reg;		/* WR register memory region */

	wait_queue_head_t	wr_reg_wait;	/* wait for wr_reg result */

net/smc/smc_wr.c

+5 −0
Original line number Diff line number Diff line
@@ -388,6 +388,7 @@ static inline void smc_wr_rx_process_cqes(struct ib_wc wc[], int num) 


	for (i = 0; i < num; i++) {

		link = wc[i].qp->qp_context;

		link->wr_rx_id_compl = wc[i].wr_id;

		if (wc[i].status == IB_WC_SUCCESS) {

			link->wr_rx_tstamp = jiffies;

			smc_wr_rx_demultiplex(&wc[i]);
@@ -399,6 +400,8 @@ static inline void smc_wr_rx_process_cqes(struct ib_wc wc[], int num) 
			case IB_WC_RNR_RETRY_EXC_ERR:

			case IB_WC_WR_FLUSH_ERR:

				smcr_link_down_cond_sched(link);

				if (link->wr_rx_id_compl == link->wr_rx_id)

					wake_up(&link->wr_rx_empty_wait);

				break;

			default:

				smc_wr_rx_post(link); /* refill WR RX */
@@ -542,6 +545,7 @@ void smc_wr_free_link(struct smc_link *lnk) 
		return;

	ibdev = lnk->smcibdev->ibdev;



	smc_wr_drain_cq(lnk);

	smc_wr_wakeup_reg_wait(lnk);

	smc_wr_wakeup_tx_wait(lnk);
@@ -711,6 +715,7 @@ int smc_wr_create_link(struct smc_link *lnk) 
	atomic_set(&lnk->wr_tx_refcnt, 0);

	init_waitqueue_head(&lnk->wr_reg_wait);

	atomic_set(&lnk->wr_reg_refcnt, 0);

	init_waitqueue_head(&lnk->wr_rx_empty_wait);

	return rc;



dma_unmap:

net/smc/smc_wr.h

+5 −0
Original line number Diff line number Diff line
@@ -73,6 +73,11 @@ static inline void smc_wr_tx_link_put(struct smc_link *link) 
		wake_up_all(&link->wr_tx_wait);

}



static inline void smc_wr_drain_cq(struct smc_link *lnk)

{

	wait_event(lnk->wr_rx_empty_wait, lnk->wr_rx_id_compl == lnk->wr_rx_id);

}



static inline void smc_wr_wakeup_tx_wait(struct smc_link *lnk)

{

	wake_up_all(&lnk->wr_tx_wait);