[PATCH OLK-6.6] RDMA/hns: Fix double destruction of rsv_qp

From: wenglianfa <wenglianfa@huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICEQ4V ---------------------------------------------------------------------- rsv_qp will be double destroyed in error flow, first in free_mr_init(), and then in hns_roce_exit(). Here fix it. [23776.119039] list_del corruption, ffff589732eb9b50->next is LIST_POISON1 (dead000000000100) [23776.128188] WARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240 [23776.137975] Modules linked in: hns_roce_hw_v2(E) kp_ktools(OE) hns3_cae(OE) hns3(E) hclge(E) hnae3(E) vxlan ip6_udp_tunnel udp_tunnel xt_CHECKSUM ipt_REJECT nf_reject_ipv4 ip6table_mangle ip6table_nat iptable_mangle nf_tables ip6table_filter ip6_tables tun vfio_iommu_type1(E) vfio_pci(E) vfio_virqfd(E) vfio(E) realtek ixgbe xt_MASQUERADE nf_conntrack_netlink iptable_nat xt_addrtype iptable_filter ip_tables xt_conntrack nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge overlay vfat fat ipmi_ssif ses enclosure arm_spe_pmu arm_smmuv3_pmu hibmc_drm drm_vram_helper sg drm_ttm_helper acpi_ipmi ttm ipmi_si ipmi_devintf ipmi_msghandler hisi_uncore_hha_pmu uio_pdrv_genirq uio hisi_uncore_ddrc_pmu hisi_uncore_l3c_pmu hisi_uncore_pmu sch_fq_codel fuse hisi_sas_v3_hw hisi_sas_main ghash_ce libsas ahci sha2_ce xhci_pci scsi_transport_sas libahci hisi_qm sha256_arm64 hisi_dma sha1_ce sbsa_gwdt xhci_hcd virt_dma uacce megaraid_sas host_edma_drv libata mdio [23776.138107] i2c_designware_platform [23776.143902] hns3 0000:7d:00.0: prepare wait ok [23776.224538] gpio_dwapb i2c_designware_core hisi_trng_v2 gpio_generic rpcrdma sunrpc ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_ipoib aes_ce_blk crypto_simd cryptd aes_ce_cipher [last unloaded: hns_roce_hw_v2] [23776.224573] CPU: 8 PID: 1047115 Comm: kworker/u193:3 Kdump: loaded Tainted: G OE 5.10.0 #1 [23776.224576] Hardware name: Huawei TaiShan 200 (Model 
2280)/BC82AMDD, BIOS 2280-V2 CS V5.B221.01 12/09/2021 [23776.224669] Workqueue: hclge hclge_service_task [hclge] [23776.229136] hns3 0000:7d:00.0: In reset process RoCE client uninit. [23776.234320] pstate: 60400089 (nZCv daIf +PAN -UAO -TCO BTYPE=--) [23776.234325] pc : __list_del_entry_valid+0x148/0x240 [23776.234327] lr : __list_del_entry_valid+0x13c/0x240 [23776.234328] sp : ffff80003798b9f0 [23776.234329] x29: ffff80003798b9f0 x28: ffff388ed4711000 [23776.234333] x27: ffffdc1eafe39c48 x26: 0000000000000000 [23776.234336] x25: 0000000000000000 x24: ffff388ed4711000 [23776.234342] x23: ffffdc1e886be378 x22: ffff388d9de39198 [23776.234348] x21: ffff589732eb9800 x20: ffff388d9de39610 [23776.234352] x19: ffffdc1eb0dad3b0 x18: ffff80003798b5c8 [23776.234356] x17: 0000000000000000 x16: ffffdc1ead5ed4c0 [23776.356567] x15: 0000000000000000 x14: ffffdc1eb0160c70 [23776.362727] x13: 00000000000bffe8 x12: ffffdc1eb0160cc8 [23776.368887] x11: 0000000000000001 x10: 0000000000000001 [23776.375044] x9 : ffffdc1eaca945fc x8 : c0000000ffff7fff [23776.381199] x7 : ffff3894ffdb5890 x6 : 0000000000003093 [23776.387357] x5 : ffff3894ffdb5898 x4 : 0000000000003093 [23776.393516] x3 : ffffdc1eb0a85460 x2 : 0000000000000000 [23776.399671] x1 : 0000000000000000 x0 : 0000000000000001 [23776.405825] Call trace: [23776.409129] __list_del_entry_valid+0x148/0x240 [23776.414525] hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2] [23776.420948] hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2] [23776.428414] hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2] [23776.435272] free_mr_exit+0x6c/0x120 [hns_roce_hw_v2] [23776.441177] hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2] [23776.447514] hns_roce_exit+0x118/0x350 [hns_roce_hw_v2] [23776.453595] __hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2] [23776.461142] hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2] [23776.468865] hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2] [23776.476077] 
hclge_notify_roce_client+0x6c/0x160 [hclge] [23776.482246] hclge_reset_rebuild+0x150/0x5c0 [hclge] [23776.488074] hclge_reset+0x10c/0x140 [hclge] [23776.493207] hclge_reset_subtask+0x80/0x104 [hclge] [23776.498944] hclge_reset_service_task+0x168/0x3ac [hclge] [23776.505199] hclge_service_task+0x50/0x100 [hclge] [23776.510836] process_one_work+0x250/0x9a0 [23776.515695] worker_thread+0x324/0x990 [23776.520294] kthread+0x190/0x210 [23776.524375] ret_from_fork+0x10/0x18 Fixes: e96a09a3ded1 ("RDMA/hns: Fix Use-After-Free of rsv_qp") Signed-off-by: wenglianfa <wenglianfa@huawei.com> Signed-off-by: Donghua Huang <huangdonghua3@h-partners.com>
---
 drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 24 +++++++++++-----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index 2a93e4e905fd..595292fb88f7 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -3174,11 +3174,19 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev)
 {
 int ret;
 
+ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) {
+ ret = free_mr_init(hr_dev);
+ if (ret) {
+ dev_err(hr_dev->dev, "failed to init free mr!\n");
+ return ret;
+ }
+ }
+
 ret = hns_roce_v2_get_reset_page(hr_dev);
 if (ret) {
 dev_err(hr_dev->dev,
 "reset state init failed, ret = %d.\n", ret);
- return ret;
+ goto error_get_reset_page_failed;
 }
 
 /* The hns ROCEE requires the extdb info to be cleared before using */
@@ -3205,6 +3213,9 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev)
 put_hem_table(hr_dev);
 err_clear_extdb_failed:
 hns_roce_v2_put_reset_page(hr_dev);
+error_get_reset_page_failed:
+ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08)
+ free_mr_exit(hr_dev);
 
 return ret;
 }
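Review bot: The new `free_mr_init()` failure branch at the top of `hns_roce_v2_init()` logs `"failed to init free mr!\n"` without the error code, while the `hns_roce_v2_get_reset_page()` branch just below it prints `ret = %d`; `dev_err(hr_dev->dev, "failed to init free mr, ret = %d.\n", ret);` would give triage the errno on a path that previously ended in list corruption. The bare `return ret;` in that branch is only safe because, per the commit message, `free_mr_init()` destroys rsv_qp itself on failure, which is not visible in this hunk. A one-line comment such as `/* free_mr_init() unwinds itself on failure, so no free_mr_exit() here */` would keep a later edit from routing that branch to the unwind label and bringing the double destroy back. The function body continues past the end of this hunk.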
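Review bot: The added label `error_get_reset_page_failed:` uses a different prefix from the existing `err_clear_extdb_failed:` two lines above it; `err_get_reset_page_failed:` would match the function's convention, with the `goto` in the first hunk renamed to suit. The unwind repeats the `PCI_REVISION_ID_HIP08` test from the top of the function, so the two conditions must stay identical for init and exit to pair up. Because the call trace shows `free_mr_exit()` is also reached from `hns_roce_v2_exit()`, it may be worth making `free_mr_exit()` tolerate a second call, for example by clearing each reserved-QP pointer after destroying it; that code is outside this patch, so this is to be confirmed there. The function starts before this hunk.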
@@ -7609,21 +7620,10 @@ static int __hns_roce_hw_v2_init_instance(struct hnae3_handle *handle)
 goto error_failed_roce_init;
 }
 
- if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) {
- ret = free_mr_init(hr_dev);
- if (ret) {
- dev_err(hr_dev->dev, "failed to init free mr!\n");
- goto error_failed_free_mr_init;
- }
- }
-
 handle->priv = hr_dev;
 
 return 0;
 
-error_failed_free_mr_init:
- hns_roce_exit(hr_dev, true);
-
 error_failed_roce_init:
 kfree(hr_dev->priv);
 
-- 
2.33.0

反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/16694 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/7MS... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/16694 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/7MS...