From d4997fb33670147ac7ee657a24db5474b50f171a Mon Sep 17 00:00:00 2001
From: Chuck Lever
Date: Thu, 29 Apr 2021 14:56:15 +0800
Subject: [PATCH] xprtrdma: Fix trace point use-after-free race
mainline inclusion
from mainline-5.7-rc4
commit bdb2ce82818577ba6e57b7d68b698b8d17329281
category: bugfix
bugzilla: 51810
CVE: NA
-------------------------------------------------
It's not safe to use resources pointed to by the @send_wr of ib_post_send() _after_ that function returns. Those resources are typically freed by the Send completion handler, which can run before ib_post_send() returns.
Thus the trace points currently around ib_post_send() in the client's RPC/RDMA transport are a hazard, even when they are disabled. Rearrange them so that they touch the Work Request only _before_ ib_post_send() is invoked.
Fixes: ab03eff58eb5 ("xprtrdma: Add trace points in RPC Call transmit paths")
Signed-off-by: Chuck Lever
Signed-off-by: Anna Schumaker
(cherry picked from commit bdb2ce82818577ba6e57b7d68b698b8d17329281)
Signed-off-by: Yufen Wang
Reviewed-by: Yue Haibing
Signed-off-by: Yang Yingliang
---
 include/trace/events/rpcrdma.h | 12 ++++--------
 net/sunrpc/xprtrdma/verbs.c | 2 +-
 2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/include/trace/events/rpcrdma.h b/include/trace/events/rpcrdma.h
index a9369ac1a247..d53c40c9affd 100644
--- a/include/trace/events/rpcrdma.h
+++ b/include/trace/events/rpcrdma.h
@@ -500,17 +500,15 @@ TRACE_EVENT(xprtrdma_marshal,
 TRACE_EVENT(xprtrdma_post_send,
 TP_PROTO(
- const struct rpcrdma_req *req,
- int status
+ const struct rpcrdma_req *req
 ),
- TP_ARGS(req, status),
+ TP_ARGS(req),
 TP_STRUCT__entry(
 __field(const void *, req)
 __field(int, num_sge)
 __field(int, signaled)
- __field(int, status)
 ),
 TP_fast_assign(
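Review bot: Nothing in the header records that `xprtrdma_post_send` is now a pre-post event, so a later change could move the call back behind the send and reintroduce the use-after-free. `TP_fast_assign` (in the next hunk) still dereferences `req->rl_sendctx->sc_wr`, which the commit message says can be freed by the Send completion handler before ib_post_send() returns. I would add a comment above the event, e.g. `/* Must fire before the Send WR is posted; req->rl_sendctx may be released by the completion handler once the post is issued. */`. The TRACE_EVENT definition continues past the end of this hunk.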
@@ -518,13 +516,11 @@ TRACE_EVENT(xprtrdma_post_send,
 __entry->num_sge = req->rl_sendctx->sc_wr.num_sge;
 __entry->signaled = req->rl_sendctx->sc_wr.send_flags & IB_SEND_SIGNALED;
- __entry->status = status;
 ),
- TP_printk("req=%p, %d SGEs%s, status=%d",
+ TP_printk("req=%p, %d SGEs%s",
 __entry->req, __entry->num_sge,
- (__entry->signaled ? ", signaled" : ""),
- __entry->status
+ (__entry->signaled ? ", signaled" : "")
 )
 );
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index a00941b32a25..147f25264ba3 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -1517,8 +1517,8 @@ rpcrdma_ep_post(struct rpcrdma_ia *ia,
 --ep->rep_send_count;
 }
+ trace_xprtrdma_post_send(req);
 rc = ia->ri_ops->ro_send(ia, req);
- trace_xprtrdma_post_send(req, rc);
 if (rc)
 return -ENOTCONN;
 return 0;
-- GitLab
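Review bot: In the verbs.c hunk, a failed post is no longer visible in tracing: the `status` field is gone, and `rpcrdma_ep_post` maps every non-zero `rc` to `-ENOTCONN`, so the provider's error code is lost. If that diagnostic matters, record `rc` after the call through a trace point that takes only the integer, never `req`. It would also help to put `/* req's Send WR may already be completed and released when ro_send() returns; do not touch req below */` right after the `ro_send()` line, so the ordering is not undone later. The body of rpcrdma_ep_post starts above this hunk.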