From: Wen Gu guwen@linux.alibaba.com
[ Upstream commit e738455b2c6dcdab03e45d97de36476f93f557d2 ]
There might be a potential race between SMC-R buffer map and link group termination.
smc_smcr_terminate_all() | smc_connect_rdma() -------------------------------------------------------------- | smc_conn_create() for links in smcibdev | schedule links down | | smc_buf_create() | - smcr_buf_map_usable_links() | - no usable links found, | (rmb->mr = NULL) | | smc_clc_send_confirm() | - access conn->rmb_desc->mr[]->rkey | (panic)
During reboot and IB device module remove, all links will be set down and no usable links remain in link groups. In such situation smcr_buf_map_usable_links() should return an error and stop the CLC flow accessing to uninitialized mr.
Fixes: b9247544c1bc ("net/smc: convert static link ID instances to support multiple links") Signed-off-by: Wen Gu guwen@linux.alibaba.com Link: https://lore.kernel.org/r/1663656189-32090-1-git-send-email-guwen@linux.alib... Signed-off-by: Paolo Abeni pabeni@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/smc/smc_core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c index 1f3bb1f6b1f7..8095876b66eb 100644 --- a/net/smc/smc_core.c +++ b/net/smc/smc_core.c @@ -2148,7 +2148,7 @@ static struct smc_buf_desc *smcr_new_buf_create(struct smc_link_group *lgr, static int smcr_buf_map_usable_links(struct smc_link_group *lgr, struct smc_buf_desc *buf_desc, bool is_rmb) { - int i, rc = 0; + int i, rc = 0, cnt = 0;
/* protect against parallel link reconfiguration */ mutex_lock(&lgr->llc_conf_mutex); @@ -2161,9 +2161,12 @@ static int smcr_buf_map_usable_links(struct smc_link_group *lgr, rc = -ENOMEM; goto out; } + cnt++; } out: mutex_unlock(&lgr->llc_conf_mutex); + if (!rc && !cnt) + rc = -EINVAL; return rc; }