Commit 7638e0bf authored by Chuck Lever's avatar Chuck Lever Committed by Trond Myklebust

SUNRPC: Move fault injection call sites

I've hit some crashes that occur in the xprt_rdma_inject_disconnect
path. It appears that, for some provides, rdma_disconnect() can
take so long that the transport can disconnect and release its
hardware resources while rdma_disconnect() is still running,
resulting in a UAF in the provider.

The transport's fault injection method may depend on the stability
of transport data structures. That means it needs to be invoked
only from contexts that hold the transport write lock.

Fixes: 4a068258 ("SUNRPC: Transport fault injection")
Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
parent 73f5c88f
...@@ -1799,7 +1799,6 @@ call_allocate(struct rpc_task *task) ...@@ -1799,7 +1799,6 @@ call_allocate(struct rpc_task *task)
status = xprt->ops->buf_alloc(task); status = xprt->ops->buf_alloc(task);
trace_rpc_buf_alloc(task, status); trace_rpc_buf_alloc(task, status);
xprt_inject_disconnect(xprt);
if (status == 0) if (status == 0)
return; return;
if (status != -ENOMEM) { if (status != -ENOMEM) {
......
...@@ -1485,7 +1485,10 @@ bool xprt_prepare_transmit(struct rpc_task *task) ...@@ -1485,7 +1485,10 @@ bool xprt_prepare_transmit(struct rpc_task *task)
void xprt_end_transmit(struct rpc_task *task) void xprt_end_transmit(struct rpc_task *task)
{ {
xprt_release_write(task->tk_rqstp->rq_xprt, task); struct rpc_xprt *xprt = task->tk_rqstp->rq_xprt;
xprt_inject_disconnect(xprt);
xprt_release_write(xprt, task);
} }
/** /**
...@@ -1887,7 +1890,6 @@ void xprt_release(struct rpc_task *task) ...@@ -1887,7 +1890,6 @@ void xprt_release(struct rpc_task *task)
spin_unlock(&xprt->transport_lock); spin_unlock(&xprt->transport_lock);
if (req->rq_buffer) if (req->rq_buffer)
xprt->ops->buf_free(task); xprt->ops->buf_free(task);
xprt_inject_disconnect(xprt);
xdr_free_bvec(&req->rq_rcv_buf); xdr_free_bvec(&req->rq_rcv_buf);
xdr_free_bvec(&req->rq_snd_buf); xdr_free_bvec(&req->rq_snd_buf);
if (req->rq_cred != NULL) if (req->rq_cred != NULL)
......
...@@ -262,8 +262,10 @@ xprt_rdma_connect_worker(struct work_struct *work) ...@@ -262,8 +262,10 @@ xprt_rdma_connect_worker(struct work_struct *work)
* xprt_rdma_inject_disconnect - inject a connection fault * xprt_rdma_inject_disconnect - inject a connection fault
* @xprt: transport context * @xprt: transport context
* *
* If @xprt is connected, disconnect it to simulate spurious connection * If @xprt is connected, disconnect it to simulate spurious
* loss. * connection loss. Caller must hold @xprt's send lock to
* ensure that data structures and hardware resources are
* stable during the rdma_disconnect() call.
*/ */
static void static void
xprt_rdma_inject_disconnect(struct rpc_xprt *xprt) xprt_rdma_inject_disconnect(struct rpc_xprt *xprt)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment