CVE-2024-50095
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
05/11/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mad: Improve handling of timed out WRs of mad agent

Current timeout handler of mad agent acquires/releases mad_agent_priv
lock for every timed out WRs. This causes heavy locking contention
when higher no. of WRs are to be handled inside timeout handler.

This leads to softlockup with below trace in some use cases where
rdma-cm path is used to establish connection between peer nodes

Trace:
-----
BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767]
CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE
------- --- 5.14.0-427.13.1.el9_4.x86_64 #1
Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019
Workqueue: ib_mad1 timeout_sends [ib_core]
RIP: 0010:__do_softirq+0x78/0x2ac
RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246
RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f
RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b
RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000
R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040
FS: 0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:

? show_trace_log_lvl+0x1c4/0x2df
? show_trace_log_lvl+0x1c4/0x2df
? __irq_exit_rcu+0xa1/0xc0
? watchdog_timer_fn+0x1b2/0x210
? __pfx_watchdog_timer_fn+0x10/0x10
? __hrtimer_run_queues+0x127/0x2c0
? hrtimer_interrupt+0xfc/0x210
? __sysvec_apic_timer_interrupt+0x5c/0x110
? sysvec_apic_timer_interrupt+0x37/0x90
? asm_sysvec_apic_timer_interrupt+0x16/0x20
? __do_softirq+0x78/0x2ac
? __do_softirq+0x60/0x2ac
__irq_exit_rcu+0xa1/0xc0
sysvec_call_function_single+0x72/0x90


asm_sysvec_call_function_single+0x16/0x20
RIP: 0010:_raw_spin_unlock_irq+0x14/0x30
RSP: 0018:ffffb253604cbd88 EFLAGS: 00000247
RAX: 000000000001960d RBX: 0000000000000002 RCX: ffff8cad2a064800
RDX: 000000008020001b RSI: 0000000000000001 RDI: ffff8cad5d39f66c
RBP: ffff8cad5d39f600 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8caa443e0c00 R11: ffffb253604cbcd8 R12: ffff8cacb8682538
R13: 0000000000000005 R14: ffffb253604cbd90 R15: ffff8cad5d39f66c
cm_process_send_error+0x122/0x1d0 [ib_cm]
timeout_sends+0x1dd/0x270 [ib_core]
process_one_work+0x1e2/0x3b0
? __pfx_worker_thread+0x10/0x10
worker_thread+0x50/0x3a0
? __pfx_worker_thread+0x10/0x10
kthread+0xdd/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork+0x29/0x50

Simplified timeout handler by creating local list of timed out WRs
and invoke send handler post creating the list. The new method acquires/
releases lock once to fetch the list and hence helps to reduce locking
contention when processing higher no. of WRs
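
The locking change described above, as an added user-space model in C; it is not the kernel's code and not part of the original advisory. All names (`struct wr`, `struct agent`, `timeout_per_wr`, `timeout_batched`, `run`) are hypothetical, a counter stands in for the `mad_agent_priv` lock, and the wait list is assumed to be sorted by timeout.

```c
#include <stddef.h>
/* Constructed user-space model; a counter stands in for the agent lock. */
struct wr { unsigned long timeout; struct wr *next; };
struct agent { struct wr *wait_list; unsigned long locks; int handled; };
static void agent_lock(struct agent *a)   { a->locks++; }
static void agent_unlock(struct agent *a) { (void)a; }
static void send_handler(struct agent *a, struct wr *w) { (void)w; a->handled++; }

/* Per-WR shape: lock dropped and retaken around every timed-out WR. */
static void timeout_per_wr(struct agent *a, unsigned long now) {
    agent_lock(a);
    while (a->wait_list && a->wait_list->timeout <= now) {
        struct wr *w = a->wait_list;
        a->wait_list = w->next;
        agent_unlock(a);
        send_handler(a, w);
        agent_lock(a);
    }
    agent_unlock(a);
}

/* Batched shape: one critical section moves expired WRs to a local list. */
static void timeout_batched(struct agent *a, unsigned long now) {
    struct wr *local = NULL, **tail = &local;
    agent_lock(a);
    while (a->wait_list && a->wait_list->timeout <= now) {
        *tail = a->wait_list;
        a->wait_list = (*tail)->next;
        tail = &(*tail)->next;
    }
    *tail = NULL;                                /* terminate the local list */
    agent_unlock(a);
    for (struct wr *w = local, *n; w; w = n) {   /* lock not held here */
        n = w->next;
        send_handler(a, w);
    }
}

/* Queue n WRs (timeouts 1..n, sorted), run one variant, return lock count. */
unsigned long run(int batched, int n, unsigned long now, int *handled) {
    static struct wr pool[1024];                 /* n must not exceed 1024 */
    struct agent a = { NULL, 0, 0 };
    for (int i = n - 1; i >= 0; i--) {
        pool[i] = (struct wr){ (unsigned long)i + 1, a.wait_list };
        a.wait_list = &pool[i];
    }
    if (batched) timeout_batched(&a, now); else timeout_per_wr(&a, now);
    *handled = a.handled;
    return a.locks;
}
```

In the model, the per-WR variant's lock count grows with the number of expired WRs, while the batched variant takes the lock once however many WRs have timed out.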
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.10.227 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.168 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.113 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.57 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.4 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2a777679b8ccd09a9a65ea0716ef10365179caac
- https://git.kernel.org/stable/c/3e799fa463508abe7a738ce5d0f62a8dfd05262a
- https://git.kernel.org/stable/c/7022a517bf1ca37ef5a474365bcc5eafd345a13a
- https://git.kernel.org/stable/c/713adaf0ecfc49405f6e5d9e409d984f628de818
- https://git.kernel.org/stable/c/a195a42dd25ca4f12489687065d00be64939409f
- https://git.kernel.org/stable/c/e80eadb3604a92d2d086e956b8b2692b699d4d0a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html



