projects
/
platform
/
kernel
/
linux-starfive.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
7374fbd
)
RDMA/uverbs: Fix kernel panic while using XRC_TGT QP type
author
Leon Romanovsky
<leonro@mellanox.com>
Wed, 21 Feb 2018 08:25:01 +0000
(10:25 +0200)
committer
Doug Ledford
<dledford@redhat.com>
Wed, 21 Feb 2018 18:52:19 +0000
(13:52 -0500)
Attempt to modify XRC_TGT QP type from the user space (ibv_xsrq_pingpong
invocation) will trigger the following kernel panic. It is caused by the
fact that such QPs missed uobject initialization.
[ 17.408845] BUG: unable to handle kernel NULL pointer dereference at
0000000000000048
[ 17.412645] IP: rdma_lookup_put_uobject+0x9/0x50
[ 17.416567] PGD 0 P4D 0
[ 17.419262] Oops: 0000 [#1] SMP PTI
[ 17.422915] CPU: 0 PID: 455 Comm: ibv_xsrq_pingpo Not tainted 4.16.0-rc1+ #86
[ 17.424765] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.7.5-0-ge51488c
-20140602_164612-nilsson.home.kraxel.org 04/01/2014
[ 17.427399] RIP: 0010:rdma_lookup_put_uobject+0x9/0x50
[ 17.428445] RSP: 0018:
ffffb8c7401e7c90
EFLAGS:
00010246
[ 17.429543] RAX:
0000000000000000
RBX:
ffffb8c7401e7cf8
RCX:
0000000000000000
[ 17.432426] RDX:
0000000000000001
RSI:
0000000000000000
RDI:
0000000000000000
[ 17.437448] RBP:
0000000000000000
R08:
00000000000218f0
R09:
ffffffff8ebc4cac
[ 17.440223] R10:
fffff6038052cd80
R11:
ffff967694b36400
R12:
ffff96769391f800
[ 17.442184] R13:
ffffb8c7401e7cd8
R14:
0000000000000000
R15:
ffff967699f60000
[ 17.443971] FS:
00007fc29207d700
(0000) GS:
ffff96769fc00000
(0000) knlGS:
0000000000000000
[ 17.446623] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 17.448059] CR2:
0000000000000048
CR3:
000000001397a000
CR4:
00000000000006b0
[ 17.449677] Call Trace:
[ 17.450247] modify_qp.isra.20+0x219/0x2f0
[ 17.451151] ib_uverbs_modify_qp+0x90/0xe0
[ 17.452126] ib_uverbs_write+0x1d2/0x3c0
[ 17.453897] ? __handle_mm_fault+0x93c/0xe40
[ 17.454938] __vfs_write+0x36/0x180
[ 17.455875] vfs_write+0xad/0x1e0
[ 17.456766] SyS_write+0x52/0xc0
[ 17.457632] do_syscall_64+0x75/0x180
[ 17.458631] entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 17.460004] RIP: 0033:0x7fc29198f5a0
[ 17.460982] RSP: 002b:
00007ffccc71f018
EFLAGS:
00000246
ORIG_RAX:
0000000000000001
[ 17.463043] RAX:
ffffffffffffffda
RBX:
0000000000000078
RCX:
00007fc29198f5a0
[ 17.464581] RDX:
0000000000000078
RSI:
00007ffccc71f050
RDI:
0000000000000003
[ 17.466148] RBP:
0000000000000000
R08:
0000000000000078
R09:
00007ffccc71f050
[ 17.467750] R10:
000055b6cf87c248
R11:
0000000000000246
R12:
00007ffccc71f300
[ 17.469541] R13:
000055b6cf8733a0
R14:
0000000000000000
R15:
0000000000000000
[ 17.471151] Code: 00 00 0f 1f 44 00 00 48 8b 47 48 48 8b 00 48 8b 40 10 e9 0b 8b 68 00 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 53 89 f5 <48> 8b 47 48 48 89 fb 40 0f b6 f6 48 8b 00 48 8b 40 20 e8 e0 8a
[ 17.475185] RIP: rdma_lookup_put_uobject+0x9/0x50 RSP:
ffffb8c7401e7c90
[ 17.476841] CR2:
0000000000000048
[ 17.477764] ---[ end trace
1dbcc5354071a712
]---
[ 17.478880] Kernel panic - not syncing: Fatal exception
[ 17.480277] Kernel Offset: 0xd000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
Fixes: 2f08ee363fe0 ("RDMA/restrack: don't use uaccess_kernel()")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
drivers/infiniband/core/uverbs_cmd.c
patch
|
blob
|
history
diff --git
a/drivers/infiniband/core/uverbs_cmd.c
b/drivers/infiniband/core/uverbs_cmd.c
index 25a0e0e083b3350dbdbcddf054f9c725671ed056..a148de35df8d4008bf2534c4920f6ff075c0e698 100644
(file)
--- a/
drivers/infiniband/core/uverbs_cmd.c
+++ b/
drivers/infiniband/core/uverbs_cmd.c
@@
-1553,6
+1553,9
@@
static int create_qp(struct ib_uverbs_file *file,
atomic_inc(&attr.srq->usecnt);
if (ind_tbl)
atomic_inc(&ind_tbl->usecnt);
+ } else {
+ /* It is done in _ib_create_qp for other QP types */
+ qp->uobject = &obj->uevent.uobject;
}
obj->uevent.uobject.object = qp;