On 2021/8/23 13:42, Zhu Yanjun wrote:
> On Mon, Aug 23, 2021 at 12:37 PM yangx.jy@xxxxxxxxxxx
> <yangx.jy@xxxxxxxxxxx> wrote:
>> On 2021/8/21 15:21, Zhu Yanjun wrote:
>>> On Fri, Aug 20, 2021 at 6:44 PM Xiao Yang<yangx.jy@xxxxxxxxxxx> wrote:
>>>> 1) New index member of struct rxe_queue is introduced but not zeroed
>>>> so the initial value of index may be random.
>>>> 2) Current index is not masked off to index_mask.
>>>> In such case, producer_addr() and consumer_addr() will get an invalid
>>>> address by the random index and then accessing the invalid address
>>>> triggers the following panic:
>>>> "BUG: unable to handle page fault for address: ffff9ae2c07a1414"
>>>>
>>>> Fix the issue by using kzalloc() to zero out index member.
>>>>
>>>> Fixes: 5bcf5a59c41e ("RDMA/rxe: Protext kernel index from user space")
>>>> Signed-off-by: Xiao Yang<yangx.jy@xxxxxxxxxxx>
>>>> ---
>>>> drivers/infiniband/sw/rxe/rxe_queue.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/infiniband/sw/rxe/rxe_queue.c b/drivers/infiniband/sw/rxe/rxe_queue.c
>>>> index 85b812586ed4..72d95398e604 100644
>>>> --- a/drivers/infiniband/sw/rxe/rxe_queue.c
>>>> +++ b/drivers/infiniband/sw/rxe/rxe_queue.c
>>>> @@ -63,7 +63,7 @@ struct rxe_queue *rxe_queue_init(struct rxe_dev *rxe, int *num_elem,
>>>> if (*num_elem< 0)
>>>> goto err1;
>>>>
>>>> - q = kmalloc(sizeof(*q), GFP_KERNEL);
>>>> + q = kzalloc(sizeof(*q), GFP_KERNEL);
>>> Perhaps this is why I can not reproduce this problem in the local host.
>> Hi Yanjun,
>>
>> I forgot to say that I reproduced the issue on my local vm.
> Which OS are you using to reproduce this problem?
OS is fedora31.
> Zhu Yanjun
>
>> Best Regards,
>> Xiao Yang
>>> Zhu Yanjun
>>>
>>>> if (!q)
>>>> goto err1;
>>>>
>>>> --
>>>> 2.25.1
>>>>
>>>>
>>>>
