Re: [PATCH rdma-rc] RDMA/uverbs: Fix kernel panic while using XRC_TGT QP type

On Wed, Feb 21, 2018 at 10:25:01AM +0200, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> 
> Attempt to modify XRC_TGT QP type from the user space (ibv_xsrq_pingpong
> invocation) will trigger the following kernel panic. It is caused by the
> fact that such QPs missed uobject initialization.
> 
> [   17.408845] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
> [   17.412645] IP: rdma_lookup_put_uobject+0x9/0x50
> [   17.416567] PGD 0 P4D 0
> [   17.419262] Oops: 0000 [#1] SMP PTI
> [   17.422915] CPU: 0 PID: 455 Comm: ibv_xsrq_pingpo Not tainted 4.16.0-rc1+ #86
> [   17.424765] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
> [   17.427399] RIP: 0010:rdma_lookup_put_uobject+0x9/0x50
> [   17.428445] RSP: 0018:ffffb8c7401e7c90 EFLAGS: 00010246
> [   17.429543] RAX: 0000000000000000 RBX: ffffb8c7401e7cf8 RCX: 0000000000000000
> [   17.432426] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
> [   17.437448] RBP: 0000000000000000 R08: 00000000000218f0 R09: ffffffff8ebc4cac
> [   17.440223] R10: fffff6038052cd80 R11: ffff967694b36400 R12: ffff96769391f800
> [   17.442184] R13: ffffb8c7401e7cd8 R14: 0000000000000000 R15: ffff967699f60000
> [   17.443971] FS:  00007fc29207d700(0000) GS:ffff96769fc00000(0000) knlGS:0000000000000000
> [   17.446623] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   17.448059] CR2: 0000000000000048 CR3: 000000001397a000 CR4: 00000000000006b0
> [   17.449677] Call Trace:
> [   17.450247]  modify_qp.isra.20+0x219/0x2f0
> [   17.451151]  ib_uverbs_modify_qp+0x90/0xe0
> [   17.452126]  ib_uverbs_write+0x1d2/0x3c0
> [   17.453897]  ? __handle_mm_fault+0x93c/0xe40
> [   17.454938]  __vfs_write+0x36/0x180
> [   17.455875]  vfs_write+0xad/0x1e0
> [   17.456766]  SyS_write+0x52/0xc0
> [   17.457632]  do_syscall_64+0x75/0x180
> [   17.458631]  entry_SYSCALL_64_after_hwframe+0x21/0x86
> [   17.460004] RIP: 0033:0x7fc29198f5a0
> [   17.460982] RSP: 002b:00007ffccc71f018 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> [   17.463043] RAX: ffffffffffffffda RBX: 0000000000000078 RCX: 00007fc29198f5a0
> [   17.464581] RDX: 0000000000000078 RSI: 00007ffccc71f050 RDI: 0000000000000003
> [   17.466148] RBP: 0000000000000000 R08: 0000000000000078 R09: 00007ffccc71f050
> [   17.467750] R10: 000055b6cf87c248 R11: 0000000000000246 R12: 00007ffccc71f300
> [   17.469541] R13: 000055b6cf8733a0 R14: 0000000000000000 R15: 0000000000000000
> [   17.471151] Code: 00 00 0f 1f 44 00 00 48 8b 47 48 48 8b 00 48 8b 40 10 e9 0b 8b 68 00 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 53 89 f5 <48> 8b 47 48 48 89 fb 40 0f b6 f6 48 8b 00 48 8b 40 20 e8 e0 8a
> [   17.475185] RIP: rdma_lookup_put_uobject+0x9/0x50 RSP: ffffb8c7401e7c90
> [   17.476841] CR2: 0000000000000048
> [   17.477764] ---[ end trace 1dbcc5354071a712 ]---
> [   17.478880] Kernel panic - not syncing: Fatal exception
> [   17.480277] Kernel Offset: 0xd000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> 
> Fixes: 2f08ee363fe0 ("RDMA/restrack: don't use uaccess_kernel()")
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
>  drivers/infiniband/core/uverbs_cmd.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
> index 25a0e0e083b3..a148de35df8d 100644
> +++ b/drivers/infiniband/core/uverbs_cmd.c
> @@ -1553,6 +1553,9 @@ static int create_qp(struct ib_uverbs_file *file,
>  			atomic_inc(&attr.srq->usecnt);
>  		if (ind_tbl)
>  			atomic_inc(&ind_tbl->usecnt);
> +	} else {
> +		/* It is done in _ib_create_qp for other QP types */
> +		qp->uobject = &obj->uevent.uobject;
>  	}
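
Review bot: the comment in the new else branch says the assignment "is done in _ib_create_qp for other QP types" but never names the QP type that reaches this branch or why that path does not get its uobject set the same way. The subject and commit message identify the affected type as XRC_TGT, so the comment should name it and state the reason this branch has to set qp->uobject itself. The changelog would also benefit from one sentence on how the commit in the Fixes tag left these QPs without uobject initialization, since the oops shows only the resulting NULL dereference in rdma_lookup_put_uobject reached from modify_qp.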

Steve got rid of this line to make sure the uobject was init'd during
restrack add, so why is adding it back here OK for XRC?

Jason