Re: [PATCH rdma-rc] RDMA/uverbs: Fix kernel panic while using XRC_TGT QP type

On Wed, Feb 21, 2018 at 11:11:09AM -0700, Jason Gunthorpe wrote:
> On Wed, Feb 21, 2018 at 10:25:01AM +0200, Leon Romanovsky wrote:
> > From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> >
> > An attempt to modify an XRC_TGT QP type from user space (ibv_xsrq_pingpong
> > invocation) will trigger the following kernel panic. It is caused by the
> > fact that such QPs miss uobject initialization.
> >
> > [   17.408845] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
> > [   17.412645] IP: rdma_lookup_put_uobject+0x9/0x50
> > [   17.416567] PGD 0 P4D 0
> > [   17.419262] Oops: 0000 [#1] SMP PTI
> > [   17.422915] CPU: 0 PID: 455 Comm: ibv_xsrq_pingpo Not tainted 4.16.0-rc1+ #86
> > [   17.424765] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
> > [   17.427399] RIP: 0010:rdma_lookup_put_uobject+0x9/0x50
> > [   17.428445] RSP: 0018:ffffb8c7401e7c90 EFLAGS: 00010246
> > [   17.429543] RAX: 0000000000000000 RBX: ffffb8c7401e7cf8 RCX: 0000000000000000
> > [   17.432426] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
> > [   17.437448] RBP: 0000000000000000 R08: 00000000000218f0 R09: ffffffff8ebc4cac
> > [   17.440223] R10: fffff6038052cd80 R11: ffff967694b36400 R12: ffff96769391f800
> > [   17.442184] R13: ffffb8c7401e7cd8 R14: 0000000000000000 R15: ffff967699f60000
> > [   17.443971] FS:  00007fc29207d700(0000) GS:ffff96769fc00000(0000) knlGS:0000000000000000
> > [   17.446623] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [   17.448059] CR2: 0000000000000048 CR3: 000000001397a000 CR4: 00000000000006b0
> > [   17.449677] Call Trace:
> > [   17.450247]  modify_qp.isra.20+0x219/0x2f0
> > [   17.451151]  ib_uverbs_modify_qp+0x90/0xe0
> > [   17.452126]  ib_uverbs_write+0x1d2/0x3c0
> > [   17.453897]  ? __handle_mm_fault+0x93c/0xe40
> > [   17.454938]  __vfs_write+0x36/0x180
> > [   17.455875]  vfs_write+0xad/0x1e0
> > [   17.456766]  SyS_write+0x52/0xc0
> > [   17.457632]  do_syscall_64+0x75/0x180
> > [   17.458631]  entry_SYSCALL_64_after_hwframe+0x21/0x86
> > [   17.460004] RIP: 0033:0x7fc29198f5a0
> > [   17.460982] RSP: 002b:00007ffccc71f018 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> > [   17.463043] RAX: ffffffffffffffda RBX: 0000000000000078 RCX: 00007fc29198f5a0
> > [   17.464581] RDX: 0000000000000078 RSI: 00007ffccc71f050 RDI: 0000000000000003
> > [   17.466148] RBP: 0000000000000000 R08: 0000000000000078 R09: 00007ffccc71f050
> > [   17.467750] R10: 000055b6cf87c248 R11: 0000000000000246 R12: 00007ffccc71f300
> > [   17.469541] R13: 000055b6cf8733a0 R14: 0000000000000000 R15: 0000000000000000
> > [   17.471151] Code: 00 00 0f 1f 44 00 00 48 8b 47 48 48 8b 00 48 8b 40 10 e9 0b 8b 68 00 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 53 89 f5 <48> 8b 47 48 48 89 fb 40 0f b6 f6 48 8b 00 48 8b 40 20 e8 e0 8a
> > [   17.475185] RIP: rdma_lookup_put_uobject+0x9/0x50 RSP: ffffb8c7401e7c90
> > [   17.476841] CR2: 0000000000000048
> > [   17.477764] ---[ end trace 1dbcc5354071a712 ]---
> > [   17.478880] Kernel panic - not syncing: Fatal exception
> > [   17.480277] Kernel Offset: 0xd000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> >
> > Fixes: 2f08ee363fe0 ("RDMA/restrack: don't use uaccess_kernel()")
> > Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> >  drivers/infiniband/core/uverbs_cmd.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
> > index 25a0e0e083b3..a148de35df8d 100644
> > +++ b/drivers/infiniband/core/uverbs_cmd.c
> > @@ -1553,6 +1553,9 @@ static int create_qp(struct ib_uverbs_file *file,
> >  			atomic_inc(&attr.srq->usecnt);
> >  		if (ind_tbl)
> >  			atomic_inc(&ind_tbl->usecnt);
> > +	} else {
> > +		/* It is done in _ib_create_qp for other QP types */
> > +		qp->uobject = &obj->uevent.uobject;
> >  	}
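Review bot: the comment on the added `qp->uobject = &obj->uevent.uobject;` line says where the other QP types get their uobject but not why this branch needs it, which is exactly the question the reviewer raises below. Suggest expanding it to state that the XRC_TGT path does not go through _ib_create_qp, so the uobject must be set here before modify_qp can hand it to rdma_lookup_put_uobject, and to note that this is the assignment 2f08ee363fe0 removed (per the Fixes tag) so a later reader does not try to drop it again as redundant.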
>
> Steve got rid of this line to make sure the uobject was init'd during
> restrack add, so why is adding it back here OK for XRC?

Steve got rid of this line to determine kernel vs. user QPs, not
because it was XRC. XRC QPs do not participate in restrack,
and IB_QPT_XRC_TGT actually needs this qp->uobject to be initialized.

Thanks

>
> Jason
