Hi Doug, Jason,
> -----Original Message-----
> From: Parav Pandit <parav@xxxxxxxxxxxx>
> Sent: Wednesday, January 2, 2019 10:12 PM
> To: linux-rdma@xxxxxxxxxxxxxxx
> Cc: Parav Pandit <parav@xxxxxxxxxxxx>
> Subject: [PATCHv1] IB/mthca: Zero out QP during allocation time
>
> With mtcha driver a following [1] crash is observed.
>
> ib_destroy_qp() attempts to free the non zero sgid attr of a QP.
> mtcha driver allocates QP using kmalloc() that sometime leads to
> uninitialized non zero sgid attr.
> Due to that, destroy qp crashes on accessing such garbage sgid attr of QP.
> Therefore, zero out QP during allocation.
>
> [1]
> CPU: 3 PID: 74 Comm: kworker/u16:1 Not tainted 4.19.10-300.fc29.x86_64
> Workqueue: ipoib_wq ipoib_cm_tx_reap [ib_ipoib]
> RIP: 0010:rdma_put_gid_attr+0x9/0x30 [ib_core]
> RSP: 0018:ffffb7ad819dbde8 EFLAGS: 00010202
> RAX: 0000000000000000 RBX: ffff8d1bdf5a2e00 RCX: 0000000000002699
> RDX: 206c656e72656af8 RSI: ffff8d1bf7ae6160 RDI: 206c656e72656b20
> RBP: 0000000000000000 R08: 0000000000026160 R09: ffffffffc06b45bf
> R10: ffffe849887da000 R11: 0000000000000002 R12: ffff8d1be30cb400
> R13: ffff8d1bdf681800 R14: ffff8d1be2272400 R15: ffff8d1be30ca000
> FS: 0000000000000000(0000) GS:ffff8d1bf7ac0000(0000)
> knlGS:0000000000000000
> Trace:
> ib_destroy_qp+0xc9/0x240 [ib_core]
> ipoib_cm_tx_reap+0x1f9/0x4e0 [ib_ipoib]
> process_one_work+0x1a1/0x3a0
> worker_thread+0x30/0x380
> ? pwq_unbound_release_workfn+0xd0/0xd0
> kthread+0x112/0x130
> ? kthread_create_worker_on_cpu+0x70/0x70
> ret_from_fork+0x22/0x40
>
> Reported-by: Alexander Murashkin <AlexanderMurashkin@xxxxxxx>
> Tested-by: Alexander Murashkin <AlexanderMurashkin@xxxxxxx>
> Fixes: 1a1f460ff151 ("RDMA: Hold the sgid_attr inside the struct ib_ah/qp")
> Reviewed-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> Signed-off-by: Parav Pandit <parav@xxxxxxxxxxxx>
> ---
> drivers/infiniband/hw/mthca/mthca_provider.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c
> b/drivers/infiniband/hw/mthca/mthca_provider.c
> index 61f5c89..bb57f6f 100644
> --- a/drivers/infiniband/hw/mthca/mthca_provider.c
> +++ b/drivers/infiniband/hw/mthca/mthca_provider.c
> @@ -533,7 +533,7 @@ static struct ib_qp *mthca_create_qp(struct ib_pd
> *pd,
> {
> struct mthca_ucontext *context;
>
> - qp = kmalloc(sizeof *qp, GFP_KERNEL);
> + qp = kzalloc(sizeof(*qp), GFP_KERNEL);
> if (!qp)
> return ERR_PTR(-ENOMEM);
>
> @@ -599,7 +599,7 @@ static struct ib_qp *mthca_create_qp(struct ib_pd
> *pd,
> if (pd->uobject)
> return ERR_PTR(-EINVAL);
>
> - qp = kmalloc(sizeof (struct mthca_sqp), GFP_KERNEL);
> + qp = kzalloc(sizeof(struct mthca_sqp), GFP_KERNEL);
> if (!qp)
> return ERR_PTR(-ENOMEM);
>
> --
> 1.8.3.1
I don't see this patch in patchwork [1].
Not sure if I need to do anything special?
[1] https://patchwork.kernel.org/project/linux-rdma/list/
