RE: [PATCH rdma-next 3/4] RDMA/mthca: Clear QP objects during their allocation

> -----Original Message-----
> From: linux-rdma-owner@xxxxxxxxxxxxxxx <linux-rdma-
> owner@xxxxxxxxxxxxxxx> On Behalf Of Leon Romanovsky
> Sent: Wednesday, January 9, 2019 12:16 PM
> To: Doug Ledford <dledford@xxxxxxxxxx>; Jason Gunthorpe
> <jgg@xxxxxxxxxxxx>
> Cc: Leon Romanovsky <leonro@xxxxxxxxxxxx>; RDMA mailing list <linux-
> rdma@xxxxxxxxxxxxxxx>
> Subject: [PATCH rdma-next 3/4] RDMA/mthca: Clear QP objects during their
> allocation
> 
> From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> 
> As part of the audit process to update drivers to use rdma_restrack_add(),
> ensure that QP objects are cleared before access.
> 
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> ---
>  drivers/infiniband/hw/mthca/mthca_provider.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c
> b/drivers/infiniband/hw/mthca/mthca_provider.c
> index cf5d1e6ff77d..3493be39637c 100644
> --- a/drivers/infiniband/hw/mthca/mthca_provider.c
> +++ b/drivers/infiniband/hw/mthca/mthca_provider.c
> @@ -534,7 +534,7 @@ static struct ib_qp *mthca_create_qp(struct ib_pd
> *pd,
>  	{
>  		struct mthca_ucontext *context;
> 
> -		qp = kmalloc(sizeof *qp, GFP_KERNEL);
> +		qp = kzalloc(sizeof(*qp), GFP_KERNEL);
>  		if (!qp)
>  			return ERR_PTR(-ENOMEM);
> 
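Review bot: the changelog for the `kmalloc` to `kzalloc` switch in this hunk does not say which field of the QP was read before being set, nor what failed when it was; name the field and the failing path in the commit message so the change can be judged as a fix rather than as cleanup. The `sizeof *qp` to `sizeof(*qp)` respelling on the same line is a style change bundled with the functional one and deserves a word in the changelog as well.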
> @@ -600,7 +600,7 @@ static struct ib_qp *mthca_create_qp(struct ib_pd
> *pd,
>  		if (udata)
>  			return ERR_PTR(-EINVAL);
> 
> -		qp = kmalloc(sizeof (struct mthca_sqp), GFP_KERNEL);
> +		qp = kzalloc(sizeof(struct mthca_sqp), GFP_KERNEL);
>  		if (!qp)
>  			return ERR_PTR(-ENOMEM);
> 
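Review bot: on the changed line here the size is taken from `struct mthca_sqp` while the result is stored in `qp`, unlike the first hunk, which uses `sizeof(*qp)`; the zeroing therefore depends on that type name staying in step with what `qp` is later treated as, and nothing on these lines says so. A short comment above the allocation, or a local pointer typed as `struct mthca_sqp *` with `sizeof(*sqp)`, would make the relationship explicit.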
> --
> 2.19.1

I sent this patch a while back but it didn't show up in patchworks.
Can you please add the below log information [1] and tags [2]?

With the mthca driver, the following crash [1] is observed.

ib_destroy_qp() attempts to free the non-zero sgid attr of a QP.
The mthca driver allocates the QP using kmalloc(), which sometimes leads to an uninitialized, non-zero sgid attr.
Due to that, destroy QP crashes on accessing such a garbage sgid attr of the QP.
Therefore, zero out the QP during allocation.

[1]
CPU: 3 PID: 74 Comm: kworker/u16:1 Not tainted 4.19.10-300.fc29.x86_64
Workqueue: ipoib_wq ipoib_cm_tx_reap [ib_ipoib]
RIP: 0010:rdma_put_gid_attr+0x9/0x30 [ib_core]
RSP: 0018:ffffb7ad819dbde8 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff8d1bdf5a2e00 RCX: 0000000000002699
RDX: 206c656e72656af8 RSI: ffff8d1bf7ae6160 RDI: 206c656e72656b20
RBP: 0000000000000000 R08: 0000000000026160 R09: ffffffffc06b45bf
R10: ffffe849887da000 R11: 0000000000000002 R12: ffff8d1be30cb400
R13: ffff8d1bdf681800 R14: ffff8d1be2272400 R15: ffff8d1be30ca000
FS:  0000000000000000(0000) GS:ffff8d1bf7ac0000(0000)
knlGS:0000000000000000
Trace:
 ib_destroy_qp+0xc9/0x240 [ib_core]
 ipoib_cm_tx_reap+0x1f9/0x4e0 [ib_ipoib]
 process_one_work+0x1a1/0x3a0
 worker_thread+0x30/0x380
 ? pwq_unbound_release_workfn+0xd0/0xd0
 kthread+0x112/0x130
 ? kthread_create_worker_on_cpu+0x70/0x70
 ret_from_fork+0x22/0x40

[2] 
Reported-by: Alexander Murashkin <AlexanderMurashkin@xxxxxxx>
Tested-by: Alexander Murashkin <AlexanderMurashkin@xxxxxxx>
Fixes: 1a1f460ff151 ("RDMA: Hold the sgid_attr inside the struct ib_ah/qp")
Signed-off-by: Parav Pandit <parav@xxxxxxxxxxxx>
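
The failure described in the reply above, reduced to a user-space model (an added example, not code from the patch or from the kernel). `struct qp`, `struct gid_attr`, `alloc_stale()`, `alloc_zeroed()` and `destroy_qp()` are hypothetical stand-ins for the driver object, `kmalloc()`, `kzalloc()` and the destroy path; the stale bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins; not the mthca or ib_core definitions. */
struct gid_attr { int refcount; };
struct qp {
	uint32_t qpn;
	const struct gid_attr *sgid_attr;	/* only assigned on some paths */
};

/* Models kmalloc(): the memory still holds a previous user's bytes. */
static void *alloc_stale(size_t n)
{
	void *p = malloc(n);

	if (p)
		memset(p, 'k', n);	/* constructed stale data */
	return p;
}

/* Models kzalloc(): same allocation, zero-filled. */
static void *alloc_zeroed(size_t n)
{
	return calloc(1, n);
}

/*
 * Models the destroy path from the mail: the sgid attr is released
 * whenever the pointer is non-zero. Returns 1 if it would have followed
 * the pointer, 0 if it skipped it. The pointer is only compared, never
 * dereferenced, so the model is safe to run.
 */
static int destroy_qp(struct qp *qp)
{
	int would_put = qp->sgid_attr != NULL;

	free(qp);
	return would_put;
}

/* Create a QP that never gets an sgid attr assigned, then destroy it. */
static int create_then_destroy(void *(*alloc)(size_t))
{
	struct qp *qp = alloc(sizeof(*qp));

	if (!qp)
		return -1;
	qp->qpn = 42;	/* the driver fills in only the fields it knows about */
	return destroy_qp(qp);
}
```

With `alloc_stale` the destroy path sees a non-zero pointer it never set and would follow it; with `alloc_zeroed` the same path skips it.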



