[PATCH rdma-rc] IB/uverbs: Fix ioctl query port to consider device disassociation

Leon Romanovsky <leon@xxxxxxxxxx> · Thu, 24 Jan 2019 15:00:07 +0200

From: Yishai Hadas <yishaih@xxxxxxxxxxxx>

The ioctl query port method needs to consider device disassociation,
otherwise an OOPs might occur.

[  450.366604] BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
[  450.371484] PGD 800000005ece6067 P4D 800000005ece6067 PUD 5ece7067 PMD 0
[  450.373864] Oops: 0000 [#1] SMP PTI
[  450.375345] CPU: 0 PID: 10631 Comm: ibv_ud_pingpong Tainted: GW  OE     4.20.0-rc6+ #3
[  450.378273] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[  450.380428] RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_PORT+0x53/0x191 [ib_uverbs]
[  450.383200] Code: 80 00 00 00 31 c0 48 8b 47 40 48 8d 5c 24 38 48 8d 6c 24
               08 48 89 df 48 8b 40 08 4c 8b a0 18 03 00 00 31 c0 f3 48 ab 48 89
               ef <49> 83 7c 24 78 00 b1 06 f3 48 ab 0f 84 89 00 00 00 45 31  c9 31 d2
[  450.389506] RSP: 0018:ffffb54802ccfb10 EFLAGS: 00010246
[  450.391519] RAX: 0000000000000000 RBX: ffffb54802ccfb48 RCX:0000000000000000
[  450.394085] RDX: fffffffffffffffa RSI: ffffb54802ccfcf8 RDI:ffffb54802ccfb18
[  450.396635] RBP: ffffb54802ccfb18 R08: ffffb54802ccfd18 R09:0000000000000000
[  450.399199] R10: 0000000000000000 R11: 00000000000000d0 R12:0000000000000000
[  450.401737] R13: ffffb54802ccfcb0 R14: ffffb54802ccfc48 R15:ffff9f736e0059a0
[  450.404292] FS:  00007f55a6bd7740(0000) GS:ffff9f737ba00000(0000) knlGS:0000000000000000
[  450.407106] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  450.409258] CR2: 0000000000000078 CR3: 0000000064214000 CR4:00000000000006f0
[  450.411801] Call Trace:
[  450.413074]  ib_uverbs_cmd_verbs.isra.5+0x94d/0xa60 [ib_uverbs]
[  450.415280]  ? copy_port_attr_to_resp+0x120/0x120 [ib_uverbs]
[  450.417461]  ? arch_tlb_finish_mmu+0x16/0xc0
[  450.419183]  ? tlb_finish_mmu+0x1f/0x30
[  450.420797]  ? unmap_region+0xd9/0x120
[  450.422393]  ib_uverbs_ioctl+0xbc/0x120 [ib_uverbs]
[  450.424312]  do_vfs_ioctl+0xa9/0x620
[  450.425858]  ? __do_munmap+0x29f/0x3a0
[  450.427445]  ksys_ioctl+0x60/0x90
[  450.428894]  __x64_sys_ioctl+0x16/0x20
[  450.430500]  do_syscall_64+0x5b/0x180
[  450.432095]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  450.434054] RIP: 0033:0x7f55a62cb567
[  450.435587] Code: 44 00 00 48 8b 05 29 09 2d 00 64 c7 00 26 00 00 00
               48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f
               05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f9 08 2d 00 f7 d8 64 89 01 48
[  450.441711] RSP: 002b:00007ffd5b3da6e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  450.444385] RAX: ffffffffffffffda RBX: 00007ffd5b3da808 RCX: 00007f55a62cb567
[  450.446954] RDX: 00007ffd5b3da7f0 RSI: 00000000c0181b01 RDI:0000000000000003
[  450.449535] RBP: 00007ffd5b3da7d0 R08: 00007ffd5b3da828 R09:0000000000000000
[  450.452090] R10: 0000000000000001 R11: 0000000000000246 R12:00007f55a6ba5150
[  450.454672] R13: 00007f55a6ba5010 R14: 0000000002446430 R15:0000000000000400
[  450.457319] Modules linked in: rdma_ucm rdma_cm iw_cm ib_ipoib ib_cm
ib_umad mlx5_ib(OE) mlx5_core(OE) mlxfw mlx4_en mlx4_ib ib_uverbs
ib_core mlx4_core devlink netconsole nfsv3 nfs_acl rpcsec_gss_krb5
auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache ipmi_devintf
ipmi_msghandler sunrpc dm_mirror dm_region_hash dm_log dm_mod
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel
crypto_simd cryptd glue_helper sg joydev pcspkr virtio_balloon i2c_piix4 ip_tables
ext4 mbcache jbd2 sd_mod virtio_net virtio_console net_failover failover
cirrus drm_kms_helper ata_generic syscopyarea sysfillrect pata
_acpi sysimgblt fb_sys_fops ttm drm crc32c_intel serio_raw virtio_pci
i2c_core ata_piix libata virtio_ring virtio floppy [last unloaded: mlxfw]
[  450.479670] CR2: 0000000000000078

Fixes: 641d1207d2ed ("IB/core: Move query port to ioctl")
Signed-off-by: Yishai Hadas <yishaih@xxxxxxxxxxxx>
Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
---
 drivers/infiniband/core/uverbs_std_types_device.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/uverbs_std_types_device.c b/drivers/infiniband/core/uverbs_std_types_device.c
index 5030ec480370..2a3f2f01028d 100644
--- a/drivers/infiniband/core/uverbs_std_types_device.c
+++ b/drivers/infiniband/core/uverbs_std_types_device.c
@@ -168,12 +168,18 @@ void copy_port_attr_to_resp(struct ib_port_attr *attr,
 static int UVERBS_HANDLER(UVERBS_METHOD_QUERY_PORT)(
 	struct uverbs_attr_bundle *attrs)
 {
-	struct ib_device *ib_dev = attrs->ufile->device->ib_dev;
+	struct ib_device *ib_dev;
 	struct ib_port_attr attr = {};
 	struct ib_uverbs_query_port_resp_ex resp = {};
+	struct ib_ucontext *ucontext;
 	int ret;
 	u8 port_num;
 
+	ucontext = ib_uverbs_get_ucontext(attrs);
+	if (IS_ERR(ucontext))
+		return PTR_ERR(ucontext);
+	ib_dev = ucontext->device;
+
 	/* FIXME: Extend the UAPI_DEF_OBJ_NEEDS_FN stuff.. */
 	if (!ib_dev->ops.query_port)
 		return -EOPNOTSUPP;
-- 
2.19.1







