[PATCH rdma-rc] IB/uverbs: Fix OOPs in uverbs_user_mmap_disassociate

From: Yishai Hadas <yishaih@xxxxxxxxxxxx>

The vma->vm_mm can become impossible to get before rdma_umap_close() is called;
in this case we must not try to get an mm that is already undergoing
process exit. In this case there is no need to wait for anything as the
VMA will be destroyed by another thread soon and is already effectively
'unreachable' by userspace.

[ 5789.275482] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 5789.283365] PGD 800000012bc50067 P4D 800000012bc50067 PUD 129db5067 PMD 0
[ 5789.285572] Oops: 0000 [#1] SMP PTI
[ 5789.286872] CPU: 1 PID: 2050 Comm: bash Tainted: G        W  OE 4.20.0-rc6+ #3
[ 5789.289096] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 5789.290920] RIP: 0010:__rb_erase_color+0xb9/0x280
[ 5789.292396] Code: 84 17 01 00 00 48 3b 68 10 0f 84 15 01 00 00 48 89
               58 08 48 89 de 48 89 ef 4c 89 e3 e8 90 84 22 00 e9 60 ff ff ff 48 8b 5d
               10 <f6> 03 01 0f 84 9c 00 00 00 48 8b 43 10 48 85 c0 74 09 f6 00 01 0f
[ 5789.298145] RSP: 0018:ffffbecfc090bab8 EFLAGS: 00010246
[ 5789.299993] RAX: ffff97616346cf30 RBX: 0000000000000000 RCX: 0000000000000101
[ 5789.302378] RDX: 0000000000000000 RSI: ffff97623b6ca828 RDI: ffff97621ef10828
[ 5789.304655] RBP: ffff97621ef10828 R08: ffff97621ef10828 R09: 0000000000000000
[ 5789.306891] R10: 0000000000000000 R11: 0000000000000000 R12: ffff97623b6ca838
[ 5789.309065] R13: ffffffffbb3fef50 R14: ffff97623b6ca828 R15: 0000000000000000
[ 5789.311291] FS:  00007f7a5c31d740(0000) GS:ffff97623bb00000(0000) knlGS:0000000000000000
[ 5789.314101] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5789.316196] CR2: 0000000000000000 CR3: 000000011255a000 CR4: 00000000000006e0
[ 5789.318580] Call Trace:
[ 5789.319770]  unlink_file_vma+0x3b/0x50
[ 5789.321287]  free_pgtables+0xa1/0x110
[ 5789.322812]  exit_mmap+0xca/0x1a0
[ 5789.324185]  ? mlx5_ib_dealloc_pd+0x28/0x30 [mlx5_ib]
[ 5789.325978]  mmput+0x54/0x140
[ 5789.327364]  uverbs_user_mmap_disassociate+0xcc/0x160 [ib_uverbs]
[ 5789.329610]  uverbs_destroy_ufile_hw+0xf7/0x120 [ib_uverbs]
[ 5789.331559]  ib_uverbs_remove_one+0xea/0x240 [ib_uverbs]
[ 5789.333684]  ib_unregister_device+0xfb/0x200 [ib_core]
[ 5789.335452]  mlx5_ib_remove+0x51/0xe0 [mlx5_ib]
[ 5789.337235]  mlx5_remove_device+0xc1/0xd0 [mlx5_core]
[ 5789.339170]  mlx5_unregister_device+0x3d/0xb0 [mlx5_core]
[ 5789.340987]  remove_one+0x2a/0x90 [mlx5_core]
[ 5789.342766]  pci_device_remove+0x3b/0xc0
[ 5789.344310]  device_release_driver_internal+0x16d/0x240
[ 5789.346102]  unbind_store+0xb2/0x100
[ 5789.347502]  kernfs_fop_write+0x102/0x180
[ 5789.349050]  __vfs_write+0x36/0x1a0
[ 5789.350446]  ? __alloc_fd+0xa9/0x170
[ 5789.351928]  ? set_close_on_exec+0x49/0x70
[ 5789.353571]  vfs_write+0xad/0x1a0
[ 5789.355019]  ksys_write+0x52/0xc0
[ 5789.356386]  do_syscall_64+0x5b/0x180
[ 5789.357868]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 5789.359740] RIP: 0033:0x7f7a5ba1ac60
[ 5789.361088] Code: 73 01 c3 48 8b 0d 30 62 2d 00 f7 d8 64 89 01 48 83
               c8 ff c3 66 0f 1f 44 00 00 83 3d 3d c3 2d 00 00 75 10 b8 01 00 00 00 0f
               05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee cb 01 00 48 89 04 24
[ 5789.366692] RSP: 002b:00007ffecde8fda8 EFLAGS: 00000246 ORIG_RAX:0000000000000001
[ 5789.368992] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f7a5ba1ac60
[ 5789.371287] RDX: 000000000000000d RSI: 00007f7a5c345000 RDI: 0000000000000001
[ 5789.373553] RBP: 00007f7a5c345000 R08: 000000000000000a R09: 00007f7a5c31d740
[ 5789.375733] R10: 00007f7a5c31d740 R11: 0000000000000246 R12: 00007f7a5bcf2400
[ 5789.377869] R13: 000000000000000d R14: 0000000000000001 R15: 0000000000000000
[ 5789.380193] Modules linked in: netconsole rdma_ucm rdma_cm iw_cm
ib_ipoib ib_cm ib_umad mlx5_ib(OE) mlx5_core(OE) mlxfw mlx4_en mlx4_ib
ib_uverbs(OE) ib_core mlx4_core devlink nfsv3 nfs_acl rpcsec_gss_krb5
auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache ipmi_devintf
ipmi_msghandler sunrpc dm_mirror dm_region_hash dm_log dm_mod
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel
crypto_simd cryptd glue_helper joydev pcspkr virtio_balloon sg i2c_piix4
ip_tables ext4 mbcache jbd2 sd_mod ata_generic pata_acpi cirrus
drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
virtio_net ata_piix net_failover failover libata virtio_console i2c_core
crc32c_intel virtio_pci serio_raw virtio_ring virtio floppy [last
unloaded: netconsole]
[ 5789.403184] CR2: 0000000000000000

Cc: <stable@xxxxxxxxxxxxxxx> # 4.19
Fixes: 5f9794dc94f5 ("RDMA/ucontext: Add a core API for mmaping driver IO memory")
Signed-off-by: Yishai Hadas <yishaih@xxxxxxxxxxxx>
Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
---
 drivers/infiniband/core/uverbs_main.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
index 15add0688fbb..5f366838b7ff 100644
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -967,11 +967,19 @@ void uverbs_user_mmap_disassociate(struct ib_uverbs_file *ufile)

 		/* Get an arbitrary mm pointer that hasn't been cleaned yet */
 		mutex_lock(&ufile->umap_lock);
-		if (!list_empty(&ufile->umaps)) {
-			mm = list_first_entry(&ufile->umaps,
-					      struct rdma_umap_priv, list)
-				     ->vma->vm_mm;
-			mmget(mm);
+		while (!list_empty(&ufile->umaps)) {
+			int ret;
+
+			priv = list_first_entry(&ufile->umaps,
+						struct rdma_umap_priv, list);
+			mm = priv->vma->vm_mm;
+			ret = mmget_not_zero(mm);
+			if (!ret) {
+				list_del_init(&priv->list);
+				mm = NULL;
+				continue;
+			}
+			break;
 		}
 		mutex_unlock(&ufile->umap_lock);
 		if (!mm)
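Review bot: the skip path `if (!ret) { list_del_init(&priv->list); mm = NULL; continue; }` unlinks the entry but neither frees `priv` nor clears anything on `priv->vma`, and nothing in the hunk says why that is safe; add a comment stating that the owning process is already in exit and that rdma_umap_close(), which the commit message says will still run on the dying VMA, remains responsible for tearing `priv` down, and that `list_del_init()` rather than `list_del()` is deliberate so a later unlink of the already-detached entry is harmless. Two smaller points: `int ret` exists only to feed a single test, so `if (!mmget_not_zero(mm))` reads more naturally and drops the block-scope declaration; and the comment "Get an arbitrary mm pointer that hasn't been cleaned yet" above the loop should now also say that mms whose user count has already reached zero are skipped, since that is the point of the change.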
--
2.19.1
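As an added example, not code from this patch or from the kernel tree: the commit message and the trace above describe a reference-count race, where uverbs_user_mmap_disassociate() takes an mm whose mm_users has already dropped to zero (the owner is in exit_mmap()), and the later mmput() runs the teardown a second time on a half-destroyed mm. The user-space C model below reproduces that race with an atomic counter and contrasts the unconditional get the old code did with the increment-if-non-zero loop the fix uses. Every name in it (mm_model, umap_entry, model_mmget, model_mmget_not_zero, pick_mm_old, pick_mm_fixed, run_scenario) is invented for the illustration, and the two-entry list is constructed input.

```c
/*
 * Added example (not code from the patch or the kernel): a user-space model
 * of why mmget() on an mm whose mm_users already hit zero is fatal, and how
 * the mmget_not_zero() loop in the fix avoids it. All names here are
 * invented for this illustration.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct mm_model {
	atomic_int mm_users;	/* stands in for mm->mm_users */
	int exit_mmap_runs;	/* how many times the teardown ran on this mm */
};

struct umap_entry {
	struct mm_model *mm;	/* stands in for priv->vma->vm_mm */
	bool on_list;		/* stands in for membership in ufile->umaps */
};

/* mmget(): unconditional increment, what the old code did. */
static void model_mmget(struct mm_model *mm)
{
	atomic_fetch_add(&mm->mm_users, 1);
}

/* mmget_not_zero(): take a reference only while the count is still > 0. */
static bool model_mmget_not_zero(struct mm_model *mm)
{
	int old = atomic_load(&mm->mm_users);

	while (old > 0) {
		/* on failure 'old' is reloaded with the value we raced against */
		if (atomic_compare_exchange_weak(&mm->mm_users, &old, old + 1))
			return true;
	}
	return false;
}

/* mmput(): drop a reference; the last one runs the mm teardown. */
static void model_mmput(struct mm_model *mm)
{
	if (atomic_fetch_sub(&mm->mm_users, 1) == 1)
		mm->exit_mmap_runs++;	/* stands in for exit_mmap() */
}

/* Pre-fix selection: first entry on the list, mmget() it blindly. */
static struct mm_model *pick_mm_old(struct umap_entry *ents, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		if (!ents[i].on_list)
			continue;
		model_mmget(ents[i].mm);
		return ents[i].mm;
	}
	return NULL;
}

/* Fixed selection: unlink entries whose mm is already dying, keep looking. */
static struct mm_model *pick_mm_fixed(struct umap_entry *ents, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		if (!ents[i].on_list)
			continue;
		if (!model_mmget_not_zero(ents[i].mm)) {
			ents[i].on_list = false;	/* list_del_init(&priv->list) */
			continue;
		}
		return ents[i].mm;
	}
	return NULL;
}

/*
 * Constructed scenario: the process owning entry 0 is already in exit
 * (mm_users reached 0 and the teardown ran once); entry 1 belongs to a
 * live process. Returns how many times the teardown ran on the dying mm
 * after disassociate took and released its reference.
 */
static int run_scenario(bool use_fixed_loop)
{
	struct mm_model dying = { .mm_users = 0, .exit_mmap_runs = 1 };
	struct mm_model alive = { .mm_users = 1, .exit_mmap_runs = 0 };
	struct umap_entry ents[2] = { { &dying, true }, { &alive, true } };
	struct mm_model *mm = use_fixed_loop ? pick_mm_fixed(ents, 2)
					     : pick_mm_old(ents, 2);

	if (mm)
		model_mmput(mm);	/* disassociate is done with the mm */
	return dying.exit_mmap_runs;
}

int main(void)
{
	printf("old loop: teardown ran %d times on the dying mm\n",
	       run_scenario(false));
	printf("fixed loop: teardown ran %d times on the dying mm\n",
	       run_scenario(true));
	return 0;
}
```

With the old loop the dying mm is resurrected to one user and the model's mmput() runs the teardown on it a second time, which is the double exit_mmap() the trace shows crashing in free_pgtables(). With the fixed loop the dying entry is dropped from the list, the live mm is taken and released cleanly, and the dying mm is torn down exactly once by its owner.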
