On Sun, Jan 27, 2019 at 10:11:27AM +0200, Leon Romanovsky wrote:
> From: Yishai Hadas <yishaih@xxxxxxxxxxxx>
>
> The vma->vm_mm can become impossible to get before rdma_umap_close() is called,
> in this case we must not try to get an mm that is already undergoing
> process exit. In this case there is no need to wait for anything as the
> VMA will be destroyed by another thread soon and is already effectively
> 'unreachable' by userspace.
>
> [ 5789.275482] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> [ 5789.283365] PGD 800000012bc50067 P4D 800000012bc50067 PUD 129db5067 PMD 0
> [ 5789.285572] Oops: 0000 [#1] SMP PTI
> [ 5789.286872] CPU: 1 PID: 2050 Comm: bash Tainted: G W OE 4.20.0-rc6+ #3
> [ 5789.289096] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
> [ 5789.290920] RIP: 0010:__rb_erase_color+0xb9/0x280
> [ 5789.292396] Code: 84 17 01 00 00 48 3b 68 10 0f 84 15 01 00 00 48 89
> 58 08 48 89 de 48 89 ef 4c 89 e3 e8 90 84 22 00 e9 60 ff ff ff 48 8b 5d
> 10 <f6> 03 01 0f 84 9c 00 00 00 48 8b 43 10 48 85 c0 74 09 f6 00 01 0f
> [ 5789.298145] RSP: 0018:ffffbecfc090bab8 EFLAGS: 00010246
> [ 5789.299993] RAX: ffff97616346cf30 RBX: 0000000000000000 RCX: 0000000000000101
> [ 5789.302378] RDX: 0000000000000000 RSI: ffff97623b6ca828 RDI: ffff97621ef10828
> [ 5789.304655] RBP: ffff97621ef10828 R08: ffff97621ef10828 R09: 0000000000000000
> [ 5789.306891] R10: 0000000000000000 R11: 0000000000000000 R12: ffff97623b6ca838
> [ 5789.309065] R13: ffffffffbb3fef50 R14: ffff97623b6ca828 R15: 0000000000000000
> [ 5789.311291] FS: 00007f7a5c31d740(0000) GS:ffff97623bb00000(0000) knlGS:0000000000000000
> [ 5789.314101] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 5789.316196] CR2: 0000000000000000 CR3: 000000011255a000 CR4: 00000000000006e0
> [ 5789.318580] Call Trace:
> [ 5789.319770] unlink_file_vma+0x3b/0x50
> [ 5789.321287] free_pgtables+0xa1/0x110
> [ 5789.322812] exit_mmap+0xca/0x1a0
> [ 5789.324185] ? mlx5_ib_dealloc_pd+0x28/0x30 [mlx5_ib]
> [ 5789.325978] mmput+0x54/0x140
> [ 5789.327364] uverbs_user_mmap_disassociate+0xcc/0x160 [ib_uverbs]
> [ 5789.329610] uverbs_destroy_ufile_hw+0xf7/0x120 [ib_uverbs]
> [ 5789.331559] ib_uverbs_remove_one+0xea/0x240 [ib_uverbs]
> [ 5789.333684] ib_unregister_device+0xfb/0x200 [ib_core]
> [ 5789.335452] mlx5_ib_remove+0x51/0xe0 [mlx5_ib]
> [ 5789.337235] mlx5_remove_device+0xc1/0xd0 [mlx5_core]
> [ 5789.339170] mlx5_unregister_device+0x3d/0xb0 [mlx5_core]
> [ 5789.340987] remove_one+0x2a/0x90 [mlx5_core]
> [ 5789.342766] pci_device_remove+0x3b/0xc0
> [ 5789.344310] device_release_driver_internal+0x16d/0x240
> [ 5789.346102] unbind_store+0xb2/0x100
> [ 5789.347502] kernfs_fop_write+0x102/0x180
> [ 5789.349050] __vfs_write+0x36/0x1a0
> [ 5789.350446] ? __alloc_fd+0xa9/0x170
> [ 5789.351928] ? set_close_on_exec+0x49/0x70
> [ 5789.353571] vfs_write+0xad/0x1a0
> [ 5789.355019] ksys_write+0x52/0xc0
> [ 5789.356386] do_syscall_64+0x5b/0x180
> [ 5789.357868] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 5789.359740] RIP: 0033:0x7f7a5ba1ac60
> [ 5789.361088] Code: 73 01 c3 48 8b 0d 30 62 2d 00 f7 d8 64 89 01 48 83
> c8 ff c3 66 0f 1f 44 00 00 83 3d 3d c3 2d 00 00 75 10 b8 01 00 00 00 0f
> 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee cb 01 00 48 89 04 24
> [ 5789.366692] RSP: 002b:00007ffecde8fda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> [ 5789.368992] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f7a5ba1ac60
> [ 5789.371287] RDX: 000000000000000d RSI: 00007f7a5c345000 RDI: 0000000000000001
> [ 5789.373553] RBP: 00007f7a5c345000 R08: 000000000000000a R09: 00007f7a5c31d740
> [ 5789.375733] R10: 00007f7a5c31d740 R11: 0000000000000246 R12: 00007f7a5bcf2400
> [ 5789.377869] R13: 000000000000000d R14: 0000000000000001 R15: 0000000000000000
> [ 5789.380193] Modules linked in: netconsole rdma_ucm rdma_cm iw_cm
> ib_ipoib ib_cm ib_umad mlx5_ib(OE) mlx5_core(OE) mlxfw mlx4_en mlx4_ib
> ib_uverbs(OE) ib_core mlx4_core devlink nfsv3 nfs_acl rpcsec_gss_krb5
> auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache ipmi_devintf
> ipmi_msghandler sunrpc dm_mirror dm_region_hash dm_log dm_mod
> crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel
> crypto_simd cryptd glue_helper joydev pcspkr virtio_balloon sg i2c_piix4
> ip_tables ext4 mbcache jbd2 sd_mod ata_generic pata_acpi cirrus
> drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
> virtio_net ata_piix net_failover failover libata virtio_console i2c_core
> crc32c_intel virtio_pci serio_raw virtio_ring virtio floppy [last
> unloaded: netconsole]
> [ 5789.403184] CR2: 0000000000000000
>
> Cc: <stable@xxxxxxxxxxxxxxx> # 4.19
> Fixes: 5f9794dc94f5 ("RDMA/ucontext: Add a core API for mmaping driver IO memory")
> Signed-off-by: Yishai Hadas <yishaih@xxxxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
>
> drivers/infiniband/core/uverbs_main.c | 18 +++++++++++++-----
> 1 file changed, 13 insertions(+), 5 deletions(-)

Applied to for-rc

Thanks,
Jason
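The commit message above describes a disassociate loop that must not take a reference on an mm whose process is already exiting. The following is an added user-space model of that pattern (constructed for this thread, not the kernel's or the patch's code): `mm_users` stands in for the kernel's `mm->mm_users`, `mmget_not_zero_model()` mirrors the "increment only if not already zero" refcount rule, and `disassociate_model()` skips any VMA whose mm has already dropped to zero instead of resurrecting it. All names are hypothetical.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of an mm: mm_users reaches 0 once the process exits. */
struct mm_model {
    atomic_int mm_users;
    int vmas_unmapped;     /* work done only while a reference is held */
};

struct vma_model {
    struct mm_model *vm_mm;
};

/* Take a reference only if the count is not already zero (the inc-not-zero
 * rule).  Returns false when the mm is already undergoing process exit. */
static bool mmget_not_zero_model(struct mm_model *mm)
{
    int old = atomic_load(&mm->mm_users);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&mm->mm_users, &old, old + 1))
            return true;   /* old is refreshed on failure; retry */
    }
    return false;
}

static void mmput_model(struct mm_model *mm)
{
    atomic_fetch_sub(&mm->mm_users, 1);
}

/* Model of the disassociate loop: pin each VMA's mm before touching it.
 * An exiting mm is skipped; its VMAs are torn down by exit_mmap() anyway.
 * Returns the number of VMAs handled; *skipped counts the ones left alone. */
int disassociate_model(struct vma_model *vmas, size_t n, int *skipped)
{
    int unmapped = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        struct mm_model *mm = vmas[i].vm_mm;
        if (!mmget_not_zero_model(mm)) {
            (*skipped)++;  /* never bump a zero refcount back to life */
            continue;
        }
        mm->vmas_unmapped++;
        unmapped++;
        mmput_model(mm);   /* balance the reference we took above */
    }
    return unmapped;
}
```

An unconditional increment here would turn a dead mm into a live-looking one and let the loop race the exiting thread's teardown, which is the failure mode the quoted trace shows.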