[PATCH rdma-next] RDMA/rxe: Fix slab-out-bounda access which lead to kernel crash later

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Leon Romanovsky <leonro@xxxxxxxxxxxx>

[   80.194474] BUG: KASAN: slab-out-of-bounds in rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
[   80.194852] Read of size 8 at addr ffff88805c01a608 by task ib_send_bw/573
[   80.195245]
[   80.195389] CPU: 24 PID: 573 Comm: ib_send_bw Not tainted 5.0.0-rc5+ #189
[   80.195772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   80.196436] Call Trace:
[   80.198760]  rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
[   80.199603]  rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
[   80.200210]  ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
[   80.201522]  ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
[   80.202351]  ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
[   80.198760]  rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
[   80.199603]  rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
[   80.200210]  ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
[   80.201522]  ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
[   80.202351]  ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
[   80.204980]  ib_uverbs_cmd_verbs+0x5f2/0xf20 [ib_uverbs]
[   80.206553]  ib_uverbs_ioctl+0x202/0x310 [ib_uverbs]
[   80.207298]  do_vfs_ioctl+0x193/0x1440
[   80.209126]  ksys_ioctl+0x3a/0x70
[   80.209266]  __x64_sys_ioctl+0x6f/0xb0
[   80.209415]  do_syscall_64+0x13f/0x570
[   80.210320]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   80.210508] RIP: 0033:0x7fa2399aa09b
[   80.210651] Code: 0f 1e fa 48 8b 05 ed bd 0c 00 64 c7 00 26 00 00 00
48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d bd bd 0c 00 f7 d8 64 89 01  48
[   80.211272] RSP: 002b:00007ffce51e7c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   80.211567] RAX: ffffffffffffffda RBX: 00007ffce51e7cf0 RCX: 00007fa2399aa09b
[   80.211835] RDX: 00007ffce51e7d10 RSI: 00000000c0181b01 RDI: 0000000000000003
[   80.212133] RBP: 00007ffce51e7d28 R08: 0000000000000028 R09: 00007ffce51e7ea4
[   80.212409] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000023d6420
[   80.212693] R13: 00007ffce51e7cf0 R14: 00007ffce51e7eb8 R15: 0000000000000000
[   80.212972]
[   80.213066] Allocated by task 573:
[   80.213208]  __kasan_kmalloc.constprop.5+0xc1/0xd0
[   80.213392]  __kmalloc+0x161/0x310
[   80.213536]  rxe_mem_alloc+0x52/0x470 [rdma_rxe]
[   80.213719]  rxe_mem_init_user+0x113/0x740 [rdma_rxe]
[   80.213913]  rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
[   80.214121]  ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
[   80.214309]  ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
[   80.214584]  ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
[   80.214769]  ib_uverbs_cmd_verbs+0x5f2/0xf20 [ib_uverbs]
[   80.214971]  ib_uverbs_ioctl+0x202/0x310 [ib_uverbs]
[   80.215156]  do_vfs_ioctl+0x193/0x1440
[   80.215296]  ksys_ioctl+0x3a/0x70
[   80.215435]  __x64_sys_ioctl+0x6f/0xb0
[   80.215572]  do_syscall_64+0x13f/0x570
[   80.215708]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   80.215886]
[   80.215995] Freed by task 0:
[   80.216134]  __kasan_slab_free+0x12e/0x180
[   80.216278]  kfree+0x10a/0x2c0
[   80.216445]  rcu_process_callbacks+0xa77/0x1260
[   80.216637]  __do_softirq+0x2ad/0xacb
[   80.216771]
[   80.216867] The buggy address belongs to the object at ffff88805c01a588
[   80.216867]  which belongs to the cache kmalloc-128 of size 128
[   80.217281] The buggy address is located 0 bytes to the right of
[   80.217281]  128-byte region [ffff88805c01a588, ffff88805c01a608)
[   80.217684] The buggy address belongs to the page:
[   80.217871] page:ffffea0001700600 count:1 mapcount:0 mapping:ffff8880648173c0 index:0xffff88805c018008 compound_mapcount: 0
[   80.218236] flags: 0x4000000000010200(slab|head)
[   80.218420] raw: 4000000000010200 ffffea0001786b08 ffff888064800990 ffff8880648173c0
[   80.218707] raw: ffff88805c018008 0000000000220011 00000001ffffffff 0000000000000000
[   80.218984] page dumped because: kasan: bad access detected
[   80.219166]
[   80.219261] Memory state around the buggy address:
[   80.219451]  ffff88805c01a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   80.219724]  ffff88805c01a580: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   80.220007] >ffff88805c01a600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   80.220275]                       ^
[   80.220418]  ffff88805c01a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   80.220689]  ffff88805c01a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb

Test scenario:
 ib_send_bw -x 1 -d rxe0 -a &
 ib_send_bw -x 1 -d rxe0 -a localhost

Fixes: 8700e3e7c485 ("Soft RoCE driver")
Reported-by: Parav Pandit <parav@xxxxxxxxxxxx>
Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
---
 drivers/infiniband/sw/rxe/rxe_mr.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
index 42f0f25e396c..ec89fbd06c53 100644
--- a/drivers/infiniband/sw/rxe/rxe_mr.c
+++ b/drivers/infiniband/sw/rxe/rxe_mr.c
@@ -199,6 +199,12 @@ int rxe_mem_init_user(struct rxe_pd *pd, u64 start,
 		buf = map[0]->buf;
 
 		for_each_sg_page(umem->sg_head.sgl, &sg_iter, umem->nmap, 0) {
+			if (num_buf >= RXE_BUF_PER_MAP) {
+				map++;
+				buf = map[0]->buf;
+				num_buf = 0;
+			}
+
 			vaddr = page_address(sg_page_iter_page(&sg_iter));
 			if (!vaddr) {
 				pr_warn("null vaddr\n");
@@ -211,11 +217,6 @@ int rxe_mem_init_user(struct rxe_pd *pd, u64 start,
 			num_buf++;
 			buf++;
 
-			if (num_buf >= RXE_BUF_PER_MAP) {
-				map++;
-				buf = map[0]->buf;
-				num_buf = 0;
-			}
 		}
 	}
 
-- 
2.19.1




[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Photo]     [Yosemite News]     [Yosemite Photos]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux