On Mon, Oct 12, 2020 at 07:56:00AM +0300, Leon Romanovsky wrote:
> From: Maor Gottlieb <maorg@xxxxxxxxxx>
>
> ucma_free_ctx should call __destroy_id on all the connection
> requests that have not been delivered to user space. Currently
> it calls it on the context itself and causes a use after free.
>
> Fixes the below trace:
> BUG: Unable to handle kernel data access on write at
> 0x5deadbeef0000108
> Faulting instruction address: 0xc0080000002428f4
> Oops: Kernel access of bad area, sig: 11 [#1]
> Call Trace:
> [c000000207f2b680] [c00800000024280c] .__destroy_id+0x28c/0x610 [rdma_ucm] (unreliable)
> [c000000207f2b750] [c0080000002429c4] .__destroy_id+0x444/0x610 [rdma_ucm]
> [c000000207f2b820] [c008000000242c24] .ucma_close+0x94/0xf0 [rdma_ucm]
> [c000000207f2b8c0] [c00000000046fbdc] .__fput+0xac/0x330
> [c000000207f2b960] [c00000000015d48c] .task_work_run+0xbc/0x110
> [c000000207f2b9f0] [c00000000012fb00] .do_exit+0x430/0xc50
> [c000000207f2bae0] [c0000000001303ec] .do_group_exit+0x5c/0xd0
> [c000000207f2bb70] [c000000000144a34] .get_signal+0x194/0xe30
> [c000000207f2bc60] [c00000000001f6b4] .do_notify_resume+0x124/0x470
> [c000000207f2bd60] [c000000000032484]
> .interrupt_exit_user_prepare+0x1b4/0x240
> [c000000207f2be20] [c000000000010034] interrupt_return+0x14/0x1c0
> Instruction dump:
> 7d094378 3906ffe8 4082ffa8 3f205dea 3f405dea e95d0120 e91d0118
> 6339dbee
> 635adbee e93f0888 7b3907c6 7b5a07c6 <f9480008> 6739f000 f90a0000
> 675af000
> ---[ end trace 9796e2b012b61b83 ]---
>
> Fixes: a1d33b70dbbc ("RDMA/ucma: Rework how new connections are passed through event delivery")
> Signed-off-by: Maor Gottlieb <maorg@xxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxx>
> ---
>  drivers/infiniband/core/ucma.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)

Don't word wrap oops messages.

Applied to for-next.

Thanks,
Jason