On Mon, Feb 01, 2021 at 01:29:22PM +0200, Kamal Heib wrote:
> The size of tx_valid_cpus was calculated under the assumption that the
> numa nodes identifiers are continuous, which is not the case in all
> archs as this could lead to the following panic when trying to access an
> invalid tx_valid_cpus index, avoid the following panic by using
> nr_node_ids instead of num_online_nodes() to allocate the tx_valid_cpus
> size.
>
> Kernel attempted to read user page (8) - exploit attempt? (uid: 0)
> BUG: Kernel NULL pointer dereference on read at 0x00000008
> Faulting instruction address: 0xc0080000081b4a90
> Oops: Kernel access of bad area, sig: 11 [#1]
> LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
> Modules linked in: siw(+) rfkill rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm sunrpc ib_umad rdma_cm ib_cm iw_cm i40iw ib_uverbs ib_core i40e ses enclosure scsi_transport_sas ipmi_powernv ibmpowernv at24 ofpart ipmi_devintf regmap_i2c ipmi_msghandler powernv_flash uio_pdrv_genirq uio mtd opal_prd zram ip_tables xfs libcrc32c sd_mod t10_pi ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm vmx_crypto aacraid drm_panel_orientation_quirks dm_mod
> CPU: 40 PID: 3279 Comm: modprobe Tainted: G W X --------- --- 5.11.0-0.rc4.129.eln108.ppc64le #2
> NIP: c0080000081b4a90 LR: c0080000081b4a2c CTR: c0000000007ce1c0
> REGS: c000000027fa77b0 TRAP: 0300 Tainted: G W X --------- --- (5.11.0-0.rc4.129.eln108.ppc64le)
> MSR: 9000000002009033 <SF,HV,VEC,EE,ME,IR,DR,RI,LE> CR: 44224882 XER: 00000000
> CFAR: c0000000007ce200 DAR: 0000000000000008 DSISR: 40000000 IRQMASK: 0
> GPR00: c0080000081b4a2c c000000027fa7a50 c0080000081c3900 0000000000000040
> GPR04: c000000002023080 c000000012e1c300 000020072ad70000 0000000000000001
> GPR08: c000000001726068 0000000000000008 0000000000000008 c0080000081b5758
> GPR12: c0000000007ce1c0 c0000007fffc3000 00000001590b1e40 0000000000000000
> GPR16: 0000000000000000 0000000000000001 000000011ad68fc8 00007fffcc09c5c8
> GPR20: 0000000000000008 0000000000000000 00000001590b2850 00000001590b1d30
> GPR24: 0000000000043d68 000000011ad67a80 000000011ad67a80 0000000000100000
> GPR28: c000000012e1c300 c0000000020271c8 0000000000000001 c0080000081bf608
> NIP [c0080000081b4a90] siw_init_cpulist+0x194/0x214 [siw]
> LR [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw]
> Call Trace:
> [c000000027fa7a50] [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw] (unreliable)
> [c000000027fa7a90] [c0080000081b4e68] siw_init_module+0x40/0x2a0 [siw]
> [c000000027fa7b30] [c0000000000124f4] do_one_initcall+0x84/0x2e0
> [c000000027fa7c00] [c000000000267ffc] do_init_module+0x7c/0x350
> [c000000027fa7c90] [c00000000026a180] __do_sys_init_module+0x210/0x250
> [c000000027fa7db0] [c0000000000387e4] system_call_exception+0x134/0x230
> [c000000027fa7e10] [c00000000000d660] system_call_common+0xf0/0x27c
> Instruction dump:
> 40810044 3d420000 e8bf0000 e88a82d0 3d420000 e90a82c8 792a1f24 7cc4302a
> 7d2642aa 79291f24 7d25482a 7d295214 <7d4048a8> 7d4a3b78 7d4049ad 40c2fff4
> ---[ end trace 813d4c362755dcfc ]---
>
> Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface")
> Signed-off-by: Kamal Heib <kamalheib1@xxxxxxxxx>
> Reviewed-by: Bernard Metzler <bmt@xxxxxxxxxxxxxx>
> Tested-by: Yi Zhang <yi.zhang@xxxxxxxxxx>
> ---
>  drivers/infiniband/sw/siw/siw_main.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied to for-next, I think we are done for the -rcs now

Thanks
Jason
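
The sizing problem described in the quoted commit message, as an added userspace illustration (not code from the patch or from the siw driver): a table indexed by NUMA node id must be sized by the id span, which is what nr_node_ids provides, not by the number of online nodes. The nodemask type, the helper names and the sample node ids 0 and 8 are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-in (assumption): bit n set means NUMA node id n is online. */
typedef uint64_t nodemask;

/* Constructed sample: two online nodes with non-contiguous ids 0 and 8. */
#define SPARSE_NODES (((nodemask)1 << 0) | ((nodemask)1 << 8))

/* Analogue of num_online_nodes(): the number of online nodes. */
unsigned count_online(nodemask m) {
    unsigned n = 0;
    for (; m; m &= m - 1) n++;
    return n;
}

/* Analogue of nr_node_ids: one more than the highest node id. */
unsigned id_span(nodemask m) {
    unsigned n = 0;
    for (; m; m >>= 1) n++;
    return n;
}

/* First online node id that is not a valid index into a table of
 * `slots` entries, or -1 when every online id fits. */
int first_out_of_range(nodemask m, unsigned slots) {
    for (unsigned id = 0; id < 64; id++)
        if (((m >> id) & 1) && id >= slots) return (int)id;
    return -1;
}

/* Table indexed by node id, sized by the id span: online slots hold
 * their own id, holes hold -1. Caller frees. */
int *alloc_per_node(nodemask m, unsigned *slots) {
    *slots = id_span(m);
    int *tbl = calloc(*slots ? *slots : 1, sizeof(*tbl));
    for (unsigned id = 0; tbl && id < *slots; id++)
        tbl[id] = ((m >> id) & 1) ? (int)id : -1;
    return tbl;
}

int main(void) {
    unsigned by_count = count_online(SPARSE_NODES), by_span = id_span(SPARSE_NODES);
    printf("sized by count (%u): first bad id %d\n", by_count,
           first_out_of_range(SPARSE_NODES, by_count));
    printf("sized by id span (%u): first bad id %d\n", by_span,
           first_out_of_range(SPARSE_NODES, by_span));
    return 0;
}
```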