leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
3540669761
linux/drivers/infiniband/core
History
Maor Gottlieb 87c4c774cb RDMA/cm: Protect access to remote_sidr_table 
cm.lock must be held while accessing remote_sidr_table. This fixes the
below NULL pointer dereference.

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 0 P4D 0
  Oops: 0002 [#1] SMP PTI
  CPU: 2 PID: 7288 Comm: udaddy Not tainted 5.7.0_for_upstream_perf_2020_06_09_15_14_20_38 #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
  RIP: 0010:rb_erase+0x10d/0x360
  Code: 00 00 00 48 89 c1 48 89 d0 48 8b 50 08 48 39 ca 74 48 f6 02 01 75 af 48 8b 7a 10 48 89 c1 48 83 c9 01 48 89 78 08 48 89 42 10 <48> 89 0f 48 8b 08 48 89 0a 48 83 e1 fc 48 89 10 0f 84 b1 00 00 00
  RSP: 0018:ffffc90000f77c30 EFLAGS: 00010086
  RAX: ffff8883df27d458 RBX: ffff8883df27da58 RCX: ffff8883df27d459
  RDX: ffff8883d183fa58 RSI: ffffffffa01e8d00 RDI: 0000000000000000
  RBP: ffff8883d62ac800 R08: 0000000000000000 R09: 00000000000000ce
  R10: 000000000000000a R11: 0000000000000000 R12: ffff8883df27da00
  R13: ffffc90000f77c98 R14: 0000000000000130 R15: 0000000000000000
  FS:  00007f009f877740(0000) GS:ffff8883f1a00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000000 CR3: 00000003d467e003 CR4: 0000000000160ee0
  Call Trace:
   cm_send_sidr_rep_locked+0x15a/0x1a0 [ib_cm]
   ib_send_cm_sidr_rep+0x2b/0x50 [ib_cm]
   cma_send_sidr_rep+0x8b/0xe0 [rdma_cm]
   __rdma_accept+0x21d/0x2b0 [rdma_cm]
   ? ucma_get_ctx+0x2b/0xe0 [rdma_ucm]
   ? _copy_from_user+0x30/0x60
   ucma_accept+0x13e/0x1e0 [rdma_ucm]
   ucma_write+0xb4/0x130 [rdma_ucm]
   vfs_write+0xad/0x1a0
   ksys_write+0x9d/0xb0
   do_syscall_64+0x48/0x130
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x7f009ef60924
  Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 80 00 00 00 00 8b 05 2a ef 2c 00 48 63 ff 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 55 53 48 89 d5 48 89 f3 48 83
  RSP: 002b:00007fff843edf38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
  RAX: ffffffffffffffda RBX: 000055743042e1d0 RCX: 00007f009ef60924
  RDX: 0000000000000130 RSI: 00007fff843edf40 RDI: 0000000000000003
  RBP: 00007fff843ee0e0 R08: 0000000000000000 R09: 0000557430433090
  R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
  R13: 00007fff843edf40 R14: 000000000000038c R15: 00000000ffffff00
  CR2: 0000000000000000

Fixes: 6a8824a74b ("RDMA/cm: Allow ib_send_cm_sidr_rep() to be done under lock")
Link: https://lore.kernel.org/r/20200716105519.1424266-1-leon@kernel.org
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2020-07-16 09:58:53 -03:00
..
addr.c RDMA/addr: Mark addr_resolve as might_sleep() 2020-05-12 21:32:52 -03:00
agent.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
agent.h
cache.c IB/core: Fix potential NULL pointer dereference in pkey cache 2020-05-12 11:47:48 -03:00
cgroup.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
cm_msgs.h RDMA/cm: Remove CM message structs 2020-01-25 15:11:37 -04:00
cm.c RDMA/cm: Protect access to remote_sidr_table 2020-07-16 09:58:53 -03:00
cma_configfs.c IB/cma: Fix ports memory leak in cma_configfs 2020-05-22 15:37:19 -03:00
cma_priv.h RDMA/ucma: Extend ucma_connect to receive ECE parameters 2020-05-27 16:05:05 -03:00
cma_trace.c RDMA/cma: Add trace points in RDMA Connection Manager 2020-01-07 16:10:53 -04:00
cma_trace.h RDMA/core: Move and rename trace_cm_id_create() 2020-06-02 20:32:54 -03:00
cma.c RDMA/cma: Protect bind_list and listen_list while finding matching cm id 2020-06-18 09:48:54 -03:00
core_priv.h RDMA/core: Introduce shared CQ pool API 2020-05-29 16:09:02 -03:00
counters.c RDMA/counter: Query a counter before release 2020-06-22 14:36:56 -03:00
cq.c RDMA/core: Introduce shared CQ pool API 2020-05-29 16:09:02 -03:00
device.c RDMA/core: Remove FMR device ops 2020-06-02 20:32:54 -03:00
ib_core_uverbs.c RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence 2020-01-25 14:48:33 -04:00
iwcm.c RDMA/iwcm: Fix iwcm work deallocation 2020-03-04 14:28:25 -04:00
iwcm.h
iwpm_msg.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.h infiniband: fix core/ipwm_util.h kernel-doc warnings 2019-10-22 14:45:31 -03:00
lag.c RDMA/core: Consider flow label when building skb 2020-05-06 16:51:43 -03:00
mad_priv.h RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
mad_rmpp.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
mad_rmpp.h
mad.c IB/mad: Fix use after free when destroying MAD agent 2020-06-22 14:57:44 -03:00
Makefile RDMA/core: Remove FMR pool API 2020-06-02 20:32:53 -03:00
mr_pool.c Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
multicast.c RDMA: Allow ib_client's to fail when add() is called 2020-05-06 11:57:33 -03:00
netlink.c IB/core: Avoid deadlock during netlink message handling 2019-10-24 20:49:37 -03:00
nldev.c RDMA/core: Fix double put of resource 2020-05-12 11:47:48 -03:00
opa_smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
packer.c
rdma_core.c RDMA/core: Fix race in rdma_alloc_commit_uobject() 2020-07-16 09:58:53 -03:00
rdma_core.h IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
restrack.c RDMA/restrack: Remove PID namespace support 2019-10-23 15:58:31 -03:00
restrack.h RDMA/restrack: Remove PID namespace support 2019-10-23 15:58:31 -03:00
roce_gid_mgmt.c drivers: use in_dev_for_each_ifa_rtnl/rcu 2019-06-02 18:06:26 -07:00
rw.c RDMA/rw: use DIV_ROUND_UP to calculate nr_ops 2020-04-15 11:34:49 -03:00
sa_query.c IB/sa: Resolv use-after-free in ib_nl_make_request() 2020-07-02 16:05:12 -03:00
sa.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
security.c RDMA/core: Ensure security pkey modify is not lost 2020-03-24 19:53:25 -03:00
smi.c
smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
sysfs.c RDMA/core: Fix several reference count leaks. 2020-05-29 15:35:49 -03:00
trace.c RDMA/core: Trace points for diagnosing completion queue issues 2020-01-07 16:10:53 -04:00
ucma.c RDMA/cma: Provide ECE reject reason 2020-05-27 16:05:05 -03:00
ud_header.c RDMA/core: Use sizeof_field() helper 2020-05-27 13:46:05 -03:00
umem_odp.c mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
umem.c RDMA/core: Add weak ordering dma attr to dma mapping 2020-02-13 13:38:02 -04:00
user_mad.c RDMA: Allow ib_client's to fail when add() is called 2020-05-06 11:57:33 -03:00
uverbs_cmd.c RDMA: Remove 'max_map_per_fmr' 2020-06-02 20:32:54 -03:00
uverbs_ioctl.c RDMA/core: Use sizeof_field() helper 2020-05-27 13:46:05 -03:00
uverbs_main.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
uverbs_marshall.c IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *' 2018-06-25 14:19:57 -06:00
uverbs_std_types_async_fd.c RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj 2020-05-12 17:02:25 -03:00
uverbs_std_types_counters.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_cq.c IB/uverbs: Extend CQ to get its own asynchronous event FD 2020-05-21 20:34:53 -03:00
uverbs_std_types_device.c RDMA/core: Add the core support field to METHOD_GET_CONTEXT 2020-01-16 15:55:46 -04:00
uverbs_std_types_dm.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_flow_action.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_mr.c RDMA/core: Allow the ioctl layer to abort a fully created uobject 2020-05-21 20:10:46 -03:00
uverbs_std_types_qp.c IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
uverbs_std_types_srq.c IB/uverbs: Introduce create/destroy SRQ commands over ioctl 2020-05-21 20:39:35 -03:00
uverbs_std_types_wq.c IB/uverbs: Introduce create/destroy WQ commands over ioctl 2020-05-21 20:39:35 -03:00
uverbs_std_types.c IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
uverbs_uapi.c IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
uverbs.h IB/uverbs: Extend CQ to get its own asynchronous event FD 2020-05-21 20:34:53 -03:00
verbs.c RDMA/core: Remove FMR device ops 2020-06-02 20:32:54 -03:00