linux/drivers/infiniband/core
Yishai Hadas 7b21b69ab2 IB/uverbs: Fix OOPs in uverbs_user_mmap_disassociate
The vma->vm_mm can become impossible to get before rdma_umap_close() is
called; in this case we must not try to get an mm that is already
undergoing process exit. In this case there is no need to wait for
anything, as the VMA will be destroyed by another thread soon and is
already effectively 'unreachable' by userspace.

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
 PGD 800000012bc50067 P4D 800000012bc50067 PUD 129db5067 PMD 0
 Oops: 0000 [#1] SMP PTI
 CPU: 1 PID: 2050 Comm: bash Tainted: G        W  OE 4.20.0-rc6+ #3
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:__rb_erase_color+0xb9/0x280
 Code: 84 17 01 00 00 48 3b 68 10 0f 84 15 01 00 00 48 89
               58 08 48 89 de 48 89 ef 4c 89 e3 e8 90 84 22 00 e9 60 ff ff ff 48 8b 5d
               10 <f6> 03 01 0f 84 9c 00 00 00 48 8b 43 10 48 85 c0 74 09 f6 00 01 0f
 RSP: 0018:ffffbecfc090bab8 EFLAGS: 00010246
 RAX: ffff97616346cf30 RBX: 0000000000000000 RCX: 0000000000000101
 RDX: 0000000000000000 RSI: ffff97623b6ca828 RDI: ffff97621ef10828
 RBP: ffff97621ef10828 R08: ffff97621ef10828 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000000 R12: ffff97623b6ca838
 R13: ffffffffbb3fef50 R14: ffff97623b6ca828 R15: 0000000000000000
 FS:  00007f7a5c31d740(0000) GS:ffff97623bb00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 000000011255a000 CR4: 00000000000006e0
 Call Trace:
  unlink_file_vma+0x3b/0x50
  free_pgtables+0xa1/0x110
  exit_mmap+0xca/0x1a0
  ? mlx5_ib_dealloc_pd+0x28/0x30 [mlx5_ib]
  mmput+0x54/0x140
  uverbs_user_mmap_disassociate+0xcc/0x160 [ib_uverbs]
  uverbs_destroy_ufile_hw+0xf7/0x120 [ib_uverbs]
  ib_uverbs_remove_one+0xea/0x240 [ib_uverbs]
  ib_unregister_device+0xfb/0x200 [ib_core]
  mlx5_ib_remove+0x51/0xe0 [mlx5_ib]
  mlx5_remove_device+0xc1/0xd0 [mlx5_core]
  mlx5_unregister_device+0x3d/0xb0 [mlx5_core]
  remove_one+0x2a/0x90 [mlx5_core]
  pci_device_remove+0x3b/0xc0
  device_release_driver_internal+0x16d/0x240
  unbind_store+0xb2/0x100
  kernfs_fop_write+0x102/0x180
  __vfs_write+0x36/0x1a0
  ? __alloc_fd+0xa9/0x170
  ? set_close_on_exec+0x49/0x70
  vfs_write+0xad/0x1a0
  ksys_write+0x52/0xc0
  do_syscall_64+0x5b/0x180
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Cc: <stable@vger.kernel.org> # 4.19
Fixes: 5f9794dc94 ("RDMA/ucontext: Add a core API for mmaping driver IO memory")
Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2019-01-29 13:57:22 -07:00
addr.c RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
agent.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
agent.h
cache.c RDMA/core: Delete RoCE GID in hw when corresponding IP is deleted 2018-12-18 14:16:44 -07:00
cgroup.c
cm_msgs.h IB/cm: Remove unused and erroneous msg sequence encoding 2018-07-09 11:39:28 -06:00
cm.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
cma_configfs.c RDMA/cma: Move cma module specific functions to cma_priv.h 2018-11-22 11:57:33 -07:00
cma_priv.h RDMA/cma: Move cma module specific functions to cma_priv.h 2018-11-22 11:57:33 -07:00
cma.c RDMA/cma: Add cm_id restrack resource based on kernel or user cm_id type 2019-01-08 17:12:33 -07:00
core_priv.h RDMA/device: Expose ib_device_try_get(() 2019-01-21 14:33:08 -07:00
cq.c RDMA/restrack: Resource-tracker should not use uobject pointers 2018-12-18 15:38:26 -07:00
device.c RDMA/device: Expose ib_device_try_get(() 2019-01-21 14:33:08 -07:00
fmr_pool.c RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
iwcm.c RDMA/iwcm: Don't copy past the end of dev_name() string 2018-12-20 20:45:56 -07:00
iwcm.h
iwpm_msg.c
iwpm_util.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
iwpm_util.h
mad_priv.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
mad_rmpp.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
mad_rmpp.h
mad.c RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
Makefile RDMA/uverbs: Implement an ioctl that can call write and write_ex handlers 2018-12-18 14:12:48 -05:00
mr_pool.c
multicast.c IB: Make ib_init_ah_from_mcmember set sgid_attr 2018-06-25 14:19:56 -06:00
netlink.c RDMA/netlink: Simplify netlink listener existence check 2018-10-03 16:06:07 -06:00
nldev.c RDMA/nldev: Don't expose unsafe global rkey to regular user 2019-01-07 13:35:57 -07:00
opa_smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
packer.c
rdma_core.c RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
rdma_core.h RDMA/uverbs: Mark ioctl responses with UVERBS_ATTR_F_VALID_OUTPUT 2019-01-14 14:02:22 -07:00
restrack.c RDMA/restrack: Resource-tracker should not use uobject pointers 2018-12-18 15:38:26 -07:00
roce_gid_mgmt.c IB/core: Fix oops in netdev_next_upper_dev_rcu() 2018-12-12 12:14:49 -05:00
rw.c IB/core: Ensure we map P2P memory correctly in rdma_rw_ctx_[init|destroy]() 2018-10-17 12:18:20 -05:00
sa_query.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
sa.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
security.c RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
smi.c
smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
sysfs.c RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
ucm.c RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
ucma.c RDMA/ucma: Fix Spectre v1 vulnerability 2018-10-16 12:47:40 -04:00
ud_header.c
umem_odp.c RDMA/umem: Add missing initialization of owning_mm 2019-01-25 09:55:48 -07:00
umem.c RDMA/core: Acquire and release mmap_sem on page range 2018-09-27 12:40:20 -06:00
user_mad.c IB/umad: Start using dev_groups of class 2018-12-21 11:39:41 -07:00
uverbs_cmd.c RDMA/uverbs: Mark ioctl responses with UVERBS_ATTR_F_VALID_OUTPUT 2019-01-14 14:02:22 -07:00
uverbs_ioctl.c RDMA/uverbs: Mark ioctl responses with UVERBS_ATTR_F_VALID_OUTPUT 2019-01-14 14:02:22 -07:00
uverbs_main.c IB/uverbs: Fix OOPs in uverbs_user_mmap_disassociate 2019-01-29 13:57:22 -07:00
uverbs_marshall.c IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *' 2018-06-25 14:19:57 -06:00
uverbs_std_types_counters.c RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
uverbs_std_types_cq.c RDMA/restrack: Resource-tracker should not use uobject pointers 2018-12-18 15:38:26 -07:00
uverbs_std_types_device.c IB/uverbs: Fix ioctl query port to consider device disassociation 2019-01-25 11:58:06 -07:00
uverbs_std_types_dm.c RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
uverbs_std_types_flow_action.c RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
uverbs_std_types_mr.c IB/uverbs: Signedness bug in UVERBS_HANDLER() 2018-12-22 16:07:13 -07:00
uverbs_std_types.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
uverbs_uapi.c RDMA/uverbs: Implement an ioctl that can call write and write_ex handlers 2018-12-18 14:12:48 -05:00
uverbs.h IB/core: Move query port to ioctl 2018-12-20 15:18:24 -07:00
verbs.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00