linux/drivers/infiniband/hw/mlx5
Leon Romanovsky 75a4598209 RDMA/mlx5: Fix NULL dereference while accessing XRC_TGT QPs
mlx5 modify_qp() relies on FW that the error will be thrown if wrong
state is supplied. The missing check in FW causes the following crash
while using XRC_TGT QPs.

[   14.769632] BUG: unable to handle kernel NULL pointer dereference at (null)
[   14.771085] IP: mlx5_ib_modify_qp+0xf60/0x13f0
[   14.771894] PGD 800000001472e067 P4D 800000001472e067 PUD 14529067 PMD 0
[   14.773126] Oops: 0002 [#1] SMP PTI
[   14.773763] CPU: 0 PID: 365 Comm: ubsan Not tainted 4.16.0-rc1-00038-g8151138c0793 #119
[   14.775192] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
[   14.777522] RIP: 0010:mlx5_ib_modify_qp+0xf60/0x13f0
[   14.778417] RSP: 0018:ffffbf48001c7bd8 EFLAGS: 00010246
[   14.779346] RAX: 0000000000000000 RBX: ffff9a8f9447d400 RCX: 0000000000000000
[   14.780643] RDX: 0000000000000000 RSI: 000000000000000a RDI: 0000000000000000
[   14.781930] RBP: 0000000000000000 R08: 00000000000217b0 R09: ffffffffbc9c1504
[   14.783214] R10: fffff4a180519480 R11: ffff9a8f94523600 R12: ffff9a8f9493e240
[   14.784507] R13: ffff9a8f9447d738 R14: 000000000000050a R15: 0000000000000000
[   14.785800] FS:  00007f545b466700(0000) GS:ffff9a8f9fc00000(0000) knlGS:0000000000000000
[   14.787073] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   14.787792] CR2: 0000000000000000 CR3: 00000000144be000 CR4: 00000000000006b0
[   14.788689] Call Trace:
[   14.789007]  _ib_modify_qp+0x71/0x120
[   14.789475]  modify_qp.isra.20+0x207/0x2f0
[   14.790010]  ib_uverbs_modify_qp+0x90/0xe0
[   14.790532]  ib_uverbs_write+0x1d2/0x3c0
[   14.791049]  ? __handle_mm_fault+0x93c/0xe40
[   14.791644]  __vfs_write+0x36/0x180
[   14.792096]  ? handle_mm_fault+0xc1/0x210
[   14.792601]  vfs_write+0xad/0x1e0
[   14.793018]  SyS_write+0x52/0xc0
[   14.793422]  do_syscall_64+0x75/0x180
[   14.793888]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   14.794527] RIP: 0033:0x7f545ad76099
[   14.794975] RSP: 002b:00007ffd78787468 EFLAGS: 00000287 ORIG_RAX: 0000000000000001
[   14.795958] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f545ad76099
[   14.797075] RDX: 0000000000000078 RSI: 0000000020009000 RDI: 0000000000000003
[   14.798140] RBP: 00007ffd78787470 R08: 00007ffd78787480 R09: 00007ffd78787480
[   14.799207] R10: 00007ffd78787480 R11: 0000000000000287 R12: 00005599ada98760
[   14.800277] R13: 00007ffd78787560 R14: 0000000000000000 R15: 0000000000000000
[   14.801341] Code: 4c 8b 1c 24 48 8b 83 70 02 00 00 48 c7 83 cc 02 00
00 00 00 00 00 48 c7 83 24 03 00 00 00 00 00 00 c7 83 2c 03 00 00 00 00
00 00 <c7> 00 00 00 00 00 48 8b 83 70 02 00 00 c7 40 04 00 00 00 00 4c
[   14.804012] RIP: mlx5_ib_modify_qp+0xf60/0x13f0 RSP: ffffbf48001c7bd8
[   14.804838] CR2: 0000000000000000
[   14.805288] ---[ end trace 3f1da0df5c8b7c37 ]---

Cc: syzkaller <syzkaller@googlegroups.com>
Reported-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2018-03-14 15:34:25 -04:00
..
ah.c IB: Let ib_core resolve destination mac address 2017-10-18 12:10:36 -04:00
cmd.c IB/mlx5: Fix congestion counters in LAG mode 2017-12-21 16:06:07 -07:00
cmd.h IB/mlx5: Fix congestion counters in LAG mode 2017-12-21 16:06:07 -07:00
cong.c IB/mlx5: Change debugfs to have per port contents 2018-01-08 11:42:22 -07:00
cq.c IB/mlx5: Implement fragmented completion queue (CQ) 2018-02-15 00:30:03 -08:00
doorbell.c
gsi.c IB/mlx5: Fix iteration overrun in GSI qps 2016-08-02 14:32:51 -04:00
ib_rep.c IB/mlx5: Add proper representors support 2018-02-23 12:36:39 -08:00
ib_rep.h IB/mlx5: Add proper representors support 2018-02-23 12:36:39 -08:00
ib_virt.c IB/mlx5: Restore IB guid/policy for virtual functions 2017-07-24 10:34:28 -04:00
Kconfig
mad.c IB/mlx5: Route MADs for dual port RoCE 2018-01-08 11:42:23 -07:00
main.c {net,IB}/mlx5: Add flow steering helpers 2018-03-06 22:20:14 -08:00
Makefile IB/mlx5: Add basic regiser/unregister representors code 2018-02-23 12:36:39 -08:00
mem.c IB/mlx5: Simplify mlx5_ib_cont_pages 2017-09-25 11:47:24 -04:00
mlx5_ib.h IB/mlx5: Add proper representors support 2018-02-23 12:36:39 -08:00
mr.c IB/mlx5: Don't expose MR cache in switchdev mode 2018-02-23 12:36:39 -08:00
odp.c IB/mlx5: Move locks initialization to the corresponding stage 2018-01-03 17:26:59 -07:00
qp.c RDMA/mlx5: Fix NULL dereference while accessing XRC_TGT QPs 2018-03-14 15:34:25 -04:00
srq.c IB/mlx5: Support IB_SRQT_TM 2017-08-29 08:30:20 -04:00