linux-rdma.vger.kernel.org archive mirror
From: Leon Romanovsky <leon@kernel.org>
To: Doug Ledford <dledford@redhat.com>, Jason Gunthorpe <jgg@mellanox.com>
Cc: Leon Romanovsky <leonro@mellanox.com>,
	RDMA mailing list <linux-rdma@vger.kernel.org>,
	Guy Levi <guyle@mellanox.com>, Ido Kalir <idok@mellanox.com>,
	Jason Gunthorpe <jgg@ziepe.ca>, Majd Dibbiny <majd@mellanox.com>,
	Mark Zhang <markz@mellanox.com>, Moni Shoua <monis@mellanox.com>
Subject: [PATCH rdma-rc 1/8] IB/core: Fix NULL pointer dereference when bind QP to counter
Date: Thu, 15 Aug 2019 11:38:27 +0300
Message-ID: <20190815083834.9245-2-leon@kernel.org>
In-Reply-To: <20190815083834.9245-1-leon@kernel.org>

From: Ido Kalir <idok@mellanox.com>

If the QP is not visible to the pid, then we try to decrease its reference
count and return from the function before the QP pointer is
initialized. This leads to a NULL pointer dereference.
Fix it by passing res directly to rdma_restrack_put as the argument instead of
&qp->res.

This fixes the call trace below:
[ 5845.110329] BUG: kernel NULL pointer dereference, address: 00000000000000dc
[ 5845.120482] Oops: 0002 [#1] SMP PTI
[ 5845.129119] RIP: 0010:rdma_restrack_put+0x5/0x30 [ib_core]
[ 5845.169450] Call Trace:
[ 5845.170544]  rdma_counter_get_qp+0x5c/0x70 [ib_core]
[ 5845.172074]  rdma_counter_bind_qpn_alloc+0x6f/0x1a0 [ib_core]
[ 5845.173731]  nldev_stat_set_doit+0x314/0x330 [ib_core]
[ 5845.175279]  rdma_nl_rcv_msg+0xeb/0x1d0 [ib_core]
[ 5845.176772]  ? __kmalloc_node_track_caller+0x20b/0x2b0
[ 5845.178321]  rdma_nl_rcv+0xcb/0x120 [ib_core]
[ 5845.179753]  netlink_unicast+0x179/0x220
[ 5845.181066]  netlink_sendmsg+0x2d8/0x3d0
[ 5845.182338]  sock_sendmsg+0x30/0x40
[ 5845.183544]  __sys_sendto+0xdc/0x160
[ 5845.184832]  ? syscall_trace_enter+0x1f8/0x2e0
[ 5845.186209]  ? __audit_syscall_exit+0x1d9/0x280
[ 5845.187584]  __x64_sys_sendto+0x24/0x30
[ 5845.188867]  do_syscall_64+0x48/0x120
[ 5845.190097]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1bd8e0a9d0fd1 ("RDMA/counter: Allow manual mode configuration support")
Signed-off-by: Ido Kalir <idok@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
---
 drivers/infiniband/core/counters.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/counters.c b/drivers/infiniband/core/counters.c
index b79890739a2c..955d061af06a 100644
--- a/drivers/infiniband/core/counters.c
+++ b/drivers/infiniband/core/counters.c
@@ -424,7 +424,7 @@ static struct ib_qp *rdma_counter_get_qp(struct ib_device *dev, u32 qp_num)
 	return qp;
 
 err:
-	rdma_restrack_put(&qp->res);
+	rdma_restrack_put(res);
 	return NULL;
 }
 
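Review bot: In the err: path, rdma_restrack_put(res) is only safe if every goto err is reached after res has been looked up successfully and its reference taken. The hunk does not show those jump sites, so please confirm that a failed lookup returns directly rather than jumping to err, since otherwise this put would act on an invalid res. A short comment at err: noting that qp may not be assigned yet on this path would help keep a later cleanup from reintroducing &qp->res. The small non-zero fault address in the trace (00000000000000dc) is consistent with a member offset taken from a NULL qp, so a plain NULL check inside rdma_restrack_put would not have caught this.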
-- 
2.20.1


Thread overview: 14+ messages
2019-08-15  8:38 [PATCH rdma-rc 0/8] Fixes for v5.3 Leon Romanovsky
2019-08-15  8:38 ` Leon Romanovsky [this message]
2019-08-15  8:38 ` [PATCH rdma-rc 2/8] RDMA/counters: Properly implement PID checks Leon Romanovsky
2019-08-15  8:38 ` [PATCH rdma-rc 3/8] RDMA/restrack: Rewrite PID namespace check to be reliable Leon Romanovsky
2019-08-15  8:38 ` [PATCH rdma-rc 4/8] RDMA/mlx5: Fix MR npages calculation for IB_ACCESS_HUGETLB Leon Romanovsky
2019-08-15  8:38 ` [PATCH rdma-rc 5/8] IB/mlx5: Consolidate use_umr checks into single function Leon Romanovsky
2019-08-15  8:38 ` [PATCH rdma-rc 6/8] IB/mlx5: Report and handle ODP support properly Leon Romanovsky
2019-08-15  8:38 ` [PATCH rdma-rc 7/8] IB/mlx5: Fix MR re-registration flow to use UMR properly Leon Romanovsky
2019-08-15  8:38 ` [PATCH rdma-rc 8/8] IB/mlx5: Block MR WR if UMR is not possible Leon Romanovsky
2019-08-15 19:29 ` [PATCH rdma-rc 0/8] Fixes for v5.3 Jason Gunthorpe
2019-08-15 20:26   ` Guy Levi(SW)
2019-08-20 16:56 ` Doug Ledford
2019-08-20 17:38   ` Jason Gunthorpe
2019-08-20 17:47     ` Doug Ledford
