From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzkaller, Noa Osherovich, Leon Romanovsky, Doug Ledford
Subject: [PATCH 4.16 20/52] RDMA/mlx5: Fix multiple NULL-ptr deref errors in rereg_mr flow
Date: Tue, 8 May 2018 10:10:18 +0200
Message-Id: <20180508073930.729571948@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180508073928.058320984@linuxfoundation.org>
References: <20180508073928.058320984@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Mailing-List: linux-kernel@vger.kernel.org
List-ID:

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky

commit b4bd701ac469075d94ed9699a28755f2862252b9 upstream.

Failure in rereg MR releases UMEM but leaves the MR to be destroyed by
the user. As a result the following scenario may happen: "create MR ->
rereg MR with failure -> call to rereg MR again" and hit "NULL-ptr deref
or user memory access" errors.

Ensure that rereg MR is only performed on a non-dead MR.

Cc: syzkaller
Cc: # 4.5
Fixes: 395a8e4c32ea ("IB/mlx5: Refactoring register MR code")
Reported-by: Noa Osherovich
Signed-off-by: Leon Romanovsky
Signed-off-by: Doug Ledford
Signed-off-by: Greg Kroah-Hartman
---
 drivers/infiniband/hw/mlx5/mr.c |   32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

--- a/drivers/infiniband/hw/mlx5/mr.c
+++ b/drivers/infiniband/hw/mlx5/mr.c
@@ -836,25 +836,28 @@ static int mr_umem_get(struct ib_pd *pd, int *order) { struct mlx5_ib_dev *dev = to_mdev(pd->device); + struct ib_umem *u; int err; - *umem = ib_umem_get(pd->uobject->context, start, length, - access_flags, 0); - err = PTR_ERR_OR_ZERO(*umem); + *umem = NULL; + + u = ib_umem_get(pd->uobject->context, start, length, access_flags, 0); + err = PTR_ERR_OR_ZERO(u); if (err) { - *umem = NULL; - mlx5_ib_err(dev, "umem get failed (%d)\n", err); + mlx5_ib_dbg(dev, "umem get failed (%d)\n", err); return err; } - mlx5_ib_cont_pages(*umem, start, MLX5_MKEY_PAGE_SHIFT_MASK, npages, + mlx5_ib_cont_pages(u, start, MLX5_MKEY_PAGE_SHIFT_MASK, npages, page_shift, ncont, order); if (!*npages) { mlx5_ib_warn(dev, "avoid zero region\n"); - ib_umem_release(*umem); + ib_umem_release(u); return -EINVAL; } + *umem = u; + mlx5_ib_dbg(dev, "npages %d, ncont %d, order %d, page_shift %d\n", *npages, *ncont, *order, *page_shift); @@ -1343,13 +1346,12 @@ int mlx5_ib_rereg_user_mr(struct ib_mr * int access_flags = flags & IB_MR_REREG_ACCESS ? new_access_flags : mr->access_flags; - u64 addr = (flags & IB_MR_REREG_TRANS) ? virt_addr : mr->umem->address; - u64 len = (flags & IB_MR_REREG_TRANS) ? length : mr->umem->length; int page_shift = 0; int upd_flags = 0; int npages = 0; int ncont = 0; int order = 0; + u64 addr, len; int err; mlx5_ib_dbg(dev, "start 0x%llx, virt_addr 0x%llx, length 0x%llx, access_flags 0x%x\n", @@ -1357,6 +1359,17 @@ int mlx5_ib_rereg_user_mr(struct ib_mr * atomic_sub(mr->npages, &dev->mdev->priv.reg_pages); + if (!mr->umem) + return -EINVAL; + + if (flags & IB_MR_REREG_TRANS) { + addr = virt_addr; + len = length; + } else { + addr = mr->umem->address; + len = mr->umem->length; + } + if (flags != IB_MR_REREG_PD) { /* * Replace umem. This needs to be done whether or not UMR is 
@@ -1364,6 +1377,7 @@ int mlx5_ib_rereg_user_mr(struct ib_mr * */ flags |= IB_MR_REREG_TRANS; ib_umem_release(mr->umem); + mr->umem = NULL; err = mr_umem_get(pd, addr, len, access_flags, &mr->umem, &npages, &page_shift, &ncont, &order); if (err < 0) {
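Review bot: in the mr_umem_get() hunk (@@ -836), the demotion of the umem-get failure message from mlx5_ib_err() to mlx5_ib_dbg() is unrelated to the NULL-pointer fix and is not mentioned in the commit message; for a stable backport either drop that line or state in the message that a user-triggerable failure path is being quieted. The restructuring itself is sound: `*umem = NULL;` is written before the first return and `*umem = u;` only after the zero-region check, so a caller can no longer be handed a released umem. For consistency, the `mlx5_ib_warn(dev, "avoid zero region\n");` on the same user-controlled path would merit the same dbg level.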
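Review bot: in the mlx5_ib_rereg_user_mr() hunk at @@ -1357, the new `if (!mr->umem) return -EINVAL;` sits after the context line `atomic_sub(mr->npages, &dev->mdev->priv.reg_pages);`, so the dead-MR early return decrements reg_pages by mr->npages with no matching add on that path. A dead MR is exactly one whose previous rereg already passed this atomic_sub() before failing in mr_umem_get(), so unless the failure path not shown here resets mr->npages, this double-counts; moving the check ahead of the atomic_sub() (directly after the mlx5_ib_dbg() line) keeps the accounting balanced, or a comment should say why the subtraction is intended. The addr/len assignment moved into the `if (flags & IB_MR_REREG_TRANS)` block is correctly placed after the check, so the `mr->umem->address` and `mr->umem->length` reads in the else branch are guarded.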
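Review bot: in the @@ -1364 hunk, `mr->umem = NULL;` after `ib_umem_release(mr->umem);` is redundant with the `*umem = NULL;` that the first hunk adds at the top of mr_umem_get(), which receives `&mr->umem` on the next line. It is harmless and makes the dead-MR invariant visible at the call site, but a one-line comment ("cleared again by mr_umem_get(); keeps the MR marked dead on every path") would stop a later reader from removing one of the two. The hunk ends at `if (err < 0) {`, so whether the error path leaves mr in a state that dereg can handle cannot be judged from this diff.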
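The scenario from the commit message (create MR, rereg that fails, rereg again) as an added example in C that is not part of this patch or of the mlx5 driver: a toy model of an MR holding a pinned umem, a page-accounting counter standing in for reg_pages, and a rereg that applies the dead-MR guard the patch adds. It goes one step beyond the patch in that the guard runs before the accounting adjustment, so a rejected rereg leaves the counter balanced. All names (toy_mr, toy_umem_get, toy_rereg_mr, toy_reg_pages, toy_scenario) and the zero-length region used to force the first failure are assumptions of this model, not driver symbols.

```c
/* Added example, not mlx5 code: toy model of the rereg-on-dead-MR flow.
 * All identifiers below are assumptions made for this illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TOY_PAGE_SHIFT 12

struct toy_umem { uint64_t address; uint64_t length; int npages; };

struct toy_mr {
	struct toy_umem *umem;   /* NULL once the MR is "dead" */
	int npages;              /* pages currently charged to toy_reg_pages */
};

/* Global accounting counter, in the role of dev->mdev->priv.reg_pages. */
static long toy_reg_pages;

/* Pin a user range; a zero-page region fails like "avoid zero region".
 * *out is cleared first, so a failing call never leaves a stale pointer. */
static int toy_umem_get(uint64_t addr, uint64_t len, struct toy_umem **out)
{
	int npages = (int)((len + (1u << TOY_PAGE_SHIFT) - 1) >> TOY_PAGE_SHIFT);
	struct toy_umem *u;

	*out = NULL;
	if (npages == 0)
		return -EINVAL;
	u = calloc(1, sizeof(*u));
	if (!u)
		return -ENOMEM;
	u->address = addr; u->length = len; u->npages = npages;
	*out = u;
	return 0;
}

static void toy_umem_release(struct toy_umem *u) { free(u); }

struct toy_mr *toy_reg_mr(uint64_t addr, uint64_t len)
{
	struct toy_mr *mr = calloc(1, sizeof(*mr));
	if (!mr) return NULL;
	if (toy_umem_get(addr, len, &mr->umem)) { free(mr); return NULL; }
	mr->npages = mr->umem->npages;
	toy_reg_pages += mr->npages;
	return mr;
}

/* Re-register: replace the pinned range. The dead-MR guard comes first, so
 * a rejected call touches neither the MR nor the page counter. */
int toy_rereg_mr(struct toy_mr *mr, uint64_t addr, uint64_t len)
{
	int err;

	if (!mr->umem)                   /* dead: an earlier rereg already failed */
		return -EINVAL;

	toy_reg_pages -= mr->npages;     /* old pages are no longer charged */
	toy_umem_release(mr->umem);
	mr->umem = NULL;                 /* no dangling pointer if the get fails */
	mr->npages = 0;

	err = toy_umem_get(addr, len, &mr->umem);
	if (err)
		return err;              /* MR stays allocated but dead */

	mr->npages = mr->umem->npages;
	toy_reg_pages += mr->npages;
	return 0;
}

void toy_dereg_mr(struct toy_mr *mr)
{
	if (mr->umem) {                  /* a dead MR has nothing charged */
		toy_reg_pages -= mr->npages;
		toy_umem_release(mr->umem);
	}
	free(mr);
}

long toy_reg_pages_count(void) { return toy_reg_pages; }

/* Happy path: 1 page, rereg to 3 pages; returns the charged count before dereg. */
long toy_success_path(void)
{
	struct toy_mr *mr = toy_reg_mr(0x1000, 4096);
	long charged;
	if (!mr) return -1;
	if (toy_rereg_mr(mr, 0x2000, 3 * 4096)) { toy_dereg_mr(mr); return -1; }
	charged = toy_reg_pages_count();
	toy_dereg_mr(mr);
	return charged;                  /* 3 */
}

/* Commit-message scenario: create -> failing rereg -> rereg again.
 * Returns the second rereg's result: -EINVAL instead of a NULL dereference. */
int toy_scenario(void)
{
	struct toy_mr *mr = toy_reg_mr(0x10000, 2 * 4096);
	int second;
	if (!mr) return -ENOMEM;
	(void)toy_rereg_mr(mr, 0x20000, 0);   /* zero region: fails, MR now dead */
	second = toy_rereg_mr(mr, 0x30000, 4096);
	toy_dereg_mr(mr);
	return second;
}

int main(void)
{
	printf("success path charged %ld pages\n", toy_success_path());
	printf("second rereg on dead MR -> %d, reg_pages=%ld\n",
	       toy_scenario(), toy_reg_pages_count());
	return 0;
}
```

The point of the model is the pairing in toy_rereg_mr(): the guard precedes the counter adjustment, and the pointer is cleared before the call that can fail, so every exit leaves the MR either fully registered or marked dead with nothing charged, which is what lets toy_dereg_mr() stay simple.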