From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+36a7f280de4e11c6f04e@syzkaller.appspotmail.com,
	Leon Romanovsky <leonro@nvidia.com>,
	Zhu Yanjun <zyjzyj2000@gmail.com>,
	Jason Gunthorpe <jgg@nvidia.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 02/36] RDMA/rxe: Clear all QP fields if creation failed
Date: Mon, 24 May 2021 17:24:47 +0200
Message-ID: <20210524152324.239833221@linuxfoundation.org>
In-Reply-To: <20210524152324.158146731@linuxfoundation.org>

From: Leon Romanovsky <leonro@nvidia.com>

[ Upstream commit 67f29896fdc83298eed5a6576ff8f9873f709228 ]

rxe_qp_do_cleanup() relies on valid pointer values in QP for the properly
created ones, but in case rxe_qp_from_init() failed it was filled with
garbage and caused the following error.

  refcount_t: underflow; use-after-free.
  WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
  Modules linked in:
  CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
  Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55
  RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286
  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
  RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67
  RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
  R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800
  R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000
  FS:  00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   __refcount_sub_and_test include/linux/refcount.h:283 [inline]
   __refcount_dec_and_test include/linux/refcount.h:315 [inline]
   refcount_dec_and_test include/linux/refcount.h:333 [inline]
   kref_put include/linux/kref.h:64 [inline]
   rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805
   execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327
   rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391
   kref_put include/linux/kref.h:65 [inline]
   rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425
   _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline]
   ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231
   ib_create_qp include/rdma/ib_verbs.h:3644 [inline]
   create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920
   ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline]
   ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092
   add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717
   enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331
   ib_register_device drivers/infiniband/core/device.c:1413 [inline]
   ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365
   rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147
   rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247
   rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503
   rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline]
   rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250
   nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555
   rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195
   rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
   rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259
   netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
   netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
   netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
   sock_sendmsg_nosec net/socket.c:654 [inline]
   sock_sendmsg+0xcf/0x120 net/socket.c:674
   ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
   ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
   __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
   do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://lore.kernel.org/r/7bf8d548764d406dbbbaf4b574960ebfd5af8387.1620717918.git.leonro@nvidia.com
Reported-by: syzbot+36a7f280de4e11c6f04e@syzkaller.appspotmail.com
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Zhu Yanjun <zyjzyj2000@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
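The failure sequence the commit message describes, as an added C model that is not part of this patch or the rxe driver: a QP whose init stores pointers to refcounted objects, then fails, and is afterwards handed to a cleanup routine that trusts every non-NULL field. The names here (ref_obj, qp_from_init, qp_do_cleanup, the clear_on_fail flag) are this example's own, and the refcount is a plain counter that records underflows where refcount_t would WARN.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-in for a refcounted object (pd, cq, ...): a counter that
 * records each decrement below zero, where refcount_t would WARN instead. */
struct ref_obj { int refcount; int underflows; };
static void get_ref(struct ref_obj *o) { o->refcount++; }
static void drop_ref(struct ref_obj *o)
{
	if (o->refcount == 0) { o->underflows++; return; } /* would-be underflow */
	o->refcount--;
}

struct qp { struct ref_obj *pd, *scq, *rcq; };

/* Model of rxe_qp_from_init(): take references and record the pointers, then
 * fail at a later step and unwind. With clear_on_fail false the fields keep
 * pointers to objects whose reference was already dropped (the 4.9 state). */
static int qp_from_init(struct qp *qp, struct ref_obj *pd, struct ref_obj *scq,
			struct ref_obj *rcq, bool fail_late, bool clear_on_fail)
{
	get_ref(pd); get_ref(scq); get_ref(rcq);
	qp->pd = pd; qp->scq = scq; qp->rcq = rcq;
	if (!fail_late)
		return 0;
	if (clear_on_fail)	/* what the patch adds at err1 */
		qp->pd = qp->scq = qp->rcq = NULL;
	drop_ref(pd); drop_ref(scq); drop_ref(rcq);	/* the existing unwind */
	return -1;
}

/* Model of rxe_qp_do_cleanup(): runs when the last QP reference is put,
 * init success or not, and drops whatever the non-NULL fields point at. */
static void qp_do_cleanup(struct qp *qp)
{
	if (qp->pd)  drop_ref(qp->pd);
	if (qp->scq) drop_ref(qp->scq);
	if (qp->rcq) drop_ref(qp->rcq);
}

/* One failed create: init fails, the creator puts its QP reference and
 * cleanup runs. Returns how many underflows that produced (3 unfixed, 0 fixed). */
static int underflows_after_failed_create(bool clear_on_fail)
{
	struct ref_obj pd = {0, 0}, scq = {0, 0}, rcq = {0, 0};
	struct qp qp = { NULL, NULL, NULL };	/* kzalloc-style zeroed object */
	if (qp_from_init(&qp, &pd, &scq, &rcq, true, clear_on_fail) != 0)
		qp_do_cleanup(&qp);
	return pd.underflows + scq.underflows + rcq.underflows;
}
```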
---
 drivers/infiniband/sw/rxe/rxe_qp.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
index 186da467060c..5fa1442fd4f1 100644
--- a/drivers/infiniband/sw/rxe/rxe_qp.c
+++ b/drivers/infiniband/sw/rxe/rxe_qp.c
@@ -258,6 +258,7 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp,
 	if (err) {
 		vfree(qp->sq.queue->buf);
 		kfree(qp->sq.queue);
+		qp->sq.queue = NULL;
 		return err;
 	}
 
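Review bot: the added `qp->sq.queue = NULL;` only prevents the second free if the later cleanup path tests the pointer before calling rxe_queue_cleanup() on it; that guard is outside this diff, so confirm rxe_qp_do_cleanup() in 4.9 has an `if (qp->sq.queue)` check before merging the backport, otherwise this hunk turns a double free into a NULL dereference.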
@@ -315,6 +316,7 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp,
 		if (err) {
 			vfree(qp->rq.queue->buf);
 			kfree(qp->rq.queue);
+			qp->rq.queue = NULL;
 			return err;
 		}
 	}
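Review bot: same point as the send-queue hunk, plus one more: this block is nested one level deeper inside a conditional, so on the branch where no receive queue is allocated `qp->rq.queue` is never written here and cleanup can only rely on it being NULL because the qp object was zero-allocated. Worth a short comment stating that assumption so a later change to the allocator does not silently reintroduce the bug.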
@@ -374,6 +376,11 @@ int rxe_qp_from_init(struct rxe_dev *rxe, struct rxe_qp *qp, struct rxe_pd *pd,
 err2:
 	rxe_queue_cleanup(qp->sq.queue);
 err1:
+	qp->pd = NULL;
+	qp->rcq = NULL;
+	qp->scq = NULL;
+	qp->srq = NULL;
+
 	if (srq)
 		rxe_drop_ref(srq);
 	rxe_drop_ref(scq);
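Review bot: the four NULL stores must stay ahead of the rxe_drop_ref(srq)/rxe_drop_ref(scq) calls that follow, which use the local variables rather than the qp fields; that ordering is what makes each reference dropped exactly once here and skipped in rxe_qp_do_cleanup(). Add a one-line comment to that effect above `qp->pd = NULL;`, since nothing else explains why the fields are cleared before the drops and a future cleanup could move them. For consistency with the first two hunks, the err2 label should also clear `qp->sq.queue` after `rxe_queue_cleanup(qp->sq.queue);`, as it currently leaves a freed pointer in place for the same cleanup path to find.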
-- 
2.30.2