linux_dsm_epyc7002/drivers/infiniband/hw/mlx5
Leon Romanovsky f3f134f526 RDMA/mlx5: Fix crash while accessing garbage pointer and freed memory
A failure in the rereg_mr flow caused a garbage value (an error value)
to be set in the mr->umem pointer. This pointer is accessed at the release
stage and causes the following crash.

It is not enough to simply change umem to point to NULL, because the
MR struct needs to be accessed during the MR deregistration phase, so
delay kfree too.

[    6.237617] BUG: unable to handle kernel NULL pointer dereference at 0000000000000228
[    6.238756] IP: ib_dereg_mr+0xd/0x30
[    6.239264] PGD 80000000167eb067 P4D 80000000167eb067 PUD 167f9067 PMD 0
[    6.240320] Oops: 0000 [#1] SMP PTI
[    6.240782] CPU: 0 PID: 367 Comm: dereg Not tainted 4.16.0-rc1-00029-gc198fafe0453 #183
[    6.242120] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
[    6.244504] RIP: 0010:ib_dereg_mr+0xd/0x30
[    6.245253] RSP: 0018:ffffaf5d001d7d68 EFLAGS: 00010246
[    6.246100] RAX: 0000000000000000 RBX: ffff95d4172daf00 RCX: 0000000000000000
[    6.247414] RDX: 00000000ffffffff RSI: 0000000000000001 RDI: ffff95d41a317600
[    6.248591] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[    6.249810] R10: ffff95d417033c10 R11: 0000000000000000 R12: ffff95d4172c3a80
[    6.251121] R13: ffff95d4172c3720 R14: ffff95d4172c3a98 R15: 00000000ffffffff
[    6.252437] FS:  0000000000000000(0000) GS:ffff95d41fc00000(0000) knlGS:0000000000000000
[    6.253887] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    6.254814] CR2: 0000000000000228 CR3: 00000000172b4000 CR4: 00000000000006b0
[    6.255943] Call Trace:
[    6.256368]  remove_commit_idr_uobject+0x1b/0x80
[    6.257118]  uverbs_cleanup_ucontext+0xe4/0x190
[    6.257855]  ib_uverbs_cleanup_ucontext.constprop.14+0x19/0x40
[    6.258857]  ib_uverbs_close+0x2a/0x100
[    6.259494]  __fput+0xca/0x1c0
[    6.259938]  task_work_run+0x84/0xa0
[    6.260519]  do_exit+0x312/0xb40
[    6.261023]  ? __do_page_fault+0x24d/0x490
[    6.261707]  do_group_exit+0x3a/0xa0
[    6.262267]  SyS_exit_group+0x10/0x10
[    6.262802]  do_syscall_64+0x75/0x180
[    6.263391]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[    6.264253] RIP: 0033:0x7f1b39c49488
[    6.264827] RSP: 002b:00007ffe2de05b68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[    6.266049] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1b39c49488
[    6.267187] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[    6.268377] RBP: 00007f1b39f258e0 R08: 00000000000000e7 R09: ffffffffffffff98
[    6.269640] R10: 00007f1b3a147260 R11: 0000000000000246 R12: 00007f1b39f258e0
[    6.270783] R13: 00007f1b39f2ac20 R14: 0000000000000000 R15: 0000000000000000
[    6.271943] Code: 74 07 31 d2 e9 25 d8 6c 00 b8 da ff ff ff c3 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 07 53 48 8b 5f 08 <48> 8b 80 28 02 00 00 e8 f7 d7 6c 00 85 c0 75 04 3e ff 4b 18 5b
[    6.274927] RIP: ib_dereg_mr+0xd/0x30 RSP: ffffaf5d001d7d68
[    6.275760] CR2: 0000000000000228
[    6.276200] ---[ end trace a35641f1c474bd20 ]---

Fixes: e126ba97db ("mlx5: Add driver for Mellanox Connect-IB adapters")
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org>
Reported-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2018-03-14 15:37:53 -04:00
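The commit above describes two separate defects in one error path: an ERR_PTR-style error value written into mr->umem, where the release path later treats it as a real pointer, and a kfree() of the MR object while the uverbs uobject still references it (the oops shows ib_dereg_mr loading a NULL device pointer from the MR and faulting at offset 0x228 of it, which is what reading through freed, reused memory looks like). The userspace C model below is an added example, not code from the kernel or from this commit. It assumes simplified stand-ins (struct mr, struct umem, a hypothetical pin_umem(), a hypothetical MR_MAGIC poison field, and a kfree_mr_model() that poisons instead of freeing so the stale access can be observed without undefined behaviour) and contrasts the buggy rereg pattern with the fixed one, where no error value ever reaches the field and the object stays allocated until deregistration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel's ERR_PTR()/IS_ERR()/PTR_ERR() helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }

/* Pinned user memory behind an MR (stand-in for struct ib_umem). */
struct umem { size_t npages; };

/* Stand-in for the MR object; the real mlx5_ib_mr has many more fields.
 * `magic` is a hypothetical poison field so the model can notice a stale object. */
#define MR_MAGIC 0x4d52u
struct mr { unsigned int magic; struct umem *umem; };

static struct mr *alloc_mr(void)
{
    struct mr *mr = calloc(1, sizeof(*mr));
    if (mr) mr->magic = MR_MAGIC;
    return mr;
}

/* Models kfree(): poisons the object instead of returning it to libc, so the
 * later stale access is observable rather than undefined behaviour. */
static void kfree_mr_model(struct mr *mr) { mr->magic = 0; }

/* Hypothetical pin step; fails with an ERR_PTR the way ib_umem_get() does.
 * npages == 0 is the constructed failure trigger. */
static struct umem *pin_umem(size_t npages)
{
    struct umem *u;
    if (npages == 0) return ERR_PTR(-EINVAL);
    u = malloc(sizeof(*u));
    if (!u) return ERR_PTR(-ENOMEM);
    u->npages = npages;
    return u;
}

/* The pattern the fix removes: the error value lands in mr->umem and the
 * object is freed while the release path still holds a pointer to it. */
static int rereg_mr_buggy(struct mr *mr, size_t npages)
{
    struct umem *u = pin_umem(npages);
    mr->umem = u;                 /* garbage (error value) stored in the field */
    if (IS_ERR(u)) {
        kfree_mr_model(mr);       /* premature free; dereg will still touch mr */
        return (int)PTR_ERR(u);
    }
    return 0;
}

/* The fixed pattern: no error value ever reaches mr->umem, and mr stays
 * allocated so deregistration can still walk it and free it. */
static int rereg_mr_fixed(struct mr *mr, size_t npages)
{
    struct umem *u = pin_umem(npages);
    if (IS_ERR(u)) {
        mr->umem = NULL;
        return (int)PTR_ERR(u);
    }
    mr->umem = u;
    return 0;
}

/* What a teardown path would see. MR_STALE: freed object; MR_GARBAGE: umem
 * holds an error value. 0 means deregistration can proceed safely. */
#define MR_STALE   1u
#define MR_GARBAGE 2u
static unsigned int audit_mr(const struct mr *mr)
{
    unsigned int flags = 0;
    if (mr->magic != MR_MAGIC) flags |= MR_STALE;
    if (IS_ERR(mr->umem)) flags |= MR_GARBAGE;
    return flags;
}

/* Models the dereg path: release the umem if there is one, then free the MR.
 * Refuses (instead of oopsing) when the object is stale or the pointer is garbage. */
static int dereg_mr_model(struct mr *mr)
{
    if (audit_mr(mr)) return -EFAULT;
    free(mr->umem);               /* NULL is fine here, mirroring an `if (umem)` check */
    free(mr);
    return 0;
}

/* Drive one failing rereg through the chosen flow and report what teardown sees. */
static unsigned int run_flow(int (*rereg)(struct mr *, size_t))
{
    struct mr *mr = alloc_mr();
    unsigned int flags;
    if (!mr) return ~0u;
    (void)rereg(mr, 0);           /* constructed failure: zero pages to pin */
    flags = audit_mr(mr);
    if (flags == 0) dereg_mr_model(mr); else free(mr);   /* model memory only */
    return flags;
}

int main(void)
{
    printf("buggy rereg: teardown sees flags 0x%x\n", run_flow(rereg_mr_buggy));
    printf("fixed rereg: teardown sees flags 0x%x\n", run_flow(rereg_mr_fixed));
    return 0;
}
```

The invariant the model enforces is the one the commit restores: a field that a later teardown path dereferences must only ever hold a valid pointer or NULL, never an encoded errno, and the containing object must not be freed on the error path when a separate deregistration step is still going to reach it.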
ah.c IB: Let ib_core resolve destination mac address 2017-10-18 12:10:36 -04:00
cmd.c IB/mlx5: Fix congestion counters in LAG mode 2017-12-21 16:06:07 -07:00
cmd.h IB/mlx5: Fix congestion counters in LAG mode 2017-12-21 16:06:07 -07:00
cong.c IB/mlx5: Change debugfs to have per port contents 2018-01-08 11:42:22 -07:00
cq.c RDMA/mlx5: Fix integer overflow while resizing CQ 2018-03-09 18:10:48 -05:00
doorbell.c IB/mlx5: Fix Mellanox copyright note 2015-04-02 16:33:42 -04:00
gsi.c IB/mlx5: Fix iteration overrun in GSI qps 2016-08-02 14:32:51 -04:00
ib_virt.c IB/mlx5: Restore IB guid/policy for virtual functions 2017-07-24 10:34:28 -04:00
Kconfig net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality 2015-05-30 18:24:51 -07:00
mad.c IB/mlx5: Route MADs for dual port RoCE 2018-01-08 11:42:23 -07:00
main.c IB/mlx5: When not in dual port RoCE mode, use provided port as native 2018-03-06 20:08:38 -07:00
Makefile IB/mlx5: Add debug control parameters for congestion control 2017-07-24 10:34:28 -04:00
mem.c IB/mlx5: Simplify mlx5_ib_cont_pages 2017-09-25 11:47:24 -04:00
mlx5_ib.h RDMA: Move enum ib_cq_creation_flags to uapi headers 2018-01-29 12:58:34 -07:00
mr.c RDMA/mlx5: Fix crash while accessing garbage pointer and freed memory 2018-03-14 15:37:53 -04:00
odp.c IB/mlx5: Move locks initialization to the corresponding stage 2018-01-03 17:26:59 -07:00
qp.c IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq 2018-03-13 16:30:21 -04:00
srq.c IB/mlx5: Fix integer overflows in mlx5_ib_create_srq 2018-03-13 16:31:21 -04:00