github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-01 19:13:47 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
378c67413d
linux/drivers/infiniband/core
History
Leon Romanovsky 6cd7397d01 RDMA/core: Set send and receive CQ before forwarding to the driver 
Preset both receive and send CQ pointers prior to call to the drivers and
overwrite it later again till the mlx4 is going to be changed do not
overwrite ibqp properties.

This change is needed for mlx5, because in case of QP creation failure, it
will go to the path of QP destroy which relies on proper CQ pointers.

 BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]
 Write of size 8 at addr ffff8880064c55c0 by task a.out/246

 CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 Call Trace:
  dump_stack_lvl+0x45/0x59
  print_address_description.constprop.0+0x1f/0x140
  kasan_report.cold+0x83/0xdf
  create_qp.cold+0x164/0x16e [mlx5_ib]
  mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]
  create_qp.part.0+0x45b/0x6a0 [ib_core]
  ib_create_qp_user+0x97/0x150 [ib_core]
  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
  __x64_sys_ioctl+0x866/0x14d0
  do_syscall_64+0x3d/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 Allocated by task 246:
  kasan_save_stack+0x1b/0x40
  __kasan_kmalloc+0xa4/0xd0
  create_qp.part.0+0x92/0x6a0 [ib_core]
  ib_create_qp_user+0x97/0x150 [ib_core]
  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
  __x64_sys_ioctl+0x866/0x14d0
  do_syscall_64+0x3d/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 Freed by task 246:
  kasan_save_stack+0x1b/0x40
  kasan_set_track+0x1c/0x30
  kasan_set_free_info+0x20/0x30
  __kasan_slab_free+0x10c/0x150
  slab_free_freelist_hook+0xb4/0x1b0
  kfree+0xe7/0x2a0
  create_qp.part.0+0x52b/0x6a0 [ib_core]
  ib_create_qp_user+0x97/0x150 [ib_core]
  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
  __x64_sys_ioctl+0x866/0x14d0
  do_syscall_64+0x3d/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 514aee660d ("RDMA: Globally allocate and release QP memory")
Link: https://lore.kernel.org/r/2dbb2e2cbb1efb188a500e5634be1d71956424ce.1636631035.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2021-11-16 13:16:50 -04:00
..
addr.c RDMA/addr: Be strict with gid size 2021-04-08 16:14:56 -03:00
agent.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
agent.h IB/mad: Add final OPA MAD processing 2015-06-12 14:49:18 -04:00
cache.c IB/core: Shifting initialization of device->cache_lock 2021-07-16 10:57:28 -03:00
cgroup.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
cm_msgs.h RDMA/core: Add necessary spaces 2021-04-12 14:52:22 -03:00
cm_trace.c RDMA/cm: Replace pr_debug() call sites with tracepoints 2020-08-24 19:41:41 -03:00
cm_trace.h RDMA/cm: Add tracepoints to track MAD send operations 2020-08-24 19:41:41 -03:00
cm.c RDMA/core: Fix incorrect print format specifier 2021-06-21 15:38:30 -03:00
cma_configfs.c RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
cma_priv.h RDMA/cma: Split apart the multiple uses of the same list heads 2021-10-04 16:07:39 -03:00
cma_trace.c RDMA/cma: Add trace points in RDMA Connection Manager 2020-01-07 16:10:53 -04:00
cma_trace.h RDMA/core: Move the rdma_show_ib_cm_event() macro 2020-08-24 16:01:47 -03:00
cma.c RDMA/cma: Split apart the multiple uses of the same list heads 2021-10-04 16:07:39 -03:00
core_priv.h RDMA/core: Create clean QP creations interface for uverbs 2021-08-03 15:26:19 -03:00
counters.c RDMA/counter: Add optional counter support 2021-10-12 12:48:05 -03:00
cq.c RDMA/core: Clean up cq pool mechanism 2020-12-10 15:05:17 -04:00
device.c RDMA/counter: Add optional counter support 2021-10-12 12:48:05 -03:00
ib_core_uverbs.c RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence 2020-01-25 14:48:33 -04:00
iwcm.c RDMA/iwcm: Release resources if iw_cm module initialization fails 2021-07-30 10:01:40 -03:00
iwcm.h RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private 2021-06-08 14:35:44 -03:00
iwpm_msg.c RDMA/iwpm: Rely on the rdma_nl_[un]register() to ensure that requests are valid 2021-07-30 10:01:41 -03:00
iwpm_util.c RDMA/iwpm: Remove redundant initialization of pointer err_str 2021-10-12 13:11:46 -03:00
iwpm_util.h RDMA/iwpm: Rely on the rdma_nl_[un]register() to ensure that requests are valid 2021-07-30 10:01:41 -03:00
lag.c RDMA/core: Consider flow label when building skb 2020-05-06 16:51:43 -03:00
mad_priv.h RDMA/core: Remove refcount from struct ib_mad_snoop_private 2021-06-08 14:43:28 -03:00
mad_rmpp.c RDMA/core: Remove redundant spaces 2021-04-12 14:56:48 -03:00
mad_rmpp.h
mad.c RDMA/core: Fix incorrect print format specifier 2021-06-21 15:38:30 -03:00
Makefile RDMA/umem: Support importing dma-buf as user memory region 2021-01-20 16:07:52 -04:00
mr_pool.c Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
multicast.c RDMA/core: Use refcount_t instead of atomic_t on refcount of mcast_port 2021-06-08 14:45:07 -03:00
netlink.c RDMA/core: Fix incorrect print format specifier 2021-06-21 15:38:30 -03:00
nldev.c RDMA/nldev: Allow optional-counter status configuration through RDMA netlink 2021-10-12 12:48:06 -03:00
opa_smi.h RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
packer.c IB/core: trivial prink cleanup. 2016-03-03 10:20:25 -05:00
rdma_core.c RDMA/core: Correct misspellings of two words in comments 2021-03-26 11:58:26 -03:00
rdma_core.h IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
restrack.c RDMA: Globally allocate and release QP memory 2021-08-03 13:44:27 -03:00
restrack.h RDMA/restrack: Improve readability in task name management 2020-09-22 19:47:35 -03:00
roce_gid_mgmt.c RDMA: Fix kernel-doc warnings about wrong comment 2021-06-21 20:32:50 -03:00
rw.c RDMA/rw: switch to dma_map_sgtable() 2021-10-05 14:49:58 -03:00
sa_query.c Linux 5.15 2021-11-01 14:49:20 -03:00
sa.h RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
security.c IB/core: Removed port validity check from ib_get_cached_subnet_prefix 2021-06-21 20:49:32 -03:00
smi.c RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
smi.h RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
sysfs.c RDMA/core: Fix missed initialization of rdma_hw_stats::lock 2021-10-28 08:58:26 -03:00
trace.c RDMA/core: Clean up tracepoint headers 2020-07-06 14:54:46 -03:00
ucma.c RDMA/core: Use the DEVICE_ATTR_RO macro 2021-05-28 20:39:51 -03:00
ud_header.c RDMA/core: Fix incorrect print format specifier 2021-06-21 15:38:30 -03:00
umem_dmabuf.c Char/Misc driver update for 5.16-rc1 2021-11-04 08:21:47 -07:00
umem_odp.c IB/core: Remove deprecated current_seq comments 2021-08-23 13:43:08 -03:00
umem.c RDMA: Use the sg_table directly and remove the opencoded version from umem 2021-08-24 19:52:40 -03:00
user_mad.c RDMA/core: Fix incorrect print format specifier 2021-06-21 15:38:30 -03:00
uverbs_cmd.c RDMA/core: Require the driver to set the IOVA correctly during rereg_mr 2021-11-03 09:37:52 -03:00
uverbs_ioctl.c IB/core: Split uverbs_get_const/default to consider target type 2021-03-11 20:20:36 -04:00
uverbs_main.c RDMA/core: Use refcount_t instead of atomic_t on refcount of ib_uverbs_device 2021-06-08 15:04:36 -03:00
uverbs_marshall.c IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *' 2018-06-25 14:19:57 -06:00
uverbs_std_types_async_fd.c RDMA/core: Make FD destroy callback void 2020-11-12 12:32:17 -04:00
uverbs_std_types_counters.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types_cq.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types_device.c RDMA/uverbs: Fix a NULL vs IS_ERR() bug 2021-05-19 15:32:07 -03:00
uverbs_std_types_dm.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types_flow_action.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types_mr.c RDMA/uverbs: Track dmabuf memory regions 2021-08-19 09:59:53 -03:00
uverbs_std_types_qp.c RDMA/core: Create clean QP creations interface for uverbs 2021-08-03 15:26:19 -03:00
uverbs_std_types_srq.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types_wq.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types.c RDMA/core: Make FD destroy callback void 2020-11-12 12:32:17 -04:00
uverbs_uapi.c RDMA/core: Fix incorrect print format specifier 2021-06-21 15:38:30 -03:00
uverbs.h RDMA/core: Use refcount_t instead of atomic_t on refcount of ib_uverbs_device 2021-06-08 15:04:36 -03:00
verbs.c RDMA/core: Set send and receive CQ before forwarding to the driver 2021-11-16 13:16:50 -04:00