9a4467a6b2
The driver returns an error code for MR dereg, but frees the MR structure.
When the MR dereg is retried due to previous error, the system crashes as
the structure is already freed.
BUG: unable to handle kernel NULL pointer dereference at 00000000000001b8
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 7 PID: 12178 Comm: ib_send_bw Kdump: loaded Not tainted 4.18.0-124.el8.x86_64 #1
Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 1.1.10 03/10/2015
RIP: 0010:__dev_printk+0x2a/0x70
Code: 0f 1f 44 00 00 49 89 d1 48 85 f6 0f 84 f6 2b 00 00 4c 8b 46 70 4d 85 c0 75 04 4c 8b
46 10 48 8b 86 a8 00 00 00 48 85 c0 74 16 <48> 8b 08 0f be 7f 01 48 c7 c2 13 ac ac 83 83 ef 30 e9 10 fe ff ff
RSP: 0018:ffffaf7c04607a60 EFLAGS: 00010006
RAX: 00000000000001b8 RBX: ffffa0010c91c488 RCX: 0000000000000246
RDX: ffffaf7c04607a68 RSI: ffffa0010c91caa8 RDI: ffffffff83a788eb
RBP: ffffaf7c04607ac8 R08: 0000000000000000 R09: ffffaf7c04607a68
R10: 0000000000000000 R11: 0000000000000001 R12: ffffaf7c04607b90
R13: 000000000000000e R14: 0000000000000000 R15: 00000000ffffa001
FS: 0000146fa1f1cdc0(0000) GS:ffffa0012fac0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000001b8 CR3: 000000007680a003 CR4: 00000000001606e0
Call Trace:
dev_err+0x6c/0x90
? dev_printk_emit+0x4e/0x70
bnxt_qplib_rcfw_send_message+0x594/0x660 [bnxt_re]
? dev_err+0x6c/0x90
bnxt_qplib_free_mrw+0x80/0xe0 [bnxt_re]
bnxt_re_dereg_mr+0x2e/0xd0 [bnxt_re]
ib_dereg_mr+0x2f/0x50 [ib_core]
destroy_hw_idr_uobject+0x20/0x70 [ib_uverbs]
uverbs_destroy_uobject+0x2e/0x170 [ib_uverbs]
__uverbs_cleanup_ufile+0x6e/0x90 [ib_uverbs]
uverbs_destroy_ufile_hw+0x61/0x130 [ib_uverbs]
ib_uverbs_close+0x1f/0x80 [ib_uverbs]
__fput+0xb7/0x230
task_work_run+0x8a/0xb0
do_exit+0x2da/0xb40
...
RIP: 0033:0x146fa113a387
Code: Bad RIP value.
RSP: 002b:00007fff945d1478 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff02
RAX: 0000000000000000 RBX: 000055a248908d70 RCX: 0000000000000000
RDX: 0000146fa1f2b000 RSI: 0000000000000001 RDI: 000055a248906488
RBP: 000055a248909630 R08: 0000000000010000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000055a248906488
R13: 0000000000000001 R14: 0000000000000000 R15: 000055a2489095f0
Do not free the MR structures, when driver returns error to the stack.
Fixes:
|
||
---|---|---|
.. | ||
core | ||
hw | ||
sw | ||
ulp | ||
Kconfig | ||
Makefile |