linux-sg2042/drivers/infiniband/hw/mlx5
Leon Romanovsky 0a03715068 RDMA/mlx5: Set PD pointers for the error flow unwind
ib_pd is accessed internally during destroy of the TIR/TIS, but the PD
may not be set yet. This leads to the following kernel panic.

  BUG: kernel NULL pointer dereference, address: 0000000000000074
  PGD 8000000079eaa067 P4D 8000000079eaa067 PUD 7ae81067 PMD 0
  Oops: 0000 [#1] SMP PTI
  CPU: 1 PID: 709 Comm: syz-executor.0 Not tainted 5.8.0-rc3 #41
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
  RIP: 0010:destroy_raw_packet_qp_tis drivers/infiniband/hw/mlx5/qp.c:1189 [inline]
  RIP: 0010:destroy_raw_packet_qp drivers/infiniband/hw/mlx5/qp.c:1527 [inline]
  RIP: 0010:destroy_qp_common+0x2ca/0x4f0 drivers/infiniband/hw/mlx5/qp.c:2397
  Code: 00 85 c0 74 2e e8 56 18 55 ff 48 8d b3 28 01 00 00 48 89 ef e8 d7 d3 ff ff 48 8b 43 08 8b b3 c0 01 00 00 48 8b bd a8 0a 00 00 <0f> b7 50 74 e8 0d 6a fe ff e8 28 18 55 ff 49 8d 55 50 4c 89 f1 48
  RSP: 0018:ffffc900007bbac8 EFLAGS: 00010293
  RAX: 0000000000000000 RBX: ffff88807949e800 RCX: 0000000000000998
  RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88807c180140
  RBP: ffff88807b50c000 R08: 000000000002d379 R09: ffffc900007bba00
  R10: 0000000000000001 R11: 000000000002d358 R12: ffff888076f37000
  R13: ffff88807949e9c8 R14: ffffc900007bbe08 R15: ffff888076f37000
  FS:  00000000019bf940(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000074 CR3: 0000000076d68004 CR4: 0000000000360ee0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   mlx5_ib_create_qp+0xf36/0xf90 drivers/infiniband/hw/mlx5/qp.c:3014
   _ib_create_qp drivers/infiniband/core/core_priv.h:333 [inline]
   create_qp+0x57f/0xd20 drivers/infiniband/core/uverbs_cmd.c:1443
   ib_uverbs_create_qp+0xcf/0x100 drivers/infiniband/core/uverbs_cmd.c:1564
   ib_uverbs_write+0x5fa/0x780 drivers/infiniband/core/uverbs_main.c:664
   __vfs_write+0x3f/0x90 fs/read_write.c:495
   vfs_write+0xc7/0x1f0 fs/read_write.c:559
   ksys_write+0x5e/0x110 fs/read_write.c:612
   do_syscall_64+0x3e/0x70 arch/x86/entry/common.c:359
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x466479
  Code: Bad RIP value.
  RSP: 002b:00007ffd057b62b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
  RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000466479
  RDX: 0000000000000070 RSI: 0000000020000240 RDI: 0000000000000003
  RBP: 00000000019bf8fc R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
  R13: 0000000000000bf6 R14: 00000000004cb859 R15: 00000000006fefc0

Fixes: 6c41965d64 ("RDMA/mlx5: Don't access ib_qp fields in internal destroy QP path")
Link: https://lore.kernel.org/r/20200707110612.882962-4-leon@kernel.org
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2020-07-08 20:15:59 -03:00
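The bug class behind this commit, as an added illustration that is not mlx5 driver code: a create path whose error unwind calls the same destroy routine as the normal teardown, while a pointer that routine reads (here the PD) is only stored after the sub-objects it tears down have been created. All names below (demo_pd, demo_qp, demo_create_qp, fw_create, DEMO_NULL_PD_DEREF, ...) are hypothetical, the "firmware" is a counter, and the NULL dereference is reported as -EFAULT instead of crashing so both orderings can be run side by side.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the objects involved; not the mlx5 structures. */
struct demo_pd { unsigned int pdn; };

struct demo_qp {
    struct demo_pd *pd;   /* read by the destroy path to build teardown commands */
    unsigned int tisn;    /* 0 = TIS not created */
    unsigned int tirn;    /* 0 = TIR not created */
};

/* Fake firmware: hands out object numbers and counts teardown commands. */
static unsigned int fw_next_obj = 1;
static unsigned int fw_destroy_cmds;

static int fw_create(unsigned int *out, bool fail)
{
    if (fail)
        return -ENOMEM;
    *out = fw_next_obj++;
    return 0;
}

/* Teardown needs the PD number for the command. In the real driver this is
 * the spot that dereferenced a NULL ib_pd (destroy_raw_packet_qp_tis in the
 * trace above); here a NULL pd is reported instead of crashing. */
static int destroy_tis(struct demo_qp *qp)
{
    if (!qp->pd)
        return -EFAULT;            /* stands in for the NULL dereference */
    printf("destroy TIS %u in PD %u\n", qp->tisn, qp->pd->pdn);
    fw_destroy_cmds++;
    qp->tisn = 0;
    return 0;
}

static int destroy_raw_packet_qp(struct demo_qp *qp)
{
    if (qp->tirn) {
        fw_destroy_cmds++;
        qp->tirn = 0;
    }
    return qp->tisn ? destroy_tis(qp) : 0;
}

/* Create path. With set_pd_early == false the PD pointer is stored only
 * after every sub-object exists (the buggy ordering), so an error between
 * TIS and TIR creation unwinds with qp->pd == NULL. With set_pd_early == true
 * the pointer the unwind relies on is set before the first fallible step. */
static int demo_create_qp(struct demo_qp *qp, struct demo_pd *pd,
                          bool set_pd_early, bool fail_tir, int *unwind_err)
{
    int err;

    *qp = (struct demo_qp){ 0 };
    *unwind_err = 0;
    if (set_pd_early)
        qp->pd = pd;

    err = fw_create(&qp->tisn, false);
    if (err)
        goto err_unwind;
    err = fw_create(&qp->tirn, fail_tir);
    if (err)
        goto err_unwind;

    qp->pd = pd;                   /* late assignment: the original ordering */
    return 0;

err_unwind:
    *unwind_err = destroy_raw_packet_qp(qp);
    return err;
}

enum demo_outcome { DEMO_OK, DEMO_CLEAN_FAIL, DEMO_NULL_PD_DEREF, DEMO_LEAK };

/* Runs one create attempt and classifies what the unwind did. */
static enum demo_outcome demo_run(bool set_pd_early, bool fail_tir)
{
    struct demo_pd pd = { .pdn = 7 };
    struct demo_qp qp;
    int unwind_err;

    fw_destroy_cmds = 0;
    if (demo_create_qp(&qp, &pd, set_pd_early, fail_tir, &unwind_err) == 0)
        return DEMO_OK;
    if (unwind_err == -EFAULT)
        return DEMO_NULL_PD_DEREF;
    return (qp.tisn == 0 && qp.tirn == 0 && fw_destroy_cmds == 1)
               ? DEMO_CLEAN_FAIL : DEMO_LEAK;
}

int main(void)
{
    printf("buggy ordering, TIR fails: %d\n", demo_run(false, true));
    printf("fixed ordering, TIR fails: %d\n", demo_run(true, true));
    printf("fixed ordering, success:   %d\n", demo_run(true, false));
    return 0;
}
```

The check a reviewer applies to any create path that shares its destroy routine with the error unwind: read the destroy routine, list every field it dereferences, and confirm each one is initialized before the first `goto err_*` that can reach it. The alternative is to make the destroy routine tolerate a partially built object, but setting the pointers up front, as this commit does, is the smaller and more robust change because the unwind then sees exactly the state the normal teardown sees. Note that the reproducer runs as an unprivileged uverbs user (syz-executor via ib_uverbs_write), so an unwind bug of this kind is a user-triggerable kernel crash, not just a robustness issue.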
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile RDMA/mlx5: Move all WR logic from qp.c to separate file 2020-05-06 17:42:45 -03:00
ah.c RDMA/mlx5: Set UDP source port based on the grh.flow_label 2020-05-06 16:51:44 -03:00
cmd.c RDMA/mlx5: Update mlx5_ib to use new cmd interface 2020-05-06 17:42:45 -03:00
cmd.h RDMA/mlx5: Update mlx5_ib to use new cmd interface 2020-05-06 17:42:45 -03:00
cong.c RDMA/mlx5: Update mlx5_ib to use new cmd interface 2020-05-06 17:42:45 -03:00
cq.c net/mlx5: Refactor imm_inval_pkey field in cqe struct 2020-04-28 12:45:15 -07:00
devx.c IB/mlx5: Fix DEVX support for MLX5_CMD_OP_INIT2INIT_QP command 2020-05-27 15:53:21 -03:00
doorbell.c IB: Allow calls to ib_umem_get from kernel ULPs 2020-01-16 16:14:28 +02:00
flow.c Merge branch 'mellanox/mlx5-next' into rdma.git for/next 2020-05-27 16:01:17 -03:00
gsi.c RDMA/mlx5: Set lag tx affinity according to slave 2020-05-02 20:19:54 -03:00
ib_rep.c IB/mlx5: Rename profile and init methods 2019-11-11 12:15:29 -08:00
ib_rep.h RDMA/mlx5: Assign profile before calling stages 2020-05-06 17:52:01 -03:00
ib_virt.c net/mlx5: Update vport.c to new cmd interface 2020-04-23 21:42:02 +03:00
mad.c net/mlx5: Update vport.c to new cmd interface 2020-04-23 21:42:02 +03:00
main.c IB/mlx5: Fix 50G per lane indication 2020-07-08 20:15:58 -03:00
mem.c IB/mlx5: Generally use the WC auto detection test result 2020-03-24 20:22:21 -03:00
mlx5_ib.h RDMA/mlx5: Remove FMR leftovers 2020-06-02 20:32:53 -03:00
mr.c RDMA/mlx5: Fix NULL pointer dereference in destroy_prefetch_work 2020-05-21 20:51:50 -03:00
odp.c RDMA/mlx5: Update mlx5_ib to use new cmd interface 2020-05-06 17:42:45 -03:00
qos.c RDMA/core: Allow the ioctl layer to abort a fully created uobject 2020-05-21 20:10:46 -03:00
qp.c RDMA/mlx5: Set PD pointers for the error flow unwind 2020-07-08 20:15:59 -03:00
qp.h RDMA/mlx5: Set ECE options during modify QP 2020-05-27 16:07:49 -03:00
qpc.c RDMA/mlx5: Add missed RST2INIT and INIT2INIT steps during ECE handshake 2020-06-18 09:52:29 -03:00
restrack.c RDMA/nldev: Provide MR statistics 2019-10-22 15:33:31 -03:00
srq.c RDMA/mlx5: Fix udata response upon SRQ creation 2020-04-14 15:56:34 -03:00
srq.h RDMA: Handle SRQ allocations by IB/core 2019-04-08 13:05:25 -03:00
srq_cmd.c RDMA/mlx5: Fix query_srq_cmd() function 2020-05-13 16:01:50 -03:00
wr.c RDMA/mlx5: Move all WR logic from qp.c to separate file 2020-05-06 17:42:45 -03:00
wr.h RDMA/mlx5: Move all WR logic from qp.c to separate file 2020-05-06 17:42:45 -03:00