| Message ID | 20180615152233.27130-1-bharat@chelsio.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
On Fri, Jun 15, 2018 at 08:52:33PM +0530, Potnuri Bharat Teja wrote: > Few kernel applications like SCST-iSER create CQ using ib_create_cq(), where > accessing CQ structures using rdma restrack tool leads to below NULL pointer > dereference. This patch saves caller kernel module name similar to > ib_alloc_cq(). > > BUG: unable to handle kernel NULL pointer dereference at (null) > IP: [<ffffffff8132ca70>] skip_spaces+0x30/0x30 > PGD 738bac067 PUD 8533f0067 PMD 0 > Oops: 0000 [#1] SMP > R10: ffff88017fc03300 R11: 0000000000000246 R12: 0000000000000000 > R13: ffff88082fa5a668 R14: ffff88017475a000 R15: 0000000000000000 > FS: 00002b32726582c0(0000) GS:ffff88087fc40000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000000 CR3: 00000008491a1000 CR4: 00000000003607e0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > [<ffffffffc05af69c>] ? fill_res_name_pid+0x7c/0x90 [ib_core] > [<ffffffffc05af79f>] fill_res_cq_entry+0xef/0x170 [ib_core] > [<ffffffffc05af4c4>] res_get_common_dumpit+0x3c4/0x480 [ib_core] > [<ffffffffc05af5d3>] nldev_res_get_cq_dumpit+0x13/0x20 [ib_core] > [<ffffffff815bc1e7>] netlink_dump+0x117/0x2e0 > [<ffffffff815bcb8b>] __netlink_dump_start+0x1ab/0x230 > [<ffffffffc059fead>] ibnl_rcv_msg+0x11d/0x1f0 [ib_core] > [<ffffffffc05af5c0>] ? nldev_res_get_mr_dumpit+0x20/0x20 [ib_core] > [<ffffffffc059fd90>] ? rdma_nl_multicast+0x30/0x30 [ib_core] > [<ffffffff815bea49>] netlink_rcv_skb+0xa9/0xc0 > [<ffffffffc05a0018>] ibnl_rcv+0x98/0xb0 [ib_core] > [<ffffffff815be132>] netlink_unicast+0xf2/0x1b0 > [<ffffffff815be50f>] netlink_sendmsg+0x31f/0x6a0 > [<ffffffff8156b580>] sock_sendmsg+0xb0/0xf0 > [<ffffffff816ace9e>] ? _raw_spin_unlock_bh+0x1e/0x20 > [<ffffffff8156f998>] ? release_sock+0x118/0x170 > [<ffffffff8156b731>] SYSC_sendto+0x121/0x1c0 > [<ffffffff81568340>] ? sock_alloc_file+0xa0/0x140 > [<ffffffff81221265>] ? __fd_install+0x25/0x60 > [<ffffffff8156c2ce>] SyS_sendto+0xe/0x10 > [<ffffffff816b6c2a>] system_call_fastpath+0x16/0x1b > RIP [<ffffffff8132ca70>] skip_spaces+0x30/0x30 > RSP <ffff88072be97760> > CR2: 0000000000000000 > > Fixes: f66c8ba4c9fa ("RDMA/core: Save kernel caller name when creating PD and CQ objects") > Reviewed-by: Steve Wise <swise@opengridcomputing.com> > Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com> > --- > drivers/infiniband/core/verbs.c | 14 ++++++++------ > include/rdma/ib_verbs.h | 13 ++++++++----- > 2 files changed, 16 insertions(+), 11 deletions(-) > Thanks a lot, Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
On Fri, Jun 15, 2018 at 08:52:33PM +0530, Bharat Potnuri wrote: > Few kernel applications like SCST-iSER create CQ using ib_create_cq(), where > accessing CQ structures using rdma restrack tool leads to below NULL pointer > dereference. This patch saves caller kernel module name similar to > ib_alloc_cq(). > > BUG: unable to handle kernel NULL pointer dereference at (null) > IP: [<ffffffff8132ca70>] skip_spaces+0x30/0x30 > PGD 738bac067 PUD 8533f0067 PMD 0 > Oops: 0000 [#1] SMP > R10: ffff88017fc03300 R11: 0000000000000246 R12: 0000000000000000 > R13: ffff88082fa5a668 R14: ffff88017475a000 R15: 0000000000000000 > FS: 00002b32726582c0(0000) GS:ffff88087fc40000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000000 CR3: 00000008491a1000 CR4: 00000000003607e0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > [<ffffffffc05af69c>] ? fill_res_name_pid+0x7c/0x90 [ib_core] > [<ffffffffc05af79f>] fill_res_cq_entry+0xef/0x170 [ib_core] > [<ffffffffc05af4c4>] res_get_common_dumpit+0x3c4/0x480 [ib_core] > [<ffffffffc05af5d3>] nldev_res_get_cq_dumpit+0x13/0x20 [ib_core] > [<ffffffff815bc1e7>] netlink_dump+0x117/0x2e0 > [<ffffffff815bcb8b>] __netlink_dump_start+0x1ab/0x230 > [<ffffffffc059fead>] ibnl_rcv_msg+0x11d/0x1f0 [ib_core] > [<ffffffffc05af5c0>] ? nldev_res_get_mr_dumpit+0x20/0x20 [ib_core] > [<ffffffffc059fd90>] ? rdma_nl_multicast+0x30/0x30 [ib_core] > [<ffffffff815bea49>] netlink_rcv_skb+0xa9/0xc0 > [<ffffffffc05a0018>] ibnl_rcv+0x98/0xb0 [ib_core] > [<ffffffff815be132>] netlink_unicast+0xf2/0x1b0 > [<ffffffff815be50f>] netlink_sendmsg+0x31f/0x6a0 > [<ffffffff8156b580>] sock_sendmsg+0xb0/0xf0 > [<ffffffff816ace9e>] ? _raw_spin_unlock_bh+0x1e/0x20 > [<ffffffff8156f998>] ? release_sock+0x118/0x170 > [<ffffffff8156b731>] SYSC_sendto+0x121/0x1c0 > [<ffffffff81568340>] ? sock_alloc_file+0xa0/0x140 > [<ffffffff81221265>] ? __fd_install+0x25/0x60 > [<ffffffff8156c2ce>] SyS_sendto+0xe/0x10 > [<ffffffff816b6c2a>] system_call_fastpath+0x16/0x1b > RIP [<ffffffff8132ca70>] skip_spaces+0x30/0x30 > RSP <ffff88072be97760> > CR2: 0000000000000000 > > Fixes: f66c8ba4c9fa ("RDMA/core: Save kernel caller name when creating PD and CQ objects") > Reviewed-by: Steve Wise <swise@opengridcomputing.com> > Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com> > Reviewed-by: Leon Romanovsky <leonro@mellanox.com> > --- > drivers/infiniband/core/verbs.c | 14 ++++++++------ > include/rdma/ib_verbs.h | 13 ++++++++----- > 2 files changed, 16 insertions(+), 11 deletions(-) Applied to for-rc, thanks Jason -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c index 0b56828c1319..9d6beb948535 100644 --- a/drivers/infiniband/core/verbs.c +++ b/drivers/infiniband/core/verbs.c @@ -1562,11 +1562,12 @@ EXPORT_SYMBOL(ib_destroy_qp); /* Completion queues */ -struct ib_cq *ib_create_cq(struct ib_device *device, - ib_comp_handler comp_handler, - void (*event_handler)(struct ib_event *, void *), - void *cq_context, - const struct ib_cq_init_attr *cq_attr) +struct ib_cq *__ib_create_cq(struct ib_device *device, + ib_comp_handler comp_handler, + void (*event_handler)(struct ib_event *, void *), + void *cq_context, + const struct ib_cq_init_attr *cq_attr, + const char *caller) { struct ib_cq *cq; @@ -1580,12 +1581,13 @@ struct ib_cq *ib_create_cq(struct ib_device *device, cq->cq_context = cq_context; atomic_set(&cq->usecnt, 0); cq->res.type = RDMA_RESTRACK_CQ; + cq->res.kern_name = caller; rdma_restrack_add(&cq->res); } return cq; } -EXPORT_SYMBOL(ib_create_cq); +EXPORT_SYMBOL(__ib_create_cq); int rdma_set_cq_moderation(struct ib_cq *cq, u16 cq_count, u16 cq_period) { diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h index 4c6241bc2039..6c003995347a 100644 --- a/include/rdma/ib_verbs.h +++ b/include/rdma/ib_verbs.h @@ -3391,11 +3391,14 @@ int ib_process_cq_direct(struct ib_cq *cq, int budget); * * Users can examine the cq structure to determine the actual CQ size. */ -struct ib_cq *ib_create_cq(struct ib_device *device, - ib_comp_handler comp_handler, - void (*event_handler)(struct ib_event *, void *), - void *cq_context, - const struct ib_cq_init_attr *cq_attr); +struct ib_cq *__ib_create_cq(struct ib_device *device, + ib_comp_handler comp_handler, + void (*event_handler)(struct ib_event *, void *), + void *cq_context, + const struct ib_cq_init_attr *cq_attr, + const char *caller); +#define ib_create_cq(device, cmp_hndlr, evt_hndlr, cq_ctxt, cq_attr) \ + __ib_create_cq((device), (cmp_hndlr), (evt_hndlr), (cq_ctxt), (cq_attr), KBUILD_MODNAME) /** * ib_resize_cq - Modifies the capacity of the CQ.
Few kernel applications like SCST-iSER create CQ using ib_create_cq(), where accessing CQ structures using rdma restrack tool leads to below NULL pointer dereference. This patch saves caller kernel module name similar to ib_alloc_cq(). BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<ffffffff8132ca70>] skip_spaces+0x30/0x30 PGD 738bac067 PUD 8533f0067 PMD 0 Oops: 0000 [#1] SMP R10: ffff88017fc03300 R11: 0000000000000246 R12: 0000000000000000 R13: ffff88082fa5a668 R14: ffff88017475a000 R15: 0000000000000000 FS: 00002b32726582c0(0000) GS:ffff88087fc40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000008491a1000 CR4: 00000000003607e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: [<ffffffffc05af69c>] ? fill_res_name_pid+0x7c/0x90 [ib_core] [<ffffffffc05af79f>] fill_res_cq_entry+0xef/0x170 [ib_core] [<ffffffffc05af4c4>] res_get_common_dumpit+0x3c4/0x480 [ib_core] [<ffffffffc05af5d3>] nldev_res_get_cq_dumpit+0x13/0x20 [ib_core] [<ffffffff815bc1e7>] netlink_dump+0x117/0x2e0 [<ffffffff815bcb8b>] __netlink_dump_start+0x1ab/0x230 [<ffffffffc059fead>] ibnl_rcv_msg+0x11d/0x1f0 [ib_core] [<ffffffffc05af5c0>] ? nldev_res_get_mr_dumpit+0x20/0x20 [ib_core] [<ffffffffc059fd90>] ? rdma_nl_multicast+0x30/0x30 [ib_core] [<ffffffff815bea49>] netlink_rcv_skb+0xa9/0xc0 [<ffffffffc05a0018>] ibnl_rcv+0x98/0xb0 [ib_core] [<ffffffff815be132>] netlink_unicast+0xf2/0x1b0 [<ffffffff815be50f>] netlink_sendmsg+0x31f/0x6a0 [<ffffffff8156b580>] sock_sendmsg+0xb0/0xf0 [<ffffffff816ace9e>] ? _raw_spin_unlock_bh+0x1e/0x20 [<ffffffff8156f998>] ? release_sock+0x118/0x170 [<ffffffff8156b731>] SYSC_sendto+0x121/0x1c0 [<ffffffff81568340>] ? sock_alloc_file+0xa0/0x140 [<ffffffff81221265>] ? __fd_install+0x25/0x60 [<ffffffff8156c2ce>] SyS_sendto+0xe/0x10 [<ffffffff816b6c2a>] system_call_fastpath+0x16/0x1b RIP [<ffffffff8132ca70>] skip_spaces+0x30/0x30 RSP <ffff88072be97760> CR2: 0000000000000000 Fixes: f66c8ba4c9fa ("RDMA/core: Save kernel caller name when creating PD and CQ objects") Reviewed-by: Steve Wise <swise@opengridcomputing.com> Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com> --- drivers/infiniband/core/verbs.c | 14 ++++++++------ include/rdma/ib_verbs.h | 13 ++++++++----- 2 files changed, 16 insertions(+), 11 deletions(-)