| Message ID | 20230908060559.80203-1-chengyou@linux.alibaba.com (mailing list archive) |
|---|---|
| State | Accepted |
| Series | [for-rc] RDMA/erdma: Fix NULL pointer access in regmr_cmd |
On Fri, 08 Sep 2023 14:05:59 +0800, Cheng Xu wrote:
> Fix the crash of regmr_cmd called by erdma_ib_alloc_mr. The reason is
> that mr->mem.mtt is not initialized but it is accessed in regmr_cmd.
>
> The call trace information:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> <...>
> RIP: 0010:regmr_cmd+0x170/0x1c0 [erdma]
> <...>
> Call Trace:
> ? __die+0x20/0x70
> ? page_fault_oops+0x66/0x150
> ? do_user_addr_fault+0x61/0x660
> ? exc_page_fault+0x65/0x140
> ? asm_exc_page_fault+0x22/0x30
> ? regmr_cmd+0x170/0x1c0 [erdma]
> ? preempt_count_add+0x70/0xa0
> ? _raw_spin_lock_irqsave+0x19/0x50
> ? _raw_spin_unlock_irqrestore+0x1b/0x40
> ? erdma_alloc_idx+0x51/0x90 [erdma]
> erdma_get_dma_mr+0xa3/0x120 [erdma]
> __ib_alloc_pd+0xeb/0x1c0 [ib_core]
>
> [...]

Applied, thanks!

[1/1] RDMA/erdma: Fix NULL pointer access in regmr_cmd
      https://git.kernel.org/rdma/rdma/c/b2abdffb505f7e

Best regards,
diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.c b/drivers/infiniband/hw/erdma/erdma_verbs.c index dcccb6015232..a7c2cbbbd9b9 100644 --- a/drivers/infiniband/hw/erdma/erdma_verbs.c +++ b/drivers/infiniband/hw/erdma/erdma_verbs.c @@ -133,8 +133,8 @@ static int create_qp_cmd(struct erdma_ucontext *uctx, struct erdma_qp *qp) static int regmr_cmd(struct erdma_dev *dev, struct erdma_mr *mr) { struct erdma_pd *pd = to_epd(mr->ibmr.pd); + u32 mtt_level = ERDMA_MR_MTT_0LEVEL; struct erdma_cmdq_reg_mr_req req; - u32 mtt_level; erdma_cmdq_build_reqhdr(&req.hdr, CMDQ_SUBMOD_RDMA, CMDQ_OPCODE_REG_MR); @@ -147,10 +147,9 @@ static int regmr_cmd(struct erdma_dev *dev, struct erdma_mr *mr) req.phy_addr[0] = sg_dma_address(mr->mem.mtt->sglist); mtt_level = mr->mem.mtt->level; } - } else { + } else if (mr->type != ERDMA_MR_TYPE_DMA) { memcpy(req.phy_addr, mr->mem.mtt->buf, MTT_SIZE(mr->mem.page_cnt)); - mtt_level = ERDMA_MR_MTT_0LEVEL; } req.cfg0 = FIELD_PREP(ERDMA_CMD_MR_VALID_MASK, mr->valid) |
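Review bot: in the first hunk, moving the ERDMA_MR_MTT_0LEVEL default into the declaration of mtt_level also makes it the level reported for the DMA MR case that the second hunk now skips, and neither the code nor the changelog says that this is intended; a short comment above the declaration (or a sentence in the commit message) stating that DMA MRs carry no MTT and are registered as 0-level would make the default self-explanatory rather than an accident of where the initializer landed.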
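Review bot: in the second hunk, once the memcpy is skipped for ERDMA_MR_TYPE_DMA, req.phy_addr is left holding whatever was on the stack, because `struct erdma_cmdq_reg_mr_req req;` in the first hunk has no initializer and nothing in the visible lines writes phy_addr for that case; unless the device is documented to ignore phy_addr for DMA MRs, zero it explicitly (for example `memset(&req, 0, sizeof(req));` before erdma_cmdq_build_reqhdr, or clearing req.phy_addr in a final else branch) so uninitialized stack contents are never passed to the command queue. It is also worth confirming that the preceding `if` branch, whose condition lies outside this hunk, cannot be entered for a DMA MR, since it still dereferences mr->mem.mtt.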
Fix the crash of regmr_cmd called by erdma_ib_alloc_mr. The reason is
that mr->mem.mtt is not initialized but it is accessed in regmr_cmd.

The call trace information:

BUG: kernel NULL pointer dereference, address: 0000000000000000
<...>
RIP: 0010:regmr_cmd+0x170/0x1c0 [erdma]
<...>
Call Trace:
? __die+0x20/0x70
? page_fault_oops+0x66/0x150
? do_user_addr_fault+0x61/0x660
? exc_page_fault+0x65/0x140
? asm_exc_page_fault+0x22/0x30
? regmr_cmd+0x170/0x1c0 [erdma]
? preempt_count_add+0x70/0xa0
? _raw_spin_lock_irqsave+0x19/0x50
? _raw_spin_unlock_irqrestore+0x1b/0x40
? erdma_alloc_idx+0x51/0x90 [erdma]
erdma_get_dma_mr+0xa3/0x120 [erdma]
__ib_alloc_pd+0xeb/0x1c0 [ib_core]

Fixes: 7244b4aa4221 ("RDMA/erdma: Refactor the storage structure of MTT entries")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/3d140c1d-524a-4dbe-a51c-aee4f7ecafdb@moroto.mountain/
Signed-off-by: Cheng Xu <chengyou@linux.alibaba.com>
---
 drivers/infiniband/hw/erdma/erdma_verbs.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)