Message ID | 1478033052-147252-1-git-send-email-foraker1@llnl.gov (mailing list archive) |
---|---|
State | Accepted |
On Tue, 2016-11-01 at 13:44 -0700, Jim Foraker wrote:
> rvt_create_qp() creates qp->ip only when a qp creation request comes from
> userspace (udata is not NULL). If we exceed the number of available
> queue pairs however, the error path always attempts to put a kref to this
> structure. If the requestor is inside the kernel, this leads to a

requestor -> requester

> crash.
>
> We fix this by checking that qp->ip is not NULL before caling

caling -> calling

> kref_put().
>
> Signed-off-by: Jim Foraker <foraker1@llnl.gov>

Thanks Jim!

Cc: Stable <stable@vger.kernel.org> # 4.7+
Acked-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
On Tue, Nov 01, 2016 at 01:44:12PM -0700, Jim Foraker wrote: > rvt_create_qp() creates qp->ip only when a qp creation request comes from > userspace (udata is not NULL). If we exceed the number of available > queue pairs however, the error path always attempts to put a kref to this > structure. If the requestor is inside the kernel, this leads to a crash. It will be great to have a crash report if you have one. > > We fix this by checking that qp->ip is not NULL before caling kref_put(). > Please add Fixes line which refers to the commit you are fixing. It will ensure automatic pickup to various stable trees. Thanks > Signed-off-by: Jim Foraker <foraker1@llnl.gov> > --- > drivers/infiniband/sw/rdmavt/qp.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c > index 6500c3b..0004e8b 100644 > --- a/drivers/infiniband/sw/rdmavt/qp.c > +++ b/drivers/infiniband/sw/rdmavt/qp.c > @@ -884,7 +884,8 @@ struct ib_qp *rvt_create_qp(struct ib_pd *ibpd, > return ret; > > bail_ip: > - kref_put(&qp->ip->ref, rvt_release_mmap_info); > + if (qp->ip) > + kref_put(&qp->ip->ref, rvt_release_mmap_info); > > bail_qpn: > free_qpn(&rdi->qp_dev->qpn_table, qp->ibqp.qp_num); > -- > 1.7.1 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-rdma" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
On 11/01/2016 04:44 PM, Jim Foraker wrote:
> rvt_create_qp() creates qp->ip only when a qp creation request comes from
> userspace (udata is not NULL). If we exceed the number of available
> queue pairs however, the error path always attempts to put a kref to this
> structure. If the requestor is inside the kernel, this leads to a crash.
>
> We fix this by checking that qp->ip is not NULL before calling kref_put().
>

Fixes: 515667f8f8b4 ("IB/rdmavt: Add create queue pair functionality")

> Signed-off-by: Jim Foraker <foraker1@llnl.gov>

Acked-by: Jonathan Toppins <jtoppins@redhat.com>
Hi Doug,

Would you please consider to pull this patch in?
It would be nice to have that fix in 4.9, if possible.

Thanks.

Acked-by: Alex Estrin <alex.estrin@intel.com>

> On 11/01/2016 04:44 PM, Jim Foraker wrote:
> > rvt_create_qp() creates qp->ip only when a qp creation request comes from
> > userspace (udata is not NULL). If we exceed the number of available
> > queue pairs however, the error path always attempts to put a kref to this
> > structure. If the requestor is inside the kernel, this leads to a crash.
> >
> > We fix this by checking that qp->ip is not NULL before calling kref_put().
> >
>
> Fixes: 515667f8f8b4 ("IB/rdmavt: Add create queue pair functionality")
>
> > Signed-off-by: Jim Foraker <foraker1@llnl.gov>
>
> Acked-by: Jonathan Toppins <jtoppins@redhat.com>
On 11/1/2016 4:44 PM, Jim Foraker wrote:
> rvt_create_qp() creates qp->ip only when a qp creation request comes from
> userspace (udata is not NULL). If we exceed the number of available
> queue pairs however, the error path always attempts to put a kref to this
> structure. If the requestor is inside the kernel, this leads to a crash.
>
> We fix this by checking that qp->ip is not NULL before calling kref_put().
>
> Signed-off-by: Jim Foraker <foraker1@llnl.gov>

Thanks, applied.
diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c index 6500c3b..0004e8b 100644 --- a/drivers/infiniband/sw/rdmavt/qp.c +++ b/drivers/infiniband/sw/rdmavt/qp.c @@ -884,7 +884,8 @@ struct ib_qp *rvt_create_qp(struct ib_pd *ibpd, return ret; bail_ip: - kref_put(&qp->ip->ref, rvt_release_mmap_info); + if (qp->ip) + kref_put(&qp->ip->ref, rvt_release_mmap_info); bail_qpn: free_qpn(&rdi->qp_dev->qpn_table, qp->ibqp.qp_num);
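Review bot: The new `if (qp->ip)` guard under `bail_ip:` is only correct if qp->ip is guaranteed to be NULL whenever the request comes from inside the kernel, and nothing in this hunk shows how qp is allocated or initialised. Please confirm that qp is zero-allocated (or that ip is set to NULL explicitly) before any path that can jump to `bail_ip:`, otherwise the check tests an uninitialised pointer. A one-line comment at the guard noting that ip exists only for userspace requests (udata not NULL) would also keep the check from being read as redundant and removed later.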
rvt_create_qp() creates qp->ip only when a qp creation request comes from
userspace (udata is not NULL). If we exceed the number of available
queue pairs however, the error path always attempts to put a kref to this
structure. If the requestor is inside the kernel, this leads to a crash.

We fix this by checking that qp->ip is not NULL before calling kref_put().

Signed-off-by: Jim Foraker <foraker1@llnl.gov>
---
 drivers/infiniband/sw/rdmavt/qp.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)