| Message ID | 20210201112922.141085-1-kamalheib1@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Jason Gunthorpe |
| Headers | show |
| Series | [for-rc] RDMA/siw: Fix calculation of tx_valid_cpus size | expand |
-----"Kamal Heib" <kamalheib1@gmail.com> wrote: ----- >To: linux-rdma@vger.kernel.org >From: "Kamal Heib" <kamalheib1@gmail.com> >Date: 02/01/2021 12:30PM >Cc: "Bernard Metzler" <bmt@zurich.ibm.com>, "Doug Ledford" ><dledford@redhat.com>, "Jason Gunthorpe" <jgg@ziepe.ca>, "Kamal Heib" ><kamalheib1@gmail.com> >Subject: [EXTERNAL] [PATCH for-rc] RDMA/siw: Fix calculation of >tx_valid_cpus size > >The size of tx_valid_cpus was calculated under the assumption that >the >numa nodes identifiers are continuous, which is not the case in all >archs as this could lead to the following panic when trying to access >an >invalid tx_valid_cpus index, avoid the following panic by using >nr_node_ids instead of num_online_nodes() to allocate the >tx_valid_cpus >size. > Uuups! Thanks for fixing this. nr_node_ids is indeed the right resource here, since it's set reflecting the highest bit + 1 from node_possible_map.bits. Reviewed-by: Bernard Metzler <bmt@zurich.ibm.com> >Kernel attempted to read user page (8) - exploit attempt? (uid: 0) >BUG: Kernel NULL pointer dereference on read at 0x00000008 >Faulting instruction address: 0xc0080000081b4a90 >Oops: Kernel access of bad area, sig: 11 [#1] >LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV >Modules linked in: siw(+) rfkill rpcrdma ib_isert iscsi_target_mod >ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp >scsi_transport_srp ib_ipoib rdma_ucm sunrpc ib_umad rdma_cm ib_cm >iw_cm i40iw ib_uverbs ib_core i40e ses enclosure scsi_transport_sas >ipmi_powernv ibmpowernv at24 ofpart ipmi_devintf regmap_i2c >ipmi_msghandler powernv_flash uio_pdrv_genirq uio mtd opal_prd zram >ip_tables xfs libcrc32c sd_mod t10_pi ast i2c_algo_bit >drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt >fb_sys_fops cec drm_ttm_helper ttm drm vmx_crypto aacraid >drm_panel_orientation_quirks dm_mod >CPU: 40 PID: 3279 Comm: modprobe Tainted: G W X --------- >--- 5.11.0-0.rc4.129.eln108.ppc64le #2 >NIP: c0080000081b4a90 LR: c0080000081b4a2c CTR: c0000000007ce1c0 >REGS: c000000027fa77b0 TRAP: 0300 Tainted: G W X >--------- --- (5.11.0-0.rc4.129.eln108.ppc64le) >MSR: 9000000002009033 <SF,HV,VEC,EE,ME,IR,DR,RI,LE> CR: 44224882 >XER: 00000000 >CFAR: c0000000007ce200 DAR: 0000000000000008 DSISR: 40000000 IRQMASK: >0 >GPR00: c0080000081b4a2c c000000027fa7a50 c0080000081c3900 >0000000000000040 >GPR04: c000000002023080 c000000012e1c300 000020072ad70000 >0000000000000001 >GPR08: c000000001726068 0000000000000008 0000000000000008 >c0080000081b5758 >GPR12: c0000000007ce1c0 c0000007fffc3000 00000001590b1e40 >0000000000000000 >GPR16: 0000000000000000 0000000000000001 000000011ad68fc8 >00007fffcc09c5c8 >GPR20: 0000000000000008 0000000000000000 00000001590b2850 >00000001590b1d30 >GPR24: 0000000000043d68 000000011ad67a80 000000011ad67a80 >0000000000100000 >GPR28: c000000012e1c300 c0000000020271c8 0000000000000001 >c0080000081bf608 >NIP [c0080000081b4a90] siw_init_cpulist+0x194/0x214 [siw] >LR [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw] >Call Trace: >[c000000027fa7a50] [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 >[siw] (unreliable) >[c000000027fa7a90] [c0080000081b4e68] siw_init_module+0x40/0x2a0 >[siw] >[c000000027fa7b30] [c0000000000124f4] do_one_initcall+0x84/0x2e0 >[c000000027fa7c00] [c000000000267ffc] do_init_module+0x7c/0x350 >[c000000027fa7c90] [c00000000026a180] >__do_sys_init_module+0x210/0x250 >[c000000027fa7db0] [c0000000000387e4] >system_call_exception+0x134/0x230 >[c000000027fa7e10] [c00000000000d660] system_call_common+0xf0/0x27c >Instruction dump: >40810044 3d420000 e8bf0000 e88a82d0 3d420000 e90a82c8 792a1f24 >7cc4302a >7d2642aa 79291f24 7d25482a 7d295214 <7d4048a8> 7d4a3b78 7d4049ad >40c2fff4 >---[ end trace 813d4c362755dcfc ]--- > >Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface") >Signed-off-by: Kamal Heib <kamalheib1@gmail.com> >--- > drivers/infiniband/sw/siw/siw_main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/drivers/infiniband/sw/siw/siw_main.c >b/drivers/infiniband/sw/siw/siw_main.c >index ee95cf29179d..41c46dfaebf6 100644 >--- a/drivers/infiniband/sw/siw/siw_main.c >+++ b/drivers/infiniband/sw/siw/siw_main.c >@@ -135,7 +135,7 @@ static struct { > > static int siw_init_cpulist(void) > { >- int i, num_nodes = num_possible_nodes(); >+ int i, num_nodes = nr_node_ids; > > memset(siw_tx_thread, 0, sizeof(siw_tx_thread)); > >-- >2.26.2 > >
On 2/1/21 9:26 PM, Bernard Metzler wrote: > -----"Kamal Heib" <kamalheib1@gmail.com> wrote: ----- > >> To: linux-rdma@vger.kernel.org >> From: "Kamal Heib" <kamalheib1@gmail.com> >> Date: 02/01/2021 12:30PM >> Cc: "Bernard Metzler" <bmt@zurich.ibm.com>, "Doug Ledford" >> <dledford@redhat.com>, "Jason Gunthorpe" <jgg@ziepe.ca>, "Kamal Heib" >> <kamalheib1@gmail.com> >> Subject: [EXTERNAL] [PATCH for-rc] RDMA/siw: Fix calculation of >> tx_valid_cpus size >> >> The size of tx_valid_cpus was calculated under the assumption that >> the >> numa nodes identifiers are continuous, which is not the case in all >> archs as this could lead to the following panic when trying to access >> an >> invalid tx_valid_cpus index, avoid the following panic by using >> nr_node_ids instead of num_online_nodes() to allocate the >> tx_valid_cpus >> size. >> > Uuups! Thanks for fixing this. nr_node_ids is indeed the right > resource here, since it's set reflecting the highest bit + 1 > from node_possible_map.bits. > > Reviewed-by: Bernard Metzler <bmt@zurich.ibm.com> Thanks Kamal, just verified this patch on my power server, feel free to add Tested-by: Yi Zhang <yi.zhang@redhat.com> > >> Kernel attempted to read user page (8) - exploit attempt? (uid: 0) >> BUG: Kernel NULL pointer dereference on read at 0x00000008 >> Faulting instruction address: 0xc0080000081b4a90 >> Oops: Kernel access of bad area, sig: 11 [#1] >> LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV >> Modules linked in: siw(+) rfkill rpcrdma ib_isert iscsi_target_mod >> ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp >> scsi_transport_srp ib_ipoib rdma_ucm sunrpc ib_umad rdma_cm ib_cm >> iw_cm i40iw ib_uverbs ib_core i40e ses enclosure scsi_transport_sas >> ipmi_powernv ibmpowernv at24 ofpart ipmi_devintf regmap_i2c >> ipmi_msghandler powernv_flash uio_pdrv_genirq uio mtd opal_prd zram >> ip_tables xfs libcrc32c sd_mod t10_pi ast i2c_algo_bit >> drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt >> fb_sys_fops cec drm_ttm_helper ttm drm vmx_crypto aacraid >> drm_panel_orientation_quirks dm_mod >> CPU: 40 PID: 3279 Comm: modprobe Tainted: G W X --------- >> --- 5.11.0-0.rc4.129.eln108.ppc64le #2 >> NIP: c0080000081b4a90 LR: c0080000081b4a2c CTR: c0000000007ce1c0 >> REGS: c000000027fa77b0 TRAP: 0300 Tainted: G W X >> --------- --- (5.11.0-0.rc4.129.eln108.ppc64le) >> MSR: 9000000002009033 <SF,HV,VEC,EE,ME,IR,DR,RI,LE> CR: 44224882 >> XER: 00000000 >> CFAR: c0000000007ce200 DAR: 0000000000000008 DSISR: 40000000 IRQMASK: >> 0 >> GPR00: c0080000081b4a2c c000000027fa7a50 c0080000081c3900 >> 0000000000000040 >> GPR04: c000000002023080 c000000012e1c300 000020072ad70000 >> 0000000000000001 >> GPR08: c000000001726068 0000000000000008 0000000000000008 >> c0080000081b5758 >> GPR12: c0000000007ce1c0 c0000007fffc3000 00000001590b1e40 >> 0000000000000000 >> GPR16: 0000000000000000 0000000000000001 000000011ad68fc8 >> 00007fffcc09c5c8 >> GPR20: 0000000000000008 0000000000000000 00000001590b2850 >> 00000001590b1d30 >> GPR24: 0000000000043d68 000000011ad67a80 000000011ad67a80 >> 0000000000100000 >> GPR28: c000000012e1c300 c0000000020271c8 0000000000000001 >> c0080000081bf608 >> NIP [c0080000081b4a90] siw_init_cpulist+0x194/0x214 [siw] >> LR [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw] >> Call Trace: >> [c000000027fa7a50] [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 >> [siw] (unreliable) >> [c000000027fa7a90] [c0080000081b4e68] siw_init_module+0x40/0x2a0 >> [siw] >> [c000000027fa7b30] [c0000000000124f4] do_one_initcall+0x84/0x2e0 >> [c000000027fa7c00] [c000000000267ffc] do_init_module+0x7c/0x350 >> [c000000027fa7c90] [c00000000026a180] >> __do_sys_init_module+0x210/0x250 >> [c000000027fa7db0] [c0000000000387e4] >> system_call_exception+0x134/0x230 >> [c000000027fa7e10] [c00000000000d660] system_call_common+0xf0/0x27c >> Instruction dump: >> 40810044 3d420000 e8bf0000 e88a82d0 3d420000 e90a82c8 792a1f24 >> 7cc4302a >> 7d2642aa 79291f24 7d25482a 7d295214 <7d4048a8> 7d4a3b78 7d4049ad >> 40c2fff4 >> ---[ end trace 813d4c362755dcfc ]--- >> >> Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface") >> Signed-off-by: Kamal Heib <kamalheib1@gmail.com> >> --- >> drivers/infiniband/sw/siw/siw_main.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/infiniband/sw/siw/siw_main.c >> b/drivers/infiniband/sw/siw/siw_main.c >> index ee95cf29179d..41c46dfaebf6 100644 >> --- a/drivers/infiniband/sw/siw/siw_main.c >> +++ b/drivers/infiniband/sw/siw/siw_main.c >> @@ -135,7 +135,7 @@ static struct { >> >> static int siw_init_cpulist(void) >> { >> - int i, num_nodes = num_possible_nodes(); >> + int i, num_nodes = nr_node_ids; >> >> memset(siw_tx_thread, 0, sizeof(siw_tx_thread)); >> >> -- >> 2.26.2 >> >>
On Mon, Feb 01, 2021 at 01:29:22PM +0200, Kamal Heib wrote: > The size of tx_valid_cpus was calculated under the assumption that the > numa nodes identifiers are continuous, which is not the case in all > archs as this could lead to the following panic when trying to access an > invalid tx_valid_cpus index, avoid the following panic by using > nr_node_ids instead of num_online_nodes() to allocate the tx_valid_cpus > size. > > Kernel attempted to read user page (8) - exploit attempt? (uid: 0) > BUG: Kernel NULL pointer dereference on read at 0x00000008 > Faulting instruction address: 0xc0080000081b4a90 > Oops: Kernel access of bad area, sig: 11 [#1] > LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV > Modules linked in: siw(+) rfkill rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm sunrpc ib_umad rdma_cm ib_cm iw_cm i40iw ib_uverbs ib_core i40e ses enclosure scsi_transport_sas ipmi_powernv ibmpowernv at24 ofpart ipmi_devintf regmap_i2c ipmi_msghandler powernv_flash uio_pdrv_genirq uio mtd opal_prd zram ip_tables xfs libcrc32c sd_mod t10_pi ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm vmx_crypto aacraid drm_panel_orientation_quirks dm_mod > CPU: 40 PID: 3279 Comm: modprobe Tainted: G W X --------- --- 5.11.0-0.rc4.129.eln108.ppc64le #2 > NIP: c0080000081b4a90 LR: c0080000081b4a2c CTR: c0000000007ce1c0 > REGS: c000000027fa77b0 TRAP: 0300 Tainted: G W X --------- --- (5.11.0-0.rc4.129.eln108.ppc64le) > MSR: 9000000002009033 <SF,HV,VEC,EE,ME,IR,DR,RI,LE> CR: 44224882 XER: 00000000 > CFAR: c0000000007ce200 DAR: 0000000000000008 DSISR: 40000000 IRQMASK: 0 > GPR00: c0080000081b4a2c c000000027fa7a50 c0080000081c3900 0000000000000040 > GPR04: c000000002023080 c000000012e1c300 000020072ad70000 0000000000000001 > GPR08: c000000001726068 0000000000000008 0000000000000008 c0080000081b5758 > GPR12: c0000000007ce1c0 c0000007fffc3000 00000001590b1e40 0000000000000000 > GPR16: 0000000000000000 0000000000000001 000000011ad68fc8 00007fffcc09c5c8 > GPR20: 0000000000000008 0000000000000000 00000001590b2850 00000001590b1d30 > GPR24: 0000000000043d68 000000011ad67a80 000000011ad67a80 0000000000100000 > GPR28: c000000012e1c300 c0000000020271c8 0000000000000001 c0080000081bf608 > NIP [c0080000081b4a90] siw_init_cpulist+0x194/0x214 [siw] > LR [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw] > Call Trace: > [c000000027fa7a50] [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw] (unreliable) > [c000000027fa7a90] [c0080000081b4e68] siw_init_module+0x40/0x2a0 [siw] > [c000000027fa7b30] [c0000000000124f4] do_one_initcall+0x84/0x2e0 > [c000000027fa7c00] [c000000000267ffc] do_init_module+0x7c/0x350 > [c000000027fa7c90] [c00000000026a180] __do_sys_init_module+0x210/0x250 > [c000000027fa7db0] [c0000000000387e4] system_call_exception+0x134/0x230 > [c000000027fa7e10] [c00000000000d660] system_call_common+0xf0/0x27c > Instruction dump: > 40810044 3d420000 e8bf0000 e88a82d0 3d420000 e90a82c8 792a1f24 7cc4302a > 7d2642aa 79291f24 7d25482a 7d295214 <7d4048a8> 7d4a3b78 7d4049ad 40c2fff4 > ---[ end trace 813d4c362755dcfc ]--- > > Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface") > Signed-off-by: Kamal Heib <kamalheib1@gmail.com> > Reviewed-by: Bernard Metzler <bmt@zurich.ibm.com> > Tested-by: Yi Zhang <yi.zhang@redhat.com> > --- > drivers/infiniband/sw/siw/siw_main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Applied to for-next, I think we are done for the -rcs now Thanks Jason
diff --git a/drivers/infiniband/sw/siw/siw_main.c b/drivers/infiniband/sw/siw/siw_main.c index ee95cf29179d..41c46dfaebf6 100644 --- a/drivers/infiniband/sw/siw/siw_main.c +++ b/drivers/infiniband/sw/siw/siw_main.c @@ -135,7 +135,7 @@ static struct { static int siw_init_cpulist(void) { - int i, num_nodes = num_possible_nodes(); + int i, num_nodes = nr_node_ids; memset(siw_tx_thread, 0, sizeof(siw_tx_thread));
The size of tx_valid_cpus was calculated under the assumption that the numa nodes identifiers are continuous, which is not the case in all archs as this could lead to the following panic when trying to access an invalid tx_valid_cpus index, avoid the following panic by using nr_node_ids instead of num_online_nodes() to allocate the tx_valid_cpus size. Kernel attempted to read user page (8) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000008 Faulting instruction address: 0xc0080000081b4a90 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: siw(+) rfkill rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm sunrpc ib_umad rdma_cm ib_cm iw_cm i40iw ib_uverbs ib_core i40e ses enclosure scsi_transport_sas ipmi_powernv ibmpowernv at24 ofpart ipmi_devintf regmap_i2c ipmi_msghandler powernv_flash uio_pdrv_genirq uio mtd opal_prd zram ip_tables xfs libcrc32c sd_mod t10_pi ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm vmx_crypto aacraid drm_panel_orientation_quirks dm_mod CPU: 40 PID: 3279 Comm: modprobe Tainted: G W X --------- --- 5.11.0-0.rc4.129.eln108.ppc64le #2 NIP: c0080000081b4a90 LR: c0080000081b4a2c CTR: c0000000007ce1c0 REGS: c000000027fa77b0 TRAP: 0300 Tainted: G W X --------- --- (5.11.0-0.rc4.129.eln108.ppc64le) MSR: 9000000002009033 <SF,HV,VEC,EE,ME,IR,DR,RI,LE> CR: 44224882 XER: 00000000 CFAR: c0000000007ce200 DAR: 0000000000000008 DSISR: 40000000 IRQMASK: 0 GPR00: c0080000081b4a2c c000000027fa7a50 c0080000081c3900 0000000000000040 GPR04: c000000002023080 c000000012e1c300 000020072ad70000 0000000000000001 GPR08: c000000001726068 0000000000000008 0000000000000008 c0080000081b5758 GPR12: c0000000007ce1c0 c0000007fffc3000 00000001590b1e40 0000000000000000 GPR16: 0000000000000000 0000000000000001 000000011ad68fc8 00007fffcc09c5c8 GPR20: 0000000000000008 0000000000000000 00000001590b2850 00000001590b1d30 GPR24: 0000000000043d68 000000011ad67a80 000000011ad67a80 0000000000100000 GPR28: c000000012e1c300 c0000000020271c8 0000000000000001 c0080000081bf608 NIP [c0080000081b4a90] siw_init_cpulist+0x194/0x214 [siw] LR [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw] Call Trace: [c000000027fa7a50] [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw] (unreliable) [c000000027fa7a90] [c0080000081b4e68] siw_init_module+0x40/0x2a0 [siw] [c000000027fa7b30] [c0000000000124f4] do_one_initcall+0x84/0x2e0 [c000000027fa7c00] [c000000000267ffc] do_init_module+0x7c/0x350 [c000000027fa7c90] [c00000000026a180] __do_sys_init_module+0x210/0x250 [c000000027fa7db0] [c0000000000387e4] system_call_exception+0x134/0x230 [c000000027fa7e10] [c00000000000d660] system_call_common+0xf0/0x27c Instruction dump: 40810044 3d420000 e8bf0000 e88a82d0 3d420000 e90a82c8 792a1f24 7cc4302a 7d2642aa 79291f24 7d25482a 7d295214 <7d4048a8> 7d4a3b78 7d4049ad 40c2fff4 ---[ end trace 813d4c362755dcfc ]--- Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface") Signed-off-by: Kamal Heib <kamalheib1@gmail.com> --- drivers/infiniband/sw/siw/siw_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)