| Message ID | 20221202145713.13152-1-lizhijian@fujitsu.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Jason Gunthorpe |
| Headers | show |
| Series | RDMA/rxe: fix possible NULL MR dereference | expand |
NOTE: This is for-rc on 12/2/2022 10:57 PM, Li Zhijian wrote: > Daisuke mentioned that: > If responder get a zero-byte RDMA Read request, qp->resp.mr > is not set in check_rkey(). The mr is NULL in this case, and a NULL pointer > dereference occurs as shown below. > > BUG: kernel NULL pointer dereference, address: 0000000000000010 > #PF: supervisor write access in kernel mode > #PF: error_code(0x0002) - not-present page > PGD 0 P4D 0 > Oops: 0002 [#1] PREEMPT SMP PTI > CPU: 2 PID: 3622 Comm: python3 Kdump: loaded Not tainted 6.1.0-rc3+ #34 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 > RIP: 0010:__rxe_put+0xc/0x60 [rdma_rxe] > Code: cc cc cc 31 f6 e8 64 36 1b d3 41 b8 01 00 00 00 44 89 c0 c3 cc cc cc cc 41 89 c0 eb c1 90 0f 1f 44 00 00 41 54 b8 ff ff ff ff <f0> 0f c1 47 10 83 f8 01 74 11 45 31 e4 85 c0 7e 20 44 89 e0 41 5c > RSP: 0018:ffffb27bc012ce78 EFLAGS: 00010246 > RAX: 00000000ffffffff RBX: ffff9790857b0580 RCX: 0000000000000000 > RDX: ffff979080fe145a RSI: 000055560e3e0000 RDI: 0000000000000000 > RBP: ffff97909c7dd800 R08: 0000000000000001 R09: e7ce43d97f7bed0f > R10: ffff97908b29c300 R11: 0000000000000000 R12: 0000000000000000 > R13: 0000000000000000 R14: ffff97908b29c300 R15: 0000000000000000 > FS: 00007f276f7bd740(0000) GS:ffff9792b5c80000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000010 CR3: 0000000114230002 CR4: 0000000000060ee0 > Call Trace: > <IRQ> > read_reply+0xda/0x310 [rdma_rxe] > rxe_responder+0x82d/0xe50 [rdma_rxe] > do_task+0x84/0x170 [rdma_rxe] > tasklet_action_common.constprop.0+0xa7/0x120 > __do_softirq+0xcb/0x2ac > do_softirq+0x63/0x90 > </IRQ> > > Test mr before dereference it to avoid this problem. > > Fixes: b5f9a01fae42 ("RDMA/rxe: Fix mr leak in RESPST_ERR_RNR") > Reported-by: Daisuke Matsuda <matsuda-daisuke@fujitsu.com> > Signed-off-by: Li Zhijian <lizhijian@fujitsu.com> > --- > Hope we can catch up with 6.1 > --- > drivers/infiniband/sw/rxe/rxe_resp.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c > index 693081e813ec..bbb9665c64ad 100644 > --- a/drivers/infiniband/sw/rxe/rxe_resp.c > +++ b/drivers/infiniband/sw/rxe/rxe_resp.c > @@ -807,7 +807,8 @@ static enum resp_states read_reply(struct rxe_qp *qp, > skb = prepare_ack_packet(qp, &ack_pkt, opcode, payload, > res->cur_psn, AETH_ACK_UNLIMITED); > if (!skb) { > - rxe_put(mr); > + if (mr) > + rxe_put(mr); > return RESPST_ERR_RNR; > } >
diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c index 693081e813ec..bbb9665c64ad 100644 --- a/drivers/infiniband/sw/rxe/rxe_resp.c +++ b/drivers/infiniband/sw/rxe/rxe_resp.c @@ -807,7 +807,8 @@ static enum resp_states read_reply(struct rxe_qp *qp, skb = prepare_ack_packet(qp, &ack_pkt, opcode, payload, res->cur_psn, AETH_ACK_UNLIMITED); if (!skb) { - rxe_put(mr); + if (mr) + rxe_put(mr); return RESPST_ERR_RNR; }
Daisuke mentioned that: If responder get a zero-byte RDMA Read request, qp->resp.mr is not set in check_rkey(). The mr is NULL in this case, and a NULL pointer dereference occurs as shown below. BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 2 PID: 3622 Comm: python3 Kdump: loaded Not tainted 6.1.0-rc3+ #34 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:__rxe_put+0xc/0x60 [rdma_rxe] Code: cc cc cc 31 f6 e8 64 36 1b d3 41 b8 01 00 00 00 44 89 c0 c3 cc cc cc cc 41 89 c0 eb c1 90 0f 1f 44 00 00 41 54 b8 ff ff ff ff <f0> 0f c1 47 10 83 f8 01 74 11 45 31 e4 85 c0 7e 20 44 89 e0 41 5c RSP: 0018:ffffb27bc012ce78 EFLAGS: 00010246 RAX: 00000000ffffffff RBX: ffff9790857b0580 RCX: 0000000000000000 RDX: ffff979080fe145a RSI: 000055560e3e0000 RDI: 0000000000000000 RBP: ffff97909c7dd800 R08: 0000000000000001 R09: e7ce43d97f7bed0f R10: ffff97908b29c300 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: ffff97908b29c300 R15: 0000000000000000 FS: 00007f276f7bd740(0000) GS:ffff9792b5c80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000114230002 CR4: 0000000000060ee0 Call Trace: <IRQ> read_reply+0xda/0x310 [rdma_rxe] rxe_responder+0x82d/0xe50 [rdma_rxe] do_task+0x84/0x170 [rdma_rxe] tasklet_action_common.constprop.0+0xa7/0x120 __do_softirq+0xcb/0x2ac do_softirq+0x63/0x90 </IRQ> Test mr before dereference it to avoid this problem. Fixes: b5f9a01fae42 ("RDMA/rxe: Fix mr leak in RESPST_ERR_RNR") Reported-by: Daisuke Matsuda <matsuda-daisuke@fujitsu.com> Signed-off-by: Li Zhijian <lizhijian@fujitsu.com> --- Hope we can catch up with 6.1 --- drivers/infiniband/sw/rxe/rxe_resp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)