From patchwork Thu Feb 22 19:35:39 2018
X-Patchwork-Submitter: Parav Pandit
X-Patchwork-Id: 10236217
From: Parav Pandit
To: Muneendra Kumar M, "linux-rdma@vger.kernel.org"
Subject: RE: [PATCH] Bug[RDMA/core]:Null pointer check is missing in addr_resolve
Date: Thu, 22 Feb 2018 19:35:39 +0000
In-Reply-To: <1d4edbe701fc77c5ecd3a939e32b2721@mail.gmail.com>
X-Mailing-List: linux-rdma@vger.kernel.org

Hi Muneendra,

> -----Original Message-----
> From: linux-rdma-owner@vger.kernel.org [mailto:linux-rdma-owner@vger.kernel.org] On Behalf Of Muneendra Kumar M
> Sent: Wednesday, February 21, 2018 4:21 AM
> To: linux-rdma@vger.kernel.org
> Subject: [PATCH] Bug[RDMA/core]:Null pointer check is missing in addr_resolve
>
> Null pointer check is missing in addr_resolve as dev_get_by_index may return a
> NULL pointer.
> And this patch will check whether ndev is NULL and further access the same.
> We observed the issue where the system crashed in the below code
>
> if (ndev->flags & IFF_LOOPBACK)
> {
>         ret = rdma_translate_ip (dst_in, addr, NULL);
>         /*
>          * Put the loopback device and get the translated
>          * device instead.
>          */
>         dev_put (ndev);
>         ndev = dev_get_by_index (addr->net, addr->bound_dev_if);

Above ndev assignment is of no use. It just serves the purpose of keeping dev_put().
So a simpler patch would be possibly below.

>         /*Bug: dev_get_by_index returns null*/
> } else
> {
>         addr->bound_dev_if = ndev->ifindex;
> }
>
> dev_put (ndev) <== system crashed
> And below is the crash
>
> [ 146.173149] BUG: unable to handle kernel NULL pointer dereference at 00000000000004a0
> [ 146.173198] IP: addr_resolve+0x9e/0x3e0 [ib_core]
> [ 146.173221] PGD 0 P4D 0
> [ 146.173869] Oops: 0000 [#1] SMP PTI
> [ 146.182859] CPU: 8 PID: 127 Comm: kworker/8:1 Tainted: G O 4.15.0-rc6+ #18
> [ 146.183758] Hardware name: LENOVO System x3650 M5: -[8871AC1]- /01KN179, BIOS-[TCE132H-2.50]- 10/11/2017
> [ 146.184691] Workqueue: ib_cm cm_work_handler [ib_cm]
> [ 146.185632] RIP: 0010:addr_resolve+0x9e/0x3e0 [ib_core]
> [ 146.186584] RSP: 0018:ffffc9000362faa0 EFLAGS: 00010246
> [ 146.187521] RAX: 000000000000001b RBX: ffffc9000362fc08 RCX: 0000000000000006
> [ 146.188472] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff88087fc16990
> [ 146.189427] RBP: ffffc9000362fb18 R08: 00000000ffffff9d R09: 00000000000004ac
> [ 146.190392] R10: 00000000000001e7 R11: 0000000000000001 R12: ffff88086af2e090
> [ 146.191361] R13: 
0000000000000000 R14: 0000000000000001 R15: > 00000000ffffff9d > [ 146.192327] FS: 0000000000000000(0000) GS:ffff88087fc00000(0000) > knlGS:0000000000000000 > [ 146.193301] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ > 146.194274] CR2: 00000000000004a0 CR3: 000000000220a002 CR4: > 00000000003606e0 > [ 146.195258] DR0: 0000000000000000 DR1: 0000000000000000 DR2: > 0000000000000000 > [ 146.196256] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: > 0000000000000400 > [ 146.197231] Call Trace: > [ 146.198209] ? rdma_addr_register_client+0x30/0x30 [ib_core] [ 146.199199] > rdma_resolve_ip+0x1af/0x280 [ib_core] [ 146.200196] > rdma_addr_find_l2_eth_by_grh+0x154/0x2b0 [ib_core] > > Signed-off-by: Muneendra > --- > drivers/infiniband/core/addr.c | 13 +++++++++---- > 1 file changed, 9 insertions(+), 4 deletions(-) > > diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c index > a5b4cf0..d61ed45 100644 > --- a/drivers/infiniband/core/addr.c > +++ b/drivers/infiniband/core/addr.c > @@ -523,7 +523,8 @@ static int addr_resolve(struct sockaddr *src_in, > ndev = dev_get_by_index(addr->net, > addr->bound_dev_if); > } else { > ndev = rt->dst.dev; > - dev_hold(ndev); > + if (ndev) > + dev_hold(ndev); Given that if addr4_resolve() or addr6_resolve() fails, rt and dst entries are not accessed, this ndev should not be NULL, do you see this NULL too? > } > > ip_rt_put(rt); > @@ -544,7 +545,8 @@ static int addr_resolve(struct sockaddr *src_in, > ndev = dev_get_by_index(addr->net, > addr->bound_dev_if); > } else { > ndev = dst->dev; > - dev_hold(ndev); > + if (ndev) > + dev_hold(ndev); > } > > dst_release(dst); 
> @@ -556,12 +558,15 @@ static int addr_resolve(struct sockaddr *src_in, > * Put the loopback device and get the translated > * device instead. > */ > - dev_put(ndev); > + if (ndev) > + dev_put(ndev); > ndev = dev_get_by_index(addr->net, addr->bound_dev_if); > } else { > addr->bound_dev_if = ndev->ifindex; > } > - dev_put(ndev); > + /*The ndev could be null */ > + if (ndev) > + dev_put(ndev); > > return ret; > } > -- > 1.8.3.1 > -- > To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body > of a message to majordomo@vger.kernel.org More majordomo info at > http://vger.kernel.org/majordomo-info.html diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c index a039a49..4af043e 100644 --- a/drivers/infiniband/core/addr.c +++ b/drivers/infiniband/core/addr.c @@ -550,19 +550,13 @@ static int addr_resolve(struct sockaddr *src_in, dst_release(dst); } - if (ndev->flags & IFF_LOOPBACK) { - ret = rdma_translate_ip(dst_in, addr); - /* - * Put the loopback device and get the translated - * device instead. - */ + if (ndev) { + if (ndev->flags & IFF_LOOPBACK) + ret = rdma_translate_ip(dst_in, addr); + else + addr->bound_dev_if = ndev->ifindex; dev_put(ndev); - ndev = dev_get_by_index(addr->net, addr->bound_dev_if); - } else { - addr->bound_dev_if = ndev->ifindex; } - dev_put(ndev); - return ret; }
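Review bot: In the quoted @@ -523,7 +523,8 @@ hunk (and identically in @@ -544,7 +545,8 @@), guarding only `dev_hold(ndev)` leaves ndev NULL for everything that follows, and the unchanged context line just above it, `ndev = dev_get_by_index(addr->net, addr->bound_dev_if);`, is the call the commit message says can return NULL, yet it stays unchecked. Instead of skipping the hold, test ndev once after the if/else, release rt (or dst) as the context already does, and return an error such as -ENODEV so nothing later in addr_resolve() touches a NULL device.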
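Review bot: In the quoted @@ -556,12 +558,15 @@ hunk the new `if (ndev)` tests sit beside an unguarded dereference: the else branch still runs `addr->bound_dev_if = ndev->ifindex;`, and the first `if (ndev) dev_put(ndev);` is in a branch that, per the snippet in the commit message, is entered by reading `ndev->flags`, so that test cannot be false when it is reached. Only the final dev_put() guard is reachable with NULL, after the `dev_get_by_index()` reassignment; move the NULL test ahead of the flags check and drop the redundant one. The added comment should follow kernel comment style, `/* ndev could be NULL */`.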
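Review bot: In the @@ -550,19 +550,13 @@ hunk of the replacement patch, a NULL ndev skips the whole `if (ndev) {` block and falls through to `return ret;` with no error assigned and `addr->bound_dev_if` left untouched, so the caller receives whatever ret held from the earlier resolve step and cannot tell that no device was found. Consider an else branch that sets ret to an error such as -ENODEV. The deleted loopback comment could also be replaced by one line saying why the second `dev_get_by_index()` lookup is no longer needed.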