Commit | Line | Data |
---|---|---|
59d5af67 | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
905722fb | 2 | From: Parav Pandit <parav@mellanox.com> |
19894df4 | 3 | Date: Fri, 5 Jan 2018 23:51:12 +0100 |
59d5af67 FG |
4 | Subject: [PATCH] IB/core: Avoid crash on pkey enforcement failed in received |
5 | MADs | |
19894df4 FG |
6 | MIME-Version: 1.0 |
7 | Content-Type: text/plain; charset=UTF-8 | |
8 | Content-Transfer-Encoding: 8bit | |
905722fb FG |
9 | |
10 | commit 89548bcafec7ecfeea58c553f0834b5d575a66eb upstream. | |
11 | ||
12 | Below kernel crash is observed when Pkey security enforcement fails on | |
13 | received MADs. This issue is reported in [1]. | |
14 | ||
15 | ib_free_recv_mad() accesses the rmpp_list, whose initialization is | |
16 | needed before accessing it. | |
17 | When security enforcement fails on received MADs, MAD processing is skipped | |
18 | because the security checks failed. | |
19 | ||
20 | OpenSM[3770]: SM port is down | |
21 | kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 | |
22 | kernel: IP: ib_free_recv_mad+0x44/0xa0 [ib_core] | |
23 | kernel: PGD 0 | |
24 | kernel: P4D 0 | |
25 | kernel: | |
26 | kernel: Oops: 0002 [#1] SMP | |
27 | kernel: CPU: 0 PID: 2833 Comm: kworker/0:1H Tainted: P IO 4.13.4-1-pve #1 | |
28 | kernel: Hardware name: Dell XS23-TY3 /9CMP63, BIOS 1.71 09/17/2013 | |
29 | kernel: Workqueue: ib-comp-wq ib_cq_poll_work [ib_core] | |
30 | kernel: task: ffffa069c6541600 task.stack: ffffb9a729054000 | |
31 | kernel: RIP: 0010:ib_free_recv_mad+0x44/0xa0 [ib_core] | |
32 | kernel: RSP: 0018:ffffb9a729057d38 EFLAGS: 00010286 | |
33 | kernel: RAX: ffffa069cb138a48 RBX: ffffa069cb138a10 RCX: 0000000000000000 | |
34 | kernel: RDX: ffffb9a729057d38 RSI: 0000000000000000 RDI: ffffa069cb138a20 | |
35 | kernel: RBP: ffffb9a729057d60 R08: ffffa072d2d49800 R09: ffffa069cb138ae0 | |
36 | kernel: R10: ffffa069cb138ae0 R11: ffffa072b3994e00 R12: ffffb9a729057d38 | |
37 | kernel: R13: ffffa069d1c90000 R14: 0000000000000000 R15: ffffa069d1c90880 | |
38 | kernel: FS: 0000000000000000(0000) GS:ffffa069dba00000(0000) knlGS:0000000000000000 | |
39 | kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
40 | kernel: CR2: 0000000000000008 CR3: 00000011f51f2000 CR4: 00000000000006f0 | |
41 | kernel: Call Trace: | |
42 | kernel: ib_mad_recv_done+0x5cc/0xb50 [ib_core] | |
43 | kernel: __ib_process_cq+0x5c/0xb0 [ib_core] | |
44 | kernel: ib_cq_poll_work+0x20/0x60 [ib_core] | |
45 | kernel: process_one_work+0x1e9/0x410 | |
46 | kernel: worker_thread+0x4b/0x410 | |
47 | kernel: kthread+0x109/0x140 | |
48 | kernel: ? process_one_work+0x410/0x410 | |
49 | kernel: ? kthread_create_on_node+0x70/0x70 | |
50 | kernel: ? SyS_exit_group+0x14/0x20 | |
51 | kernel: ret_from_fork+0x25/0x30 | |
52 | kernel: RIP: ib_free_recv_mad+0x44/0xa0 [ib_core] RSP: ffffb9a729057d38 | |
53 | kernel: CR2: 0000000000000008 | |
54 | ||
55 | [1] : https://www.spinics.net/lists/linux-rdma/msg56190.html | |
56 | ||
57 | Fixes: 47a2b338fe63 ("IB/core: Enforce security on management datagrams") | |
58 | Signed-off-by: Parav Pandit <parav@mellanox.com> | |
59 | Reported-by: Chris Blake <chrisrblake93@gmail.com> | |
60 | Reviewed-by: Daniel Jurgens <danielj@mellanox.com> | |
61 | Reviewed-by: Hal Rosenstock <hal@mellanox.com> | |
62 | Signed-off-by: Doug Ledford <dledford@redhat.com> | |
63 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
64 | ||
65 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
66 | --- | |
67 | drivers/infiniband/core/mad.c | 3 ++- | |
68 | 1 file changed, 2 insertions(+), 1 deletion(-) | |
69 | ||
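--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -1974,14 +1974,15 @@ static void ib_mad_complete_recv(struct ib_mad_agent_private *mad_agent_priv,
 unsigned long flags;
 int ret;
 
+INIT_LIST_HEAD(&mad_recv_wc->rmpp_list);
 ret = ib_mad_enforce_security(mad_agent_priv,
 mad_recv_wc->wc->pkey_index);
 if (ret) {
 ib_free_recv_mad(mad_recv_wc);
 deref_mad_agent(mad_agent_priv);
+return;
 }
 
-INIT_LIST_HEAD(&mad_recv_wc->rmpp_list);
 list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list);
 if (ib_mad_kernel_rmpp_agent(&mad_agent_priv->agent)) {
 mad_recv_wc = ib_process_rmpp_recv_wc(mad_agent_priv,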
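Review bot: Nothing in the new code records why `INIT_LIST_HEAD(&mad_recv_wc->rmpp_list)` now has to sit above the `ib_mad_enforce_security()` call, so a later cleanup could move it back down and reintroduce the NULL dereference on the failure path. A short comment above it would pin the ordering, e.g. `/* rmpp_list must be initialised before any ib_free_recv_mad(), including the pkey-failure path below */`. The added `return;` matters for memory safety as well: without it the old code appears to fall through to `list_add()` on the `mad_recv_wc` that was just handed to `ib_free_recv_mad()`, and to keep using the agent after `deref_mad_agent()`, which the commit message does not mention. ib_mad_complete_recv() starts before and continues past this hunk, so its other exit paths were not visible for review.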
91 | -- | |
92 | 2.14.2 | |
93 |