diff options
| author |   Yishai Hadas <yishaih@mellanox.com> | 2019-01-24 15:00:07 +0200 |
|---|---|---|
| committer |   Jason Gunthorpe <jgg@mellanox.com> | 2019-01-25 11:58:06 -0700 |
| commit | f8ade8e2429758efa1eddf0a6e2cc936714afc8d (patch) | |
| tree | c725f909508b6abf6704f385e2ebe61b70f7628b /drivers/infiniband/core | |
| parent | RDMA/mlx5: Fix flow creation on representors (diff) | |
| download | linux-dev-f8ade8e2429758efa1eddf0a6e2cc936714afc8d.tar.xz linux-dev-f8ade8e2429758efa1eddf0a6e2cc936714afc8d.zip | |
IB/uverbs: Fix ioctl query port to consider device disassociation
Methods cannot peak into the ufile, the only way to get a ucontext and
hence a device is via the ib_uverbs_get_ucontext() call or inspecing a
locked uobject.
Otherwise during/after disassociation the pointers may be null or free'd.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
PGD 800000005ece6067 P4D 800000005ece6067 PUD 5ece7067 PMD 0
Oops: 0000 [#1] SMP PTI
CPU: 0 PID: 10631 Comm: ibv_ud_pingpong Tainted: GW OE 4.20.0-rc6+ #3
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_PORT+0x53/0x191 [ib_uverbs]
Code: 80 00 00 00 31 c0 48 8b 47 40 48 8d 5c 24 38 48 8d 6c 24
08 48 89 df 48 8b 40 08 4c 8b a0 18 03 00 00 31 c0 f3 48 ab 48 89
ef <49> 83 7c 24 78 00 b1 06 f3 48 ab 0f 84 89 00 00 00 45 31 c9 31 d2
RSP: 0018:ffffb54802ccfb10 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffb54802ccfb48 RCX:0000000000000000
RDX: fffffffffffffffa RSI: ffffb54802ccfcf8 RDI:ffffb54802ccfb18
RBP: ffffb54802ccfb18 R08: ffffb54802ccfd18 R09:0000000000000000
R10: 0000000000000000 R11: 00000000000000d0 R12:0000000000000000
R13: ffffb54802ccfcb0 R14: ffffb54802ccfc48 R15:ffff9f736e0059a0
FS: 00007f55a6bd7740(0000) GS:ffff9f737ba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000078 CR3: 0000000064214000 CR4:00000000000006f0
Call Trace:
ib_uverbs_cmd_verbs.isra.5+0x94d/0xa60 [ib_uverbs]
? copy_port_attr_to_resp+0x120/0x120 [ib_uverbs]
? arch_tlb_finish_mmu+0x16/0xc0
? tlb_finish_mmu+0x1f/0x30
? unmap_region+0xd9/0x120
ib_uverbs_ioctl+0xbc/0x120 [ib_uverbs]
do_vfs_ioctl+0xa9/0x620
? __do_munmap+0x29f/0x3a0
ksys_ioctl+0x60/0x90
__x64_sys_ioctl+0x16/0x20
do_syscall_64+0x5b/0x180
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f55a62cb567
Fixes: 641d1207d2ed ("IB/core: Move query port to ioctl")
Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Diffstat (limited to 'drivers/infiniband/core')
| -rw-r--r-- | drivers/infiniband/core/uverbs_std_types_device.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/infiniband/core/uverbs_std_types_device.c b/drivers/infiniband/core/uverbs_std_types_device.c index 5030ec480370..2a3f2f01028d 100644 --- a/drivers/infiniband/core/uverbs_std_types_device.c +++ b/drivers/infiniband/core/uverbs_std_types_device.c @@ -168,12 +168,18 @@ void copy_port_attr_to_resp(struct ib_port_attr *attr, static int UVERBS_HANDLER(UVERBS_METHOD_QUERY_PORT)( struct uverbs_attr_bundle *attrs) { - struct ib_device *ib_dev = attrs->ufile->device->ib_dev; + struct ib_device *ib_dev; struct ib_port_attr attr = {}; struct ib_uverbs_query_port_resp_ex resp = {}; + struct ib_ucontext *ucontext; int ret; u8 port_num; + ucontext = ib_uverbs_get_ucontext(attrs); + if (IS_ERR(ucontext)) + return PTR_ERR(ucontext); + ib_dev = ucontext->device; + /* FIXME: Extend the UAPI_DEF_OBJ_NEEDS_FN stuff.. */ if (!ib_dev->ops.query_port) return -EOPNOTSUPP; |