From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Max Gurtovoy, Christoph Hellwig, Raju Rangoju, Sagi Grimberg, Jens Axboe
Subject: [PATCH 4.9 41/44] nvmet-rdma: fix null dereference under heavy load
Date: Tue, 29 Jan 2019 12:36:36 +0100
Message-Id: <20190129113143.290397932@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190129113139.826927690@linuxfoundation.org>
References: <20190129113139.826927690@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raju Rangoju

commit 5cbab6303b4791a3e6713dfe2c5fda6a867f9adc upstream.

Under heavy load if we don't have any pre-allocated rsps left, we
dynamically allocate a rsp, but we are not actually allocating memory
for nvme_completion (rsp->req.rsp). In such a case, accessing pointer
fields (req->rsp->status) in nvmet_req_init() will result in a crash.

To fix this, allocate the memory for nvme_completion by calling
nvmet_rdma_alloc_rsp().

Fixes: 8407879c("nvmet-rdma:fix possible bogus dereference under heavy load")
Cc:
Reviewed-by: Max Gurtovoy
Reviewed-by: Christoph Hellwig
Signed-off-by: Raju Rangoju
Signed-off-by: Sagi Grimberg
Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman
---
 drivers/nvme/target/rdma.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

--- a/drivers/nvme/target/rdma.c
+++ b/drivers/nvme/target/rdma.c
@@ -137,6 +137,10 @@ static void nvmet_rdma_recv_done(struct static void nvmet_rdma_read_data_done(struct ib_cq *cq, struct ib_wc *wc); static void nvmet_rdma_qp_event(struct ib_event *event, void *priv); static void nvmet_rdma_queue_disconnect(struct nvmet_rdma_queue *queue); +static void nvmet_rdma_free_rsp(struct nvmet_rdma_device *ndev, + struct nvmet_rdma_rsp *r); +static int nvmet_rdma_alloc_rsp(struct nvmet_rdma_device *ndev, + struct nvmet_rdma_rsp *r); static struct nvmet_fabrics_ops nvmet_rdma_ops; @@ -175,9 +179,17 @@ nvmet_rdma_get_rsp(struct nvmet_rdma_que spin_unlock_irqrestore(&queue->rsps_lock, flags); if (unlikely(!rsp)) { - rsp = kmalloc(sizeof(*rsp), GFP_KERNEL); + int ret; + + rsp = kzalloc(sizeof(*rsp), GFP_KERNEL); if (unlikely(!rsp)) return NULL; + ret = nvmet_rdma_alloc_rsp(queue->dev, rsp); + if (unlikely(ret)) { + kfree(rsp); + return NULL; + } + rsp->allocated = true; } @@ -190,6 +202,7 @@ nvmet_rdma_put_rsp(struct nvmet_rdma_rsp unsigned long flags; if (unlikely(rsp->allocated)) { + nvmet_rdma_free_rsp(rsp->queue->dev, rsp); kfree(rsp); return; }
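Review bot: the two forward declarations added in the first hunk (nvmet_rdma_free_rsp and nvmet_rdma_alloc_rsp) exist only because nvmet_rdma_get_rsp() and nvmet_rdma_put_rsp() now call those helpers ahead of their definitions; they follow the style of the surrounding declaration block, but their signatures (`struct nvmet_rdma_device *ndev, struct nvmet_rdma_rsp *r`) have to stay in sync with the definitions further down the file, which this patch does not show, so the 4.9 backport should be build-tested rather than assumed to match the upstream prototypes.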
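Review bot: the commit message does not say why `kmalloc(sizeof(*rsp), GFP_KERNEL)` becomes `kzalloc(...)` in the nvmet_rdma_get_rsp() hunk; since nvmet_rdma_alloc_rsp() now initialises the response, the zeroing is presumably there so that any field it does not touch starts out 0/NULL instead of stale heap contents, and one sentence in the message stating that would make the intent explicit. The error path itself is balanced: when nvmet_rdma_alloc_rsp() fails the code does kfree(rsp) without nvmet_rdma_free_rsp(), which is correct only if alloc_rsp cleans up its own partial work on failure, and `rsp->allocated = true` is set only after success, so a half-initialised rsp can never reach nvmet_rdma_put_rsp(). Both allocations sit after `spin_unlock_irqrestore(&queue->rsps_lock, flags)`, which is required because GFP_KERNEL allocations may sleep.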
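Review bot: in the nvmet_rdma_put_rsp() hunk, `nvmet_rdma_free_rsp(rsp->queue->dev, rsp)` is correctly placed before kfree(rsp), since it needs the rsp's fields to release what nvmet_rdma_alloc_rsp() set up, and it is confined to the `rsp->allocated` branch so pre-allocated rsps keep their existing return-to-pool path. It does add a dependency on rsp->queue being valid at put time for dynamically allocated rsps; the hunk does not show where rsp->queue is assigned, so it is worth confirming it is set on the kzalloc path before such an rsp can be put, otherwise this line would be a NULL dereference of the same kind the patch is fixing.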