Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp8379042ybl; Thu, 16 Jan 2020 15:41:17 -0800 (PST) X-Google-Smtp-Source: APXvYqy7V+5KbRDi4DP5P8vr/C06F82FodJieOeNoQ5aS5xSg5VN0ay8qNcjlf335wwPeE+E3yVK X-Received: by 2002:a9d:7f12:: with SMTP id j18mr4325481otq.17.1579218077100; Thu, 16 Jan 2020 15:41:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579218077; cv=none; d=google.com; s=arc-20160816; b=WbT7tpWBm53/OqPvALSKJZWZkRj/OSaz5n/Pdl4jDB0A2eU0an0RZtNpUwaMFkyyNH 3vUESmY0FpBStbPdZdeuYDYl2tTyq1J5/oK84/c8cXLnCHtTEsHZ6DKwRWARBN6ZihlQ AtQho9drqGmWR1FSxcSoQR4grCWCA9IIuXSqE4SzJv1ITm+/P40UMwrdG8fND5mfPDl4 X9PMp8BouNQbAKr+qWhrBM1OAXkObvxJTCmkcjnorBy9+VFTI6U6IiiULQume8uZIFTF zmAh37JNnC6GKHKQHDT3oln5N5vSoFZVDR3Qh1qgaq8HHlOoSAAL+jVOk0uKvszSnzOQ s45A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=u7v5mNC3a4ctFMOi5fSQ65/8ztCJ7C4DcQR1r+JsvXY=; b=YjVBiroyXvcU+nOJovq7dFV8UfWVkW63KWqRL1QzSOp7GCQT8eTULVBEOdA1JWq778 Os5NF8JDkcovf+9zFcfOXx6Cr1JUAvY+X9RAMy2jkGyLyru4WktLikJFRgTkQ10aVWu8 o7f5+PUYP2Qi+l+/PF6iLTSFuHvaT7pyCuP7kBkOJjcqe6UAOX9bpzOm6vp4k8gxRKUM wNMvVfaOg9wX8iM+OUTAPEsoq71m3JKkL9FAmwE3HehFByIVPr8WYnyi0HoTUSFcxHe7 RR52fanSTB7NiIQdRj4kDosQxmsFSux61xZkWr4UUAuSyfC/KlRPf8+kE2FnDT09Xxyb sjzg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=mjVrixY9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a23si7923987otr.244.2020.01.16.15.41.04; Thu, 16 Jan 2020 15:41:17 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=mjVrixY9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387718AbgAPXjn (ORCPT + 99 others); Thu, 16 Jan 2020 18:39:43 -0500 Received: from mail.kernel.org ([198.145.29.99]:60406 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390315AbgAPX17 (ORCPT ); Thu, 16 Jan 2020 18:27:59 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E466020684; Thu, 16 Jan 2020 23:27:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579217279; bh=KNMUoW2XH5IzFZtNLY8+UWNfcdNo7DhgtsCcv8xcdIg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mjVrixY9R7yWp89ICMg6AvCfSCPUvm8ZL6uWqgQjubVvt2TNNSwjUW/UOIzKb5Alz 8/Ps9/n0GEGxsNpQA2egW9TQP6LV0WWngec88STOmd3AExncv0eIPpzCyyShsuChYa /f5TtGNpHqshAJoqWvsnWn+7A0kNloTHPuRFnghc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Selvin Xavier , Jason Gunthorpe Subject: [PATCH 4.19 18/84] RDMA/bnxt_re: Avoid freeing MR resources if dereg fails Date: Fri, 17 Jan 2020 00:17:52 +0100 Message-Id: <20200116231715.784465944@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200116231713.087649517@linuxfoundation.org> References: <20200116231713.087649517@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Selvin Xavier commit 9a4467a6b282a299b932608ac2c9034f8415359f upstream. The driver returns an error code for MR dereg, but frees the MR structure. When the MR dereg is retried due to previous error, the system crashes as the structure is already freed. BUG: unable to handle kernel NULL pointer dereference at 00000000000001b8 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 7 PID: 12178 Comm: ib_send_bw Kdump: loaded Not tainted 4.18.0-124.el8.x86_64 #1 Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 1.1.10 03/10/2015 RIP: 0010:__dev_printk+0x2a/0x70 Code: 0f 1f 44 00 00 49 89 d1 48 85 f6 0f 84 f6 2b 00 00 4c 8b 46 70 4d 85 c0 75 04 4c 8b 46 10 48 8b 86 a8 00 00 00 48 85 c0 74 16 <48> 8b 08 0f be 7f 01 48 c7 c2 13 ac ac 83 83 ef 30 e9 10 fe ff ff RSP: 0018:ffffaf7c04607a60 EFLAGS: 00010006 RAX: 00000000000001b8 RBX: ffffa0010c91c488 RCX: 0000000000000246 RDX: ffffaf7c04607a68 RSI: ffffa0010c91caa8 RDI: ffffffff83a788eb RBP: ffffaf7c04607ac8 R08: 0000000000000000 R09: ffffaf7c04607a68 R10: 0000000000000000 R11: 0000000000000001 R12: ffffaf7c04607b90 R13: 000000000000000e R14: 0000000000000000 R15: 00000000ffffa001 FS: 0000146fa1f1cdc0(0000) GS:ffffa0012fac0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000001b8 CR3: 000000007680a003 CR4: 00000000001606e0 Call Trace: dev_err+0x6c/0x90 ? dev_printk_emit+0x4e/0x70 bnxt_qplib_rcfw_send_message+0x594/0x660 [bnxt_re] ? dev_err+0x6c/0x90 bnxt_qplib_free_mrw+0x80/0xe0 [bnxt_re] bnxt_re_dereg_mr+0x2e/0xd0 [bnxt_re] ib_dereg_mr+0x2f/0x50 [ib_core] destroy_hw_idr_uobject+0x20/0x70 [ib_uverbs] uverbs_destroy_uobject+0x2e/0x170 [ib_uverbs] __uverbs_cleanup_ufile+0x6e/0x90 [ib_uverbs] uverbs_destroy_ufile_hw+0x61/0x130 [ib_uverbs] ib_uverbs_close+0x1f/0x80 [ib_uverbs] __fput+0xb7/0x230 task_work_run+0x8a/0xb0 do_exit+0x2da/0xb40 ... RIP: 0033:0x146fa113a387 Code: Bad RIP value. RSP: 002b:00007fff945d1478 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff02 RAX: 0000000000000000 RBX: 000055a248908d70 RCX: 0000000000000000 RDX: 0000146fa1f2b000 RSI: 0000000000000001 RDI: 000055a248906488 RBP: 000055a248909630 R08: 0000000000010000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 000055a248906488 R13: 0000000000000001 R14: 0000000000000000 R15: 000055a2489095f0 Do not free the MR structures, when driver returns error to the stack. Fixes: 872f3578241d ("RDMA/bnxt_re: Add support for MRs with Huge pages") Link: https://lore.kernel.org/r/1574671174-5064-2-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c @@ -3368,8 +3368,10 @@ int bnxt_re_dereg_mr(struct ib_mr *ib_mr int rc; rc = bnxt_qplib_free_mrw(&rdev->qplib_res, &mr->qplib_mr); - if (rc) + if (rc) { dev_err(rdev_to_dev(rdev), "Dereg MR failed: %#x\n", rc); + return rc; + } if (mr->pages) { rc = bnxt_qplib_free_fast_reg_page_list(&rdev->qplib_res,