linux/drivers/infiniband/core
Maor Gottlieb 870201f95f IB/uverbs: Fix NULL pointer dereference during device removal
As part of ib_uverbs_remove_one which might be triggered upon
reset flow, we trigger IB_EVENT_DEVICE_FATAL event to userspace
application.
If device was removed after uverbs fd was opened but before
ib_uverbs_get_context was called, the event file will be accessed
before it was allocated, result in NULL pointer dereference:

[ 72.325873] BUG: unable to handle kernel NULL pointer dereference at (null)
...
[ 72.325984] IP: _raw_spin_lock_irqsave+0x22/0x40
[ 72.327123] Call Trace:
[ 72.327168] ib_uverbs_async_handler.isra.8+0x2e/0x160 [ib_uverbs]
[ 72.327216] ? synchronize_srcu_expedited+0x27/0x30
[ 72.327269] ib_uverbs_remove_one+0x120/0x2c0 [ib_uverbs]
[ 72.327330] ib_unregister_device+0xd0/0x180 [ib_core]
[ 72.327373] mlx5_ib_remove+0x74/0x140 [mlx5_ib]
[ 72.327422] mlx5_remove_device+0xfb/0x110 [mlx5_core]
[ 72.327466] mlx5_unregister_interface+0x3c/0xa0 [mlx5_core]
[ 72.327509] mlx5_ib_cleanup+0x10/0x962 [mlx5_ib]
[ 72.327546] SyS_delete_module+0x155/0x230
[ 72.328472] ? exit_to_usermode_loop+0x70/0xa6
[ 72.329370] do_syscall_64+0x54/0xc0
[ 72.330262] entry_SYSCALL64_slow_path+0x25/0x25

Fix it by checking that user context was allocated before
trigger the event.

Fixes: 036b106357 ('IB/uverbs: Enable device removal when there are active user space applications')
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Reviewed-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-08-16 12:53:15 -04:00
..
addr.c IB/core: Fix race condition in resolving IP to MAC 2017-08-04 14:24:04 -04:00
agent.c IB/core: Rename ib_destroy_ah to rdma_destroy_ah 2017-05-01 14:32:43 -04:00
agent.h IB/mad: Add final OPA MAD processing 2015-06-12 14:49:18 -04:00
cache.c IB/core: Enforce PKey security on QPs 2017-05-23 12:26:59 -04:00
cgroup.c IB/core: added support to use rdma cgroup controller 2017-01-10 11:14:27 -05:00
cm_msgs.h IB/core: Fix unaligned accesses 2015-05-05 13:21:27 -04:00
cm.c RDMA/SA: Fix kernel panic in CMA request handler flow 2017-06-01 17:20:14 -04:00
cma_configfs.c IB/cma: Add default RoCE TOS to CMA configfs 2017-02-15 09:51:28 -05:00
cma.c RDMA/core: Initialize port_num in qp_attr 2017-07-20 11:24:13 -04:00
core_priv.h Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2017-07-05 11:26:35 -07:00
cq.c IB/cq: Don't process more than the given budget 2017-03-24 22:19:48 -04:00
device.c IB/core: Protect sysfs entry on ib_unregister_device 2017-08-16 11:47:55 -04:00
fmr_pool.c IB/fmr_pool: Convert the cleanup thread into kthread worker API 2017-04-25 14:24:17 -04:00
iwcm.c rdma_cm: add rdma_reject_msg() helper function 2016-12-14 11:38:28 -05:00
iwcm.h iw_cm: free cm_id resources on the last deref 2016-08-02 13:15:18 -04:00
iwpm_msg.c IB/core: Remove debug prints after allocation failure 2016-12-03 13:12:52 -05:00
iwpm_util.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
iwpm_util.h iwpm: crash fix for large connections test 2016-03-16 13:48:32 -04:00
mad_priv.h IB/mad: use CQ abstraction 2016-01-19 15:25:45 -05:00
mad_rmpp.c IB/core: Use rdma_ah_attr accessor functions 2017-05-01 14:32:43 -04:00
mad_rmpp.h
mad.c IB/core: Enforce security on management datagrams 2017-05-23 12:27:21 -04:00
Makefile IB/core: Enforce PKey security on QPs 2017-05-23 12:26:59 -04:00
mr_pool.c IB/core: add a simple MR pool 2016-05-13 13:37:18 -04:00
multicast.c IB/core: Define 'ib' and 'roce' rdma_ah_attr types 2017-05-01 14:32:43 -04:00
netlink.c RDMA/netlink: Reduce exposure of RDMA netlink functions 2017-06-01 17:20:11 -04:00
opa_smi.h IB: Add rdma_cap_ib_switch helper and use where appropriate 2015-07-14 13:20:08 -04:00
packer.c IB/core: trivial prink cleanup. 2016-03-03 10:20:25 -05:00
rdma_core.c IB/core: Nullify ib_uobject during allocation 2017-04-20 11:44:07 -04:00
rdma_core.h IB/core: Add support for fd objects 2017-04-05 13:28:04 -04:00
roce_gid_mgmt.c IB/core: Add ordered workqueue for RoCE GID management 2017-07-17 21:21:25 -04:00
rw.c IB/core, RDMA RW API: Do not exceed QP SGE send limit 2016-08-02 12:02:41 -04:00
sa_query.c networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
sa.h
security.c IB/core: Fix uninitialized variable use in check_qp_port_pkey_settings 2017-07-07 09:49:26 +10:00
smi.c IB: Add rdma_cap_ib_switch helper and use where appropriate 2015-07-14 13:20:08 -04:00
smi.h IB: Add rdma_cap_ib_switch helper and use where appropriate 2015-07-14 13:20:08 -04:00
sysfs.c IB/core: Add HDR speed enum 2017-04-21 12:29:31 -04:00
ucm.c char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
ucma.c IB/SA: Add OPA path record type 2017-05-01 14:39:02 -04:00
ud_header.c IB/core: trivial prink cleanup. 2016-03-03 10:20:25 -05:00
umem_odp.c RDMA/umem: Fix missing mmap_sem in get umem ODP call 2017-06-01 17:20:13 -04:00
umem_rbtree.c IB/umem: Update on demand page (ODP) support 2017-02-14 11:41:17 -05:00
umem.c RDMA/core: not to set page dirty bit if it's already set. 2017-06-01 17:20:12 -04:00
user_mad.c char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
uverbs_cmd.c RDMA/uverbs: Prevent leak of reserved field 2017-08-04 14:24:05 -04:00
uverbs_main.c IB/uverbs: Fix NULL pointer dereference during device removal 2017-08-16 12:53:15 -04:00
uverbs_marshall.c RDMA/uverbs: Declare local function static and add brackets to sizeof 2017-06-01 17:20:12 -04:00
uverbs_std_types.c IB/core: Rename ib_destroy_ah to rdma_destroy_ah 2017-05-01 14:32:43 -04:00
uverbs.h IB/core: Introduce drop flow specification 2017-04-21 12:26:05 -04:00
verbs.c Revert "IB/core: Allow QP state transition from reset to error" 2017-07-23 10:52:00 +03:00