linux/drivers/infiniband/hw/mlx5
Mark Bloch 42cea83f95 IB/mlx5: Fix cleanup order on unload
On load we create private CQ/QP/PD in order to be used by UMR, we create
those resources after we register ourselves as an IB device, and we destroy
them after we unregister as an IB device. This was changed by commit
16c1975f10 ("IB/mlx5: Create profile infrastructure to add and remove
stages") which moved the destruction before the unregistration. This
allowed triggering an invalid memory access when unloading mlx5_ib while
there are open resources:

BUG: unable to handle kernel paging request at 00000001002c012c
...
Call Trace:
 mlx5_ib_post_send_wait+0x75/0x110 [mlx5_ib]
 __slab_free+0x9a/0x2d0
 delay_time_func+0x10/0x10 [mlx5_ib]
 unreg_umr.isra.15+0x4b/0x50 [mlx5_ib]
 mlx5_mr_cache_free+0x46/0x150 [mlx5_ib]
 clean_mr+0xc9/0x190 [mlx5_ib]
 dereg_mr+0xba/0xf0 [mlx5_ib]
 ib_dereg_mr+0x13/0x20 [ib_core]
 remove_commit_idr_uobject+0x16/0x70 [ib_uverbs]
 uverbs_cleanup_ucontext+0xe8/0x1a0 [ib_uverbs]
 ib_uverbs_cleanup_ucontext.isra.9+0x19/0x40 [ib_uverbs]
 ib_uverbs_remove_one+0x162/0x2e0 [ib_uverbs]
 ib_unregister_device+0xd4/0x190 [ib_core]
 __mlx5_ib_remove+0x2e/0x40 [mlx5_ib]
 mlx5_remove_device+0xf5/0x120 [mlx5_core]
 mlx5_unregister_interface+0x37/0x90 [mlx5_core]
 mlx5_ib_cleanup+0xc/0x225 [mlx5_ib]
 SyS_delete_module+0x153/0x230
 do_syscall_64+0x62/0x110
 entry_SYSCALL_64_after_hwframe+0x21/0x86
...

We restore the original behavior by breaking the UMR stage into two parts,
pre and post IB registration stages, this way we can restore the original
functionality and maintain clean separation of logic between stages.

Fixes: 16c1975f10 ("IB/mlx5: Create profile infrastructure to add and remove stages")
Signed-off-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2018-03-14 16:44:02 -04:00
ah.c IB: Let ib_core resolve destination mac address 2017-10-18 12:10:36 -04:00
cmd.c IB/mlx5: Fix congestion counters in LAG mode 2017-12-21 16:06:07 -07:00
cmd.h IB/mlx5: Fix congestion counters in LAG mode 2017-12-21 16:06:07 -07:00
cong.c IB/mlx5: Change debugfs to have per port contents 2018-01-08 11:42:22 -07:00
cq.c RDMA/mlx5: Fix integer overflow while resizing CQ 2018-03-09 18:10:48 -05:00
doorbell.c IB/mlx5: Fix Mellanox copyright note 2015-04-02 16:33:42 -04:00
gsi.c IB/mlx5: Fix iteration overrun in GSI qps 2016-08-02 14:32:51 -04:00
ib_virt.c IB/mlx5: Restore IB guid/policy for virtual functions 2017-07-24 10:34:28 -04:00
Kconfig net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality 2015-05-30 18:24:51 -07:00
mad.c IB/mlx5: Route MADs for dual port RoCE 2018-01-08 11:42:23 -07:00
main.c IB/mlx5: Fix cleanup order on unload 2018-03-14 16:44:02 -04:00
Makefile IB/mlx5: Add debug control parameters for congestion control 2017-07-24 10:34:28 -04:00
mem.c IB/mlx5: Simplify mlx5_ib_cont_pages 2017-09-25 11:47:24 -04:00
mlx5_ib.h IB/mlx5: Fix cleanup order on unload 2018-03-14 16:44:02 -04:00
mr.c RDMA/mlx5: Fix crash while accessing garbage pointer and freed memory 2018-03-14 15:37:53 -04:00
odp.c IB/mlx5: Move locks initialization to the corresponding stage 2018-01-03 17:26:59 -07:00
qp.c IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq 2018-03-13 16:30:21 -04:00
srq.c IB/mlx5: Fix integer overflows in mlx5_ib_create_srq 2018-03-13 16:31:21 -04:00