mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-26 22:24:09 +08:00
linux-next/drivers
Sagi Grimberg 7fbc67df2c IB/srp: Fix possible protection fault
srp_destroy_qp is designed to indicate we are safe to continue with
freeing the channel resources by modifying the qp error state,
posting a dummy wr on the queue-pair and waiting for it to flush.
This also holds for the channel registration pool as we are unmapping
the memory region when handling a scsi response. Destroying the
channel registration pool before we make sure we processed all the
inflight IO might introduce a use-after-free of the registration pool.

This use-after-free is demonstrated in the stack trace below where
srp is trying to unmap a used FMR after the fmr_pool was already destroyed.

general protection fault: 0000 [#1] SMP
RIP: 0010:[<ffffffff8151121b>]  [<ffffffff8151121b>] _raw_spin_lock_irqsave+0x1b/0x50
Call Trace:
 [<ffffffffa055d88a>] ib_fmr_pool_unmap+0x1a/0xb0 [ib_core]
 [<ffffffffa06c00ed>] srp_unmap_data.isra.28+0x17d/0x250 [ib_srp]
 [<ffffffffa06c01eb>] srp_free_req+0x2b/0x60 [ib_srp]
 [<ffffffffa06c0c94>] srp_recv_completion+0x174/0x580 [ib_srp]
 [<ffffffffa04580fe>] mlx4_eq_int+0x4de/0xe50 [mlx4_core]
 [<ffffffffa0458b00>] mlx4_msi_x_interrupt+0x10/0x20 [mlx4_core]
 [<ffffffff810abc45>] handle_irq_event_percpu+0x35/0x1b0
 [<ffffffff810abdf2>] handle_irq_event+0x32/0x50
 [<ffffffff810ae5cf>] handle_edge_irq+0x6f/0x120
 [<ffffffff8100455a>] handle_irq+0x1a/0x30
 [<ffffffff8151b475>] do_IRQ+0x45/0xb0
 [<ffffffff8151162d>] common_interrupt+0x6d/0x6d
 [<ffffffff813e4d2f>] cpuidle_enter_state+0x4f/0xc0
 [<ffffffff813e4e6c>] cpuidle_idle_call+0xcc/0x210
 [<ffffffff8100b9ea>] arch_cpu_idle+0xa/0x30
 [<ffffffff810ab1e1>] cpu_startup_entry+0xe1/0x270
 [<ffffffff81030b3a>] start_secondary+0x21a/0x2c0

Reported-by: Eliott Kespi <eliottk@mellanox.com>
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2015-09-03 15:59:48 -04:00
accessibility
acpi ACPI / video: Fix circular lock dependency issue in the video-detect code 2015-08-14 11:20:20 +02:00
amba
android
ata Merge branch 'for-4.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2015-08-17 16:20:45 -07:00
atm
auxdisplay
base regmap: Fix handling of present bits on rbtree cache block resize 2015-08-12 09:06:39 -07:00
bcma
block zram: fix pool name truncation 2015-08-14 15:56:32 -07:00
bluetooth Bluetooth: btbcm: allow btbcm_read_verbose_config to fail on Apple 2015-07-14 22:54:55 +02:00
bus ARM: SoC: driver updates for v4.2 2015-06-26 11:54:29 -07:00
cdrom
char Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2015-08-03 10:53:58 -07:00
clk A one-liner for a regression found in the PXA clock driver. 2015-08-14 16:10:04 -07:00
clocksource clocksource/imx: Fix boot with non-DT systems 2015-08-20 17:22:56 +02:00
connector
cpufreq cpufreq: exynos: Fix for memory leak in case SoC name does not match 2015-08-14 11:33:47 +02:00
cpuidle suspend-to-idle: Prevent RCU from complaining about tick_freeze() 2015-07-09 22:59:49 +02:00
crypto crypto: caam - fix memory corruption in ahash_final_ctx 2015-08-13 15:08:25 +08:00
dca
devfreq
dio
dma dmaengine: fix balance of privatecnt inc/dec operations 2015-08-17 22:47:43 +05:30
dma-buf
edac EDAC, ppc4xx: Access mci->csrows array elements properly 2015-08-13 06:02:19 +02:00
eisa
extcon extcon: Fix extcon_cable_get_state() from getting old state after notification 2015-07-31 15:18:41 +09:00
firewire
firmware FIRMWARE: bcm47xx_nvram: Fix module license. 2015-08-19 15:00:08 +02:00
fmc
gpio Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-07-18 10:27:12 -07:00
gpu drm/radeon: fix hotplug race at startup 2015-08-21 19:43:18 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2015-08-10 15:16:48 -07:00
hsi Fix up implicit <module.h> users that will break later. 2015-07-02 10:25:22 -07:00
hv
hwmon hwmon: (g762) Export OF module alias information 2015-08-05 08:31:59 -07:00
hwspinlock hwspinlock: qcom: Correct msb in regmap_field 2015-07-01 16:15:05 +03:00
hwtracing/coresight
i2c i2c: fix leaked device refcount on of_find_i2c_* error path 2015-08-01 12:11:58 +02:00
ide Minor merge needed, due to function move. 2015-07-01 10:49:25 -07:00
idle
iio iio:light:stk3310: make endianness independent of host 2015-07-19 14:54:45 +01:00
infiniband IB/srp: Fix possible protection fault 2015-09-03 15:59:48 -04:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2015-08-21 10:54:53 -07:00
iommu iommu/amd: Allow non-ATS devices in IOMMUv2 domains 2015-07-31 15:15:41 +02:00
ipack
irqchip irqchip/crossbar: Restore set_wake functionality 2015-08-20 00:25:26 +02:00
isdn isdn/gigaset: drop unused ldisc methods 2015-07-15 17:24:45 -07:00
leds Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds 2015-07-01 19:09:11 -07:00
lguest Merge branch 'x86-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-06-22 17:59:09 -07:00
macintosh macintosh/ans-lcd: fix build failure after module_init/exit relocation 2015-07-23 20:00:35 +10:00
mailbox Replace module_init with appropriate alternate initcall in non modules. 2015-07-02 10:36:29 -07:00
mcb
md dm cache policy smq: move 'dm-cache-default' module alias to SMQ 2015-08-12 11:27:29 -04:00
media media fixes for v4.2-rc8 2015-08-21 11:03:06 -07:00
memory memory: omap-gpmc: Don't try to save uninitialized GPMC context 2015-08-12 01:43:49 -07:00
memstick memstick: remove deprecated use of pci api 2015-06-30 19:44:57 -07:00
message
mfd - Fix dependency issues on ChromeOS platforms 2015-08-10 10:48:11 -07:00
misc Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2015-08-03 14:51:30 -07:00
mmc mmc: sdhci-pxav3: fix platform_data is not initialized 2015-07-24 10:18:39 +02:00
mtd Minor merge needed, due to function move. 2015-07-01 10:49:25 -07:00
net net/mlx4: Postpone the registration of net_device 2015-08-30 18:12:20 -04:00
nfc Char/Misc driver patches for 4.2-rc1 2015-06-26 14:51:15 -07:00
ntb ntb: avoid format string in dev_set_name 2015-08-09 16:32:22 -04:00
nubus
nvdimm libnvdimm: fix namespace seed creation 2015-07-25 09:57:56 -07:00
of of: Drop owner assignment from platform and i2c driver 2015-07-27 08:24:39 -05:00
oprofile
parisc
parport parport: Revert "parport: fix memory leak" 2015-07-25 12:48:05 -07:00
pci PCI: Don't use 64-bit bus addresses on PA-RISC 2015-08-20 17:16:37 -05:00
pcmcia Fix up implicit <module.h> users that will break later. 2015-07-02 10:25:22 -07:00
phy phy: ti-pipe3: i783 workaround for SATA lockup after dpll unlock/relock 2015-08-01 15:52:58 +05:30
pinctrl Pin control fixes for the v4.2 series: 2015-07-21 15:27:27 -07:00
platform - Fix dependency issues on ChromeOS platforms 2015-08-10 10:48:11 -07:00
pnp ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage 2015-07-06 23:52:21 +02:00
power Replace module_platform_driver with builtin_platform driver in non modules. 2015-07-02 10:42:13 -07:00
powercap
pps
ps3
ptp
pwm pwm: Changes for v4.2-rc1 2015-06-23 13:32:38 -07:00
rapidio Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-06-23 14:08:54 -07:00
ras
regulator Merge remote-tracking branches 'regulator/fix/88pm800', 'regulator/fix/max8973', 'regulator/fix/s2mps11' and 'regulator/fix/supply' into regulator-linus 2015-07-24 16:19:25 +01:00
remoteproc remoteproc: fix !CONFIG_OF build breakage 2015-06-18 11:44:41 +03:00
reset
rpmsg
rtc rtc: armada38x: Remove unused variable from armada38x_rtc_set_time() 2015-07-18 00:42:31 +02:00
s390 virtio/vhost: fixes for 4.2 2015-07-23 13:07:04 -07:00
sbus
scsi SCSI fixes on 20150823 2015-08-23 20:46:22 -07:00
sfi
sh Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-07-01 15:19:35 -07:00
sn
soc ARM: SoC: late fixes and dependencies 2015-07-02 14:40:49 -07:00
spi Merge remote-tracking branches 'spi/fix/gqspi', 'spi/fix/imx', 'spi/fix/mg-spfi' and 'spi/fix/spidev' into spi-linus 2015-07-24 16:19:50 +01:00
spmi
ssb
staging IB/hfi1: Add CSRs for CONFIG_SDMA_VERBOSITY 2015-09-03 15:27:45 -04:00
target target: Fix handling of small allocation lengths in REPORT LUNS 2015-08-18 21:51:54 -07:00
tc
thermal thermal/cpu_cooling: update policy limits if clipped_freq < policy->max 2015-08-14 18:26:23 -07:00
thunderbolt
tty tty: vt: Fix !TASK_RUNNING diagnostic warning from paste_selection() 2015-07-23 18:08:29 -07:00
uio
usb drivers/usb: Delete XHCI command timer if necessary 2015-08-03 14:41:48 -07:00
uwb
vfio vfio: Fix lockdep issue 2015-07-24 15:14:04 -06:00
vhost vhost: fix error handling for memory region alloc 2015-07-27 18:05:05 +03:00
video fbcon: unconditionally initialize cursor blink interval 2015-08-10 17:20:32 +03:00
virt
virtio virtio-input: reset device and detach unused during remove 2015-08-06 10:40:35 +03:00
vlynq
vme
w1
watchdog Update Viresh Kumar's email address 2015-07-17 16:39:53 -07:00
xen xen: bug fixes for 4.2-rc6 2015-08-13 13:36:22 -07:00
zorro
Kconfig libnvdimm, nfit: initial libnvdimm infrastructure and NFIT support 2015-06-24 21:24:10 -04:00
Makefile The libnvdimm sub-system introduces, in addition to the libnvdimm-core, 2015-06-29 10:34:42 -07:00