| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 May 2022 12:37:25 +0800
From: Li Zhijian <lizhijian@...itsu.com>
To: Zhu Yanjun <zyjzyj2000@...il.com>, Jason Gunthorpe <jgg@...pe.ca>,
<linux-rdma@...r.kernel.org>, Bob Pearson <rpearsonhpe@...il.com>
CC: <linux-kernel@...r.kernel.org>, Li Zhijian <lizhijian@...itsu.com>
Subject: [PATCH] RDMA/rxe: Use kzalloc() to alloc map_set
Below call chains will alloc map_set without fully initializing map_set.
rxe_mr_init_fast()
-> rxe_mr_alloc()
-> rxe_mr_alloc_map_set()
Uninitialized values inside struct rxe_map_set are possible to cause
kernel panic.
It's noticed that crashes were caused by rnbd user cases, it can be
easily reproduced by:
$ while true; do echo "sessname=bla path=ip:<ip> device_path=<device>" > /sys/devices/virtual/rnbd-client/ctl/map_device; done
The backtraces are not always identical.
[1st]----------
[ 80.158930] CPU: 0 PID: 11 Comm: ksoftirqd/0 Not tainted 5.18.0-rc1-roce-flush+ #60 [0/9090]
[ 80.160736] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-27-g64f37cc530f1-prebuilt.qemu.org 04/01/2014
[ 80.163579] RIP: 0010:lookup_iova+0x66/0xa0 [rdma_rxe]
[ 80.164825] Code: 00 00 00 48 d3 ee 89 32 c3 4c 8b 18 49 8b 3b 48 8b 47 08 48 39 c6 72 38 48 29 c6 45 31 d2 b8 01 00 00 00 48 63 c8 48 c1 e1 04 <48> 8b 4c 0f 08 48 39 f1 77 21 83 c0 01 48 29 ce 3d 00 01 00 00 75
[ 80.168935] RSP: 0018:ffffb7ff80063bf0 EFLAGS: 00010246
[ 80.170333] RAX: 0000000000000000 RBX: ffff9b9949d86800 RCX: 0000000000000000
[ 80.171976] RDX: ffffb7ff80063c00 RSI: 0000000049f6b378 RDI: 002818da00000004
[ 80.173606] RBP: 0000000000000120 R08: ffffb7ff80063c08 R09: ffffb7ff80063c04
[ 80.176933] R10: 0000000000000002 R11: ffff9b9916f7eef8 R12: ffff9b99488a0038
[ 80.178526] R13: ffff9b99488a0038 R14: ffff9b9914fb346a R15: ffff9b990ab27000
[ 80.180378] FS: 0000000000000000(0000) GS:ffff9b997dc00000(0000) knlGS:0000000000000000
[ 80.182257] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 80.183577] CR2: 00007efc33a98ed0 CR3: 0000000014f32004 CR4: 00000000001706f0
[ 80.185210] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 80.186890] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 80.188517] Call Trace:
[ 80.189269] <TASK>
[ 80.189949] rxe_mr_copy.part.0+0x6f/0x140 [rdma_rxe]
[ 80.191173] rxe_responder+0x12ee/0x1b60 [rdma_rxe]
[ 80.192409] ? rxe_icrc_check+0x7e/0x100 [rdma_rxe]
[ 80.193576] ? rxe_rcv+0x1d0/0x780 [rdma_rxe]
[ 80.194668] ? rxe_icrc_hdr.isra.0+0xf6/0x160 [rdma_rxe]
[ 80.195952] rxe_do_task+0x67/0xb0 [rdma_rxe]
[ 80.197081] rxe_xmit_packet+0xc7/0x210 [rdma_rxe]
[ 80.198253] rxe_requester+0x680/0xee0 [rdma_rxe]
[ 80.199439] ? update_load_avg+0x5f/0x690
[ 80.200530] ? update_load_avg+0x5f/0x690
[ 80.213968] ? rtrs_clt_recv_done+0x1b/0x30 [rtrs_client]
[2nd]----------
[ 5213.049494] RIP: 0010:rxe_mr_copy.part.0+0xa8/0x140 [rdma_rxe]
[ 5213.050978] Code: 00 00 49 c1 e7 04 48 8b 00 4c 8d 2c d0 48 8b 44 24 10 4d 03 7d 00 85 ed 7f 10 eb 6c 89 54 24 0c 49 83 c7 10 31 c0 85 ed 7e 5e <49> 8b 3f 8b 14 24 4c 89 f6 48 01 c7 85 d2 74 06 48 89 fe 4c 89 f7
[ 5213.056463] RSP: 0018:ffffae3580063bf8 EFLAGS: 00010202
[ 5213.057986] RAX: 0000000000018978 RBX: ffff9d7ef7a03600 RCX: 0000000000000008
[ 5213.059797] RDX: 000000000000007c RSI: 000000000000007c RDI: ffff9d7ef7a03600
[ 5213.061720] RBP: 0000000000000120 R08: ffffae3580063c08 R09: ffffae3580063c04
[ 5213.063532] R10: ffff9d7efece0038 R11: ffff9d7ec4b1db00 R12: ffff9d7efece0038
[ 5213.065445] R13: ffff9d7ef4098260 R14: ffff9d7f11e23c6a R15: 4c79500065708144
[ 5213.067264] FS: 0000000000000000(0000) GS:ffff9d7f3dc00000(0000) knlGS:0000000000000000
[ 5213.069442] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5213.071004] CR2: 00007fce47276c60 CR3: 0000000003f66004 CR4: 00000000001706f0
[ 5213.072827] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 5213.074484] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 5213.076292] Call Trace:
[ 5213.077027] <TASK>
[ 5213.077718] rxe_responder+0x12ee/0x1b60 [rdma_rxe]
[ 5213.079019] ? rxe_icrc_check+0x7e/0x100 [rdma_rxe]
[ 5213.080380] ? rxe_rcv+0x1d0/0x780 [rdma_rxe]
[ 5213.081708] ? rxe_icrc_hdr.isra.0+0xf6/0x160 [rdma_rxe]
[ 5213.082990] rxe_do_task+0x67/0xb0 [rdma_rxe]
[ 5213.084030] rxe_xmit_packet+0xc7/0x210 [rdma_rxe]
[ 5213.085156] rxe_requester+0x680/0xee0 [rdma_rxe]
[ 5213.088258] ? update_load_avg+0x5f/0x690
[ 5213.089381] ? update_load_avg+0x5f/0x690
[ 5213.090446] ? rtrs_clt_recv_done+0x1b/0x30 [rtrs_client]
[ 5213.092087] rxe_do_task+0x67/0xb0 [rdma_rxe]
[ 5213.093125] tasklet_action_common.constprop.0+0x92/0xc0
[ 5213.094366] __do_softirq+0xe1/0x2d8
[ 5213.095287] run_ksoftirqd+0x21/0x30
[ 5213.096456] smpboot_thread_fn+0x183/0x220
[ 5213.097519] ? sort_range+0x20/0x20
[ 5213.098761] kthread+0xe2/0x110
[ 5213.099638] ? kthread_complete_and_exit+0x20/0x20
[ 5213.100948] ret_from_fork+0x22/0x30
Signed-off-by: Li Zhijian <lizhijian@...itsu.com>
---
drivers/infiniband/sw/rxe/rxe_mr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
index 60a31b718774..bfd2d9db3deb 100644
--- a/drivers/infiniband/sw/rxe/rxe_mr.c
+++ b/drivers/infiniband/sw/rxe/rxe_mr.c
@@ -81,7 +81,7 @@ static int rxe_mr_alloc_map_set(int num_map, struct rxe_map_set **setp)
int i;
struct rxe_map_set *set;
- set = kmalloc(sizeof(*set), GFP_KERNEL);
+ set = kzalloc(sizeof(*set), GFP_KERNEL);
if (!set)
goto err_out;
@@ -90,7 +90,7 @@ static int rxe_mr_alloc_map_set(int num_map, struct rxe_map_set **setp)
goto err_free_set;
for (i = 0; i < num_map; i++) {
- set->map[i] = kmalloc(sizeof(struct rxe_map), GFP_KERNEL);
+ set->map[i] = kzalloc(sizeof(struct rxe_map), GFP_KERNEL);
if (!set->map[i])
goto err_free_map;
}
--
2.31.1
Powered by blists - more mailing lists