IB/uverbs: Fix kernel crash during MR deregistration flow
author Ariel Levkovich <lariel@mellanox.com>
Thu, 26 Apr 2018 12:42:55 +0000 (15:42 +0300)
committer Doug Ledford <dledford@redhat.com>
Fri, 27 Apr 2018 18:22:24 +0000 (14:22 -0400)

This patch fixes a crash that happens due to access to an
uninitialized DM pointer within the MR object.

The change makes sure the DM pointer in the MR object is set to
NULL during a non-DM MR creation to prevent a false indication
that this MR is related to a DM in the dereg flow.

Fixes: be934cca9e98 ("IB/uverbs: Add device memory registration ioctl support")
Reported-by: Lijun Ou <oulijun@huawei.com>
Signed-off-by: Ariel Levkovich <lariel@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
drivers/infiniband/core/uverbs_cmd.c
drivers/infiniband/core/verbs.c

index 1837924415c9ee452cdd92a3c771b1d9e8a78c0f..21a887c9523bc3a08fb7992a958cdfc4e4d9b3ad 100644 (file)
@@ -691,6 +691,7 @@ ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
 
        mr->device  = pd->device;
        mr->pd      = pd;
+       mr->dm      = NULL;
        mr->uobject = uobj;
        atomic_inc(&pd->usecnt);
        mr->res.type = RDMA_RESTRACK_MR;
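Review bot: The new `mr->dm = NULL;` after `mr->pd = pd;` carries no comment saying why it is needed, and a bare NULL store among the other assignments is easy to drop in a later cleanup. The commit message explains that the dereg flow treats a non-NULL DM pointer as "this MR belongs to a DM", so a one-line comment to that effect at the assignment would document the invariant where it is enforced. The underlying issue is that the core fields of the driver-returned MR are filled in one at a time here, so any field the dereg path reads must be written explicitly; it would be worth stating in the changelog whether the MR memory can be assumed zeroed by the driver or not.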
index 7eff3aeffe01f37e8b0f2a6494911ca1e362eb6b..6ddfb1fade79abda9344820674d7ab46650f4cd4 100644 (file)
@@ -1656,6 +1656,7 @@ struct ib_mr *ib_alloc_mr(struct ib_pd *pd,
        if (!IS_ERR(mr)) {
                mr->device  = pd->device;
                mr->pd      = pd;
+               mr->dm      = NULL;
                mr->uobject = NULL;
                atomic_inc(&pd->usecnt);
                mr->need_inval = false;
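Review bot: The `mr->dm = NULL;` inside `if (!IS_ERR(mr))` duplicates the assignment made in ib_uverbs_reg_mr(), and both sites repeat the same `mr->device`, `mr->pd` and `mr->uobject` initialization by hand. That duplication is how the DM pointer came to be left uninitialized in the first place; consider a small shared helper that sets all core ib_mr fields, so the next field added to the structure cannot be missed in one of the paths. Please also confirm that any other path that fills these core fields on a driver-returned MR, not visible in this patch, clears `dm` as well, since the dereg flow would hit the same stale pointer there.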