RDS: RDMA: Fix the NULL-ptr deref in rds_ib_get_mr
authorAvinash Repaka <avinash.repaka@oracle.com>
Wed, 25 Jul 2018 03:31:58 +0000 (20:31 -0700)
committerDavid S. Miller <davem@davemloft.net>
Thu, 26 Jul 2018 21:03:07 +0000 (14:03 -0700)
Registration of a memory region(MR) through FRMR/fastreg(unlike FMR)
needs a connection/qp. With a proxy qp, this dependency on connection
will be removed, but that needs more infrastructure patches, which is a
work in progress.

As an intermediate fix, the get_mr returns EOPNOTSUPP when connection
details are not populated. The MR registration through sendmsg() will
continue to work even with fast registration, since connection in this
case is formed upfront.

This patch fixes the following crash:
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 4244 Comm: syzkaller468044 Not tainted 4.16.0-rc6+ #361
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:rds_ib_get_mr+0x5c/0x230 net/rds/ib_rdma.c:544
RSP: 0018:ffff8801b059f890 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8801b07e1300 RCX: ffffffff8562d96e
RDX: 000000000000000d RSI: 0000000000000001 RDI: 0000000000000068
RBP: ffff8801b059f8b8 R08: ffffed0036274244 R09: ffff8801b13a1200
R10: 0000000000000004 R11: ffffed0036274243 R12: ffff8801b13a1200
R13: 0000000000000001 R14: ffff8801ca09fa9c R15: 0000000000000000
FS:  00007f4d050af700(0000) GS:ffff8801db300000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4d050aee78 CR3: 00000001b0d9b006 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __rds_rdma_map+0x710/0x1050 net/rds/rdma.c:271
 rds_get_mr_for_dest+0x1d4/0x2c0 net/rds/rdma.c:357
 rds_setsockopt+0x6cc/0x980 net/rds/af_rds.c:347
 SYSC_setsockopt net/socket.c:1849 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1828
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4456d9
RSP: 002b:00007f4d050aedb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00000000006dac3c RCX: 00000000004456d9
RDX: 0000000000000007 RSI: 0000000000000114 RDI: 0000000000000004
RBP: 00000000006dac38 R08: 00000000000000a0 R09: 0000000000000000
R10: 0000000020000380 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffbfb36d6f R14: 00007f4d050af9c0 R15: 0000000000000005
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 cc 01 00 00 4c 8b bb 80 04 00 00
48
b8 00 00 00 00 00 fc ff df 49 8d 7f 68 48 89 fa 48 c1 ea 03 <80> 3c 02
00 0f
85 9c 01 00 00 4d 8b 7f 68 48 b8 00 00 00 00 00
RIP: rds_ib_get_mr+0x5c/0x230 net/rds/ib_rdma.c:544 RSP:
ffff8801b059f890
---[ end trace 7e1cea13b85473b0 ]---

Reported-by: syzbot+b51c77ef956678a65834@syzkaller.appspotmail.com
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Avinash Repaka <avinash.repaka@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/rds/ib_frmr.c
net/rds/ib_mr.h
net/rds/ib_rdma.c
net/rds/rdma.c
net/rds/rds.h
net/rds/send.c

index 48332a6ed7383c51def7402dcfef1e581fa677f7..d152e48ea371a5c6c8a565f3d6745625d165e5b3 100644 (file)
@@ -344,6 +344,11 @@ struct rds_ib_mr *rds_ib_reg_frmr(struct rds_ib_device *rds_ibdev,
        struct rds_ib_frmr *frmr;
        int ret;
 
+       if (!ic) {
+               /* TODO: Add FRWR support for RDS_GET_MR using proxy qp*/
+               return ERR_PTR(-EOPNOTSUPP);
+       }
+
        do {
                if (ibmr)
                        rds_ib_free_frmr(ibmr, true);
index 0ea4ab017a8cc3f807931e1194cddb5048a82956..655f01d427fe5c7899f916987dd88022832c8bdc 100644 (file)
@@ -115,7 +115,8 @@ void rds_ib_get_mr_info(struct rds_ib_device *rds_ibdev,
                        struct rds_info_rdma_connection *iinfo);
 void rds_ib_destroy_mr_pool(struct rds_ib_mr_pool *);
 void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents,
-                   struct rds_sock *rs, u32 *key_ret);
+                   struct rds_sock *rs, u32 *key_ret,
+                   struct rds_connection *conn);
 void rds_ib_sync_mr(void *trans_private, int dir);
 void rds_ib_free_mr(void *trans_private, int invalidate);
 void rds_ib_flush_mrs(void);
index e678699268a253d1e65aea63e64ac30b44ac6dcd..2e49a40a5e113cef44543f112c4911a39501fc7e 100644 (file)
@@ -537,11 +537,12 @@ void rds_ib_flush_mrs(void)
 }
 
 void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents,
-                   struct rds_sock *rs, u32 *key_ret)
+                   struct rds_sock *rs, u32 *key_ret,
+                   struct rds_connection *conn)
 {
        struct rds_ib_device *rds_ibdev;
        struct rds_ib_mr *ibmr = NULL;
-       struct rds_ib_connection *ic = rs->rs_conn->c_transport_data;
+       struct rds_ib_connection *ic = NULL;
        int ret;
 
        rds_ibdev = rds_ib_get_device(rs->rs_bound_addr);
@@ -550,6 +551,9 @@ void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents,
                goto out;
        }
 
+       if (conn)
+               ic = conn->c_transport_data;
+
        if (!rds_ibdev->mr_8k_pool || !rds_ibdev->mr_1m_pool) {
                ret = -ENODEV;
                goto out;
@@ -559,17 +563,18 @@ void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents,
                ibmr = rds_ib_reg_frmr(rds_ibdev, ic, sg, nents, key_ret);
        else
                ibmr = rds_ib_reg_fmr(rds_ibdev, sg, nents, key_ret);
-       if (ibmr)
-               rds_ibdev = NULL;
-
- out:
-       if (!ibmr)
+       if (IS_ERR(ibmr)) {
+               ret = PTR_ERR(ibmr);
                pr_warn("RDS/IB: rds_ib_get_mr failed (errno=%d)\n", ret);
+       } else {
+               return ibmr;
+       }
 
+ out:
        if (rds_ibdev)
                rds_ib_dev_put(rds_ibdev);
 
-       return ibmr;
+       return ERR_PTR(ret);
 }
 
 void rds_ib_destroy_mr_pool(struct rds_ib_mr_pool *pool)
index 634cfcb7bba6833bde376706947c99f1cb103199..80920e47f2c79eb3ce0f95f6acc70e2126af1441 100644 (file)
@@ -170,7 +170,8 @@ static int rds_pin_pages(unsigned long user_addr, unsigned int nr_pages,
 }
 
 static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
-                               u64 *cookie_ret, struct rds_mr **mr_ret)
+                         u64 *cookie_ret, struct rds_mr **mr_ret,
+                         struct rds_conn_path *cp)
 {
        struct rds_mr *mr = NULL, *found;
        unsigned int nr_pages;
@@ -269,7 +270,8 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
         * Note that dma_map() implies that pending writes are
         * flushed to RAM, so no dma_sync is needed here. */
        trans_private = rs->rs_transport->get_mr(sg, nents, rs,
-                                                &mr->r_key);
+                                                &mr->r_key,
+                                                cp ? cp->cp_conn : NULL);
 
        if (IS_ERR(trans_private)) {
                for (i = 0 ; i < nents; i++)
@@ -330,7 +332,7 @@ int rds_get_mr(struct rds_sock *rs, char __user *optval, int optlen)
                           sizeof(struct rds_get_mr_args)))
                return -EFAULT;
 
-       return __rds_rdma_map(rs, &args, NULL, NULL);
+       return __rds_rdma_map(rs, &args, NULL, NULL, NULL);
 }
 
 int rds_get_mr_for_dest(struct rds_sock *rs, char __user *optval, int optlen)
@@ -354,7 +356,7 @@ int rds_get_mr_for_dest(struct rds_sock *rs, char __user *optval, int optlen)
        new_args.cookie_addr = args.cookie_addr;
        new_args.flags = args.flags;
 
-       return __rds_rdma_map(rs, &new_args, NULL, NULL);
+       return __rds_rdma_map(rs, &new_args, NULL, NULL, NULL);
 }
 
 /*
@@ -782,7 +784,8 @@ int rds_cmsg_rdma_map(struct rds_sock *rs, struct rds_message *rm,
            rm->m_rdma_cookie != 0)
                return -EINVAL;
 
-       return __rds_rdma_map(rs, CMSG_DATA(cmsg), &rm->m_rdma_cookie, &rm->rdma.op_rdma_mr);
+       return __rds_rdma_map(rs, CMSG_DATA(cmsg), &rm->m_rdma_cookie,
+                             &rm->rdma.op_rdma_mr, rm->m_conn_path);
 }
 
 /*
index f2272fb8cd456e7b5bb2495d5d02691803c3769f..60b3b787fbdb321ca3a280314c18443890ed78c3 100644 (file)
@@ -464,6 +464,8 @@ struct rds_message {
                        struct scatterlist      *op_sg;
                } data;
        };
+
+       struct rds_conn_path *m_conn_path;
 };
 
 /*
@@ -544,7 +546,8 @@ struct rds_transport {
                                        unsigned int avail);
        void (*exit)(void);
        void *(*get_mr)(struct scatterlist *sg, unsigned long nr_sg,
-                       struct rds_sock *rs, u32 *key_ret);
+                       struct rds_sock *rs, u32 *key_ret,
+                       struct rds_connection *conn);
        void (*sync_mr)(void *trans_private, int direction);
        void (*free_mr)(void *trans_private, int invalidate);
        void (*flush_mrs)(void);
index 94c7f74909be32f36344ab0b82cfad06c16b041f..59f17a2335f44c00b445d8571a19eb393b803c68 100644 (file)
@@ -1169,6 +1169,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
                rs->rs_conn = conn;
        }
 
+       if (conn->c_trans->t_mp_capable)
+               cpath = &conn->c_path[rds_send_mprds_hash(rs, conn)];
+       else
+               cpath = &conn->c_path[0];
+
+       rm->m_conn_path = cpath;
+
        /* Parse any control messages the user may have included. */
        ret = rds_cmsg_send(rs, rm, msg, &allocated_mr);
        if (ret) {
@@ -1192,11 +1199,6 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
                goto out;
        }
 
-       if (conn->c_trans->t_mp_capable)
-               cpath = &conn->c_path[rds_send_mprds_hash(rs, conn)];
-       else
-               cpath = &conn->c_path[0];
-
        if (rds_destroy_pending(conn)) {
                ret = -EAGAIN;
                goto out;