From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Mark Zhang <markzhang@nvidia.com>,
Leon Romanovsky <leonro@nvidia.com>,
Jason Gunthorpe <jgg@nvidia.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 17/81] RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert
Date: Tue, 8 Jul 2025 18:23:09 +0200 [thread overview]
Message-ID: <20250708162225.460340313@linuxfoundation.org> (raw)
In-Reply-To: <20250708162224.795155912@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Zhang <markzhang@nvidia.com>
[ Upstream commit 8edab8a72d67742f87e9dc2e2b0cdfddda5dc29a ]
The obj_event may be loaded immediately after inserted, then if the
list_head is not initialized then we may get a poisonous pointer. This
fixes the crash below:
mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced)
mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056
mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0
mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps
IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
Mem abort info:
ESR = 0x96000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000
[0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000
Internal error: Oops: 96000006 [#1] SMP
Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E)
[last unloaded: mst_pci]
CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G OE K 5.10.134-13.1.an8.aarch64 #1
Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023
pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--)
pc : dispatch_event_fd+0x68/0x300 [mlx5_ib]
lr : devx_event_notifier+0xcc/0x228 [mlx5_ib]
sp : ffff80001005bcf0
x29: ffff80001005bcf0 x28: 0000000000000001
x27: ffff244e0740a1d8 x26: ffff244e0740a1d0
x25: ffffda56beff5ae0 x24: ffffda56bf911618
x23: ffff244e0596a480 x22: ffff244e0596a480
x21: ffff244d8312ad90 x20: ffff244e0596a480
x19: fffffffffffffff0 x18: 0000000000000000
x17: 0000000000000000 x16: ffffda56be66d620
x15: 0000000000000000 x14: 0000000000000000
x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000040 x10: ffffda56bfcafb50
x9 : ffffda5655c25f2c x8 : 0000000000000010
x7 : 0000000000000000 x6 : ffff24545a2e24b8
x5 : 0000000000000003 x4 : ffff80001005bd28
x3 : 0000000000000000 x2 : 0000000000000000
x1 : ffff244e0596a480 x0 : ffff244d8312ad90
Call trace:
dispatch_event_fd+0x68/0x300 [mlx5_ib]
devx_event_notifier+0xcc/0x228 [mlx5_ib]
atomic_notifier_call_chain+0x58/0x80
mlx5_eq_async_int+0x148/0x2b0 [mlx5_core]
atomic_notifier_call_chain+0x58/0x80
irq_int_handler+0x20/0x30 [mlx5_core]
__handle_irq_event_percpu+0x60/0x220
handle_irq_event_percpu+0x3c/0x90
handle_irq_event+0x58/0x158
handle_fasteoi_irq+0xfc/0x188
generic_handle_irq+0x34/0x48
...
Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX")
Link: https://patch.msgid.link/r/3ce7f20e0d1a03dc7de6e57494ec4b8eaf1f05c2.1750147949.git.leon@kernel.org
Signed-off-by: Mark Zhang <markzhang@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/mlx5/devx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
index 7013ce20549bd..cc126e62643a0 100644
--- a/drivers/infiniband/hw/mlx5/devx.c
+++ b/drivers/infiniband/hw/mlx5/devx.c
@@ -1914,6 +1914,7 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table,
/* Level1 is valid for future use, no need to free */
return -ENOMEM;
+ INIT_LIST_HEAD(&obj_event->obj_sub_list);
err = xa_insert(&event->object_ids,
key_level2,
obj_event,
@@ -1922,7 +1923,6 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table,
kfree(obj_event);
return err;
}
- INIT_LIST_HEAD(&obj_event->obj_sub_list);
}
return 0;
--
2.39.5
next prev parent reply other threads:[~2025-07-08 16:27 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-08 16:22 [PATCH 6.1 00/81] 6.1.144-rc1 review Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 01/81] rtc: cmos: use spin_lock_irqsave in cmos_interrupt Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 02/81] s390/pci: Do not try re-enabling load/store if device is disabled Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 03/81] vsock/vmci: Clear the vmci transport packet properly when initializing it Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 04/81] mmc: sdhci: Add a helper function for dump register in dynamic debug mode Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 05/81] Revert "mmc: sdhci: Disable SD card clock before changing parameters" Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 06/81] mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 07/81] Bluetooth: hci_sync: revert some mesh modifications Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 08/81] Bluetooth: MGMT: set_mesh: update LE scan interval and window Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 09/81] Bluetooth: MGMT: mesh_send: check instances prior disabling advertising Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 10/81] regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 11/81] usb: typec: altmodes/displayport: do not index invalid pin_assignments Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 12/81] mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 13/81] mtk-sd: Prevent memory corruption from DMA map failure Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 14/81] mtk-sd: reset host->mrq on prepare_data() error Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 15/81] arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 16/81] platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Greg Kroah-Hartman
2025-07-08 16:23 ` Greg Kroah-Hartman [this message]
2025-07-08 16:23 ` [PATCH 6.1 18/81] nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 19/81] NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 20/81] scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 21/81] scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 22/81] scsi: ufs: core: Fix spelling of a sysfs attribute name Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 23/81] RDMA/mlx5: Fix CC counters query for MPV Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 24/81] platform/mellanox: nvsw-sn2201: Fix bus number in adapter error message Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 25/81] Bluetooth: Prevent unintended pause by checking if advertising is active Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 26/81] btrfs: fix missing error handling when searching for inode refs during log replay Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 27/81] btrfs: fix iteration of extrefs " Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 28/81] ethernet: atl1: Add missing DMA mapping error checks and count errors Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 29/81] drm/exynos: fimd: Guard display clock control with runtime PM calls Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 30/81] spi: spi-fsl-dspi: Clear completion counter before initiating transfer Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 31/81] drm/i915/selftests: Change mock_request() to return error pointers Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 32/81] platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 33/81] platform/mellanox: mlxreg-lc: Fix logic error in power state check Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 34/81] drm/i915/gt: Fix timeline left held on VMA alloc error Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 35/81] drm/i915/gsc: mei interrupt top half should be in irq disabled context Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 36/81] igc: disable L1.2 PCI-E link substate to avoid performance issue Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 37/81] lib: test_objagg: Set error message in check_expect_hints_stats() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 38/81] amd-xgbe: align CL37 AN sequence as per databook Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 39/81] enic: fix incorrect MTU comparison in enic_change_mtu() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 40/81] rose: fix dangling neighbour pointers in rose_rt_device_down() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 41/81] nui: Fix dma_mapping_error() check Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 42/81] net/sched: Always pass notifications when child class becomes empty Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 43/81] smb: client: fix race condition in negotiate timeout by using more precise timing Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 44/81] drm/msm: Fix a fence leak in submit error path Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 45/81] drm/msm: Fix another leak in the " Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 46/81] ALSA: sb: Dont allow changing the DMA mode during operations Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 47/81] ALSA: sb: Force to disable DMAs once when DMA mode is changed Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 48/81] ata: libata-acpi: Do not assume 40 wire cable if no devices are enabled Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 49/81] ata: pata_cs5536: fix build on 32-bit UML Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 50/81] powerpc: Fix struct termio related ioctl macros Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 51/81] ASoC: amd: yc: update quirk data for HP Victus Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 52/81] scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 53/81] aoe: defer rexmit timer downdev work to workqueue Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 54/81] wifi: mac80211: drop invalid source address OCB frames Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 55/81] wifi: ath6kl: remove WARN on bad firmware input Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 56/81] ACPICA: Refuse to evaluate a method if arguments are missing Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 57/81] mtd: spinand: fix memory leak of ECC engine conf Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 58/81] rcu: Return early if callback is not specified Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 59/81] virtio-net: ensure the received length does not exceed allocated size Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 60/81] s390/pci: Fix stale function handles in error handling Greg Kroah-Hartman
2025-07-10 8:14 ` Niklas Schnelle
2025-07-10 13:16 ` Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 61/81] drm/v3d: Disable interrupts before resetting the GPU Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 62/81] NFSv4/flexfiles: Fix handling of NFS level errors in I/O Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 63/81] btrfs: use btrfs_record_snapshot_destroy() during rmdir Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 64/81] dpaa2-eth: fix xdp_rxq_info leak Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 65/81] platform/x86: think-lmi: Fix class device unregistration Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 66/81] platform/x86: dell-wmi-sysman: " Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 67/81] net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 68/81] xhci: dbctty: disable ECHO flag by default Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 69/81] xhci: dbc: Flush queued requests before stopping dbc Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 70/81] xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 71/81] usb: cdnsp: do not disable slot for disabled slot Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 72/81] dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 73/81] i2c/designware: Fix an initialization issue Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 74/81] Logitech C-270 even more broken Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 75/81] platform/x86: think-lmi: Create ksets consecutively Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 76/81] platform/x86: think-lmi: Fix kobject cleanup Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 77/81] usb: typec: displayport: Fix potential deadlock Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 78/81] x86/bugs: Rename MDS machinery to something more generic Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 79/81] x86/bugs: Add a Transient Scheduler Attacks mitigation Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 80/81] KVM: SVM: Advertise TSA CPUID bits to guests Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 81/81] x86/process: Move the buffer clearing before MONITOR Greg Kroah-Hartman
2025-07-08 16:35 ` Andrew Cooper
2025-07-08 16:48 ` Greg Kroah-Hartman
2025-07-08 16:49 ` Borislav Petkov
2025-07-08 16:52 ` Andrew Cooper
2025-07-09 22:06 ` [PATCH 6.1 00/81] 6.1.144-rc1 review Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250708162225.460340313@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jgg@nvidia.com \
--cc=leonro@nvidia.com \
--cc=markzhang@nvidia.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.