From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Yonatan Cohen <yonatanc@mellanox.com>,
Moni Shoua <monis@mellanox.com>,
Leon Romanovsky <leon@kernel.org>,
Doug Ledford <dledford@redhat.com>
Subject: [PATCH 4.8 51/67] IB/rxe: Fix kernel panic in UDP tunnel with GRO and RX checksum
Date: Thu, 24 Nov 2016 16:27:45 +0100 [thread overview]
Message-ID: <20161124145500.024079940@linuxfoundation.org> (raw)
In-Reply-To: <20161124145457.061710350@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonatan Cohen <yonatanc@mellanox.com>
commit 1454ca3a97e147bb91e98b087446c39cf6692a48 upstream.
Missing initialization of udp_tunnel_sock_cfg causes to following
kernel panic, while kernel tries to execute gro_receive().
While being there, we converted udp_port_cfg to use the same
initialization scheme as udp_tunnel_sock_cfg.
------------[ cut here ]------------
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle kernel paging request at ffffffffa0588c50
IP: [<ffffffffa0588c50>] __this_module+0x50/0xffffffffffff8400 [ib_rxe]
PGD 1c09067 PUD 1c0a063 PMD bb394067 PTE 80000000ad5e8163
Oops: 0011 [#1] SMP
Modules linked in: ib_rxe ip6_udp_tunnel udp_tunnel
CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.7.0-rc3+ #2
Hardware name: Red Hat KVM, BIOS Bochs 01/01/2011
task: ffff880235e4e680 ti: ffff880235e68000 task.ti: ffff880235e68000
RIP: 0010:[<ffffffffa0588c50>]
[<ffffffffa0588c50>] __this_module+0x50/0xffffffffffff8400 [ib_rxe]
RSP: 0018:ffff880237343c80 EFLAGS: 00010282
RAX: 00000000dffe482d RBX: ffff8800ae330900 RCX: 000000002001b712
RDX: ffff8800ae330900 RSI: ffff8800ae102578 RDI: ffff880235589c00
RBP: ffff880237343cb0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800ae33e262
R13: ffff880235589c00 R14: 0000000000000014 R15: ffff8800ae102578
FS: 0000000000000000(0000) GS:ffff880237340000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffa0588c50 CR3: 0000000001c06000 CR4: 00000000000006e0
Stack:
ffffffff8160860e ffff8800ae330900 ffff8800ae102578 0000000000000014
000000000000004e ffff8800ae102578 ffff880237343ce0 ffffffff816088fb
0000000000000000 ffff8800ae330900 0000000000000000 00000000ffad0000
Call Trace:
<IRQ>
[<ffffffff8160860e>] ? udp_gro_receive+0xde/0x130
[<ffffffff816088fb>] udp4_gro_receive+0x10b/0x2d0
[<ffffffff81611373>] inet_gro_receive+0x1d3/0x270
[<ffffffff81594e29>] dev_gro_receive+0x269/0x3b0
[<ffffffff81595188>] napi_gro_receive+0x38/0x120
[<ffffffffa011caee>] mlx5e_handle_rx_cqe+0x27e/0x340 [mlx5_core]
[<ffffffffa011d076>] mlx5e_poll_rx_cq+0x66/0x6d0 [mlx5_core]
[<ffffffffa011d7ae>] mlx5e_napi_poll+0x8e/0x400 [mlx5_core]
[<ffffffff815949a0>] net_rx_action+0x160/0x380
[<ffffffff816a9197>] __do_softirq+0xd7/0x2c5
[<ffffffff81085c35>] irq_exit+0xf5/0x100
[<ffffffff816a8f16>] do_IRQ+0x56/0xd0
[<ffffffff816a6dcc>] common_interrupt+0x8c/0x8c
<EOI>
[<ffffffff81061f96>] ? native_safe_halt+0x6/0x10
[<ffffffff81037ade>] default_idle+0x1e/0xd0
[<ffffffff8103828f>] arch_cpu_idle+0xf/0x20
[<ffffffff810c37dc>] default_idle_call+0x3c/0x50
[<ffffffff810c3b13>] cpu_startup_entry+0x323/0x3c0
[<ffffffff81050d8c>] start_secondary+0x15c/0x1a0
RIP [<ffffffffa0588c50>] __this_module+0x50/0xffffffffffff8400 [ib_rxe]
RSP <ffff880237343c80>
CR2: ffffffffa0588c50
---[ end trace 489ee31fa7614ac5 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt
------------[ cut here ]------------
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Signed-off-by: Yonatan Cohen <yonatanc@mellanox.com>
Reviewed-by: Moni Shoua <monis@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/sw/rxe/rxe_net.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
--- a/drivers/infiniband/sw/rxe/rxe_net.c
+++ b/drivers/infiniband/sw/rxe/rxe_net.c
@@ -243,10 +243,8 @@ static struct socket *rxe_setup_udp_tunn
{
int err;
struct socket *sock;
- struct udp_port_cfg udp_cfg;
- struct udp_tunnel_sock_cfg tnl_cfg;
-
- memset(&udp_cfg, 0, sizeof(udp_cfg));
+ struct udp_port_cfg udp_cfg = {0};
+ struct udp_tunnel_sock_cfg tnl_cfg = {0};
if (ipv6) {
udp_cfg.family = AF_INET6;
@@ -264,10 +262,8 @@ static struct socket *rxe_setup_udp_tunn
return ERR_PTR(err);
}
- tnl_cfg.sk_user_data = NULL;
tnl_cfg.encap_type = 1;
tnl_cfg.encap_rcv = rxe_udp_encap_recv;
- tnl_cfg.encap_destroy = NULL;
/* Setup UDP tunnel */
setup_udp_tunnel_sock(net, sock, &tnl_cfg);
next prev parent reply other threads:[~2016-11-24 15:27 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-24 15:26 [PATCH 4.8 00/67] 4.8.11-stable review Greg Kroah-Hartman
2016-11-24 15:26 ` [PATCH 4.8 01/67] x86/cpu/AMD: Fix cpu_llc_id for AMD Fam17h systems Greg Kroah-Hartman
2016-11-24 15:26 ` [PATCH 4.8 04/67] arm64: KVM: pmu: Fix AArch32 cycle counter access Greg Kroah-Hartman
2016-11-24 15:26 ` [PATCH 4.8 05/67] KVM: arm64: Fix the issues when guest PMCCFILTR is configured Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 06/67] ftrace: Ignore FTRACE_FL_DISABLED while walking dyn_ftrace records Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 07/67] ftrace: Add more checks for FTRACE_FL_DISABLED in processing ip records Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 08/67] genirq: Use irq type from irqdata instead of irqdesc Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 09/67] fuse: fix fuse_write_end() if zero bytes were copied Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 10/67] IB/rdmavt: rdmavt can handle non aligned page maps Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 11/67] IB/hfi1: Fix rnr_timer addition Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 12/67] mfd: intel-lpss: Do not put device in reset state on suspend Greg Kroah-Hartman
2016-11-24 15:30 ` Shaikh, Azhar
2016-11-24 15:27 ` [PATCH 4.8 13/67] mfd: stmpe: Fix RESET regression on STMPE2401 Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 14/67] can: bcm: fix warning in bcm_connect/proc_register Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 15/67] gpio: do not double-check direction on sleeping chips Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 16/67] ALSA: usb-audio: Fix use-after-free of usb_device at disconnect Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 17/67] ALSA: hda - add a new condition to check if it is thinkpad Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 18/67] ALSA: hda - Fix mic regression by ASRock mobo fixup Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 19/67] i2c: mux: fix up dependencies Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 20/67] i2c: i2c-mux-pca954x: fix deselect enabling for device-tree Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 21/67] Disable the __builtin_return_address() warning globally after all Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 23/67] scripts/has-stack-protector: add -fno-PIE Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 24/67] x86/kexec: " Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 25/67] kbuild: Steal gccs pie from the very beginning Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 26/67] ext4: sanity check the block and cluster size at mount time Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 27/67] ARM: dts: imx53-qsb: Fix regulator constraints Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 29/67] powerpc/64: Fix setting of AIL in hypervisor mode Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 33/67] virtio-net: drop legacy features in virtio 1 mode Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 34/67] clk: mmp: pxa910: fix return value check in pxa910_clk_init() Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 35/67] clk: mmp: pxa168: fix return value check in pxa168_clk_init() Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 36/67] clk: mmp: mmp2: fix return value check in mmp2_clk_init() Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 37/67] clk: imx: fix integer overflow in AV PLL round rate Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 38/67] rtc: omap: Fix selecting external osc Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 39/67] iwlwifi: pcie: fix SPLC structure parsing Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 40/67] iwlwifi: pcie: mark command queue lock with separate lockdep class Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 41/67] iwlwifi: mvm: fix netdetect starting/stopping for unified images Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 42/67] iwlwifi: mvm: fix d3_test with unified D0/D3 images Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 43/67] iwlwifi: mvm: wake the wait queue when the RX sync counter is zero Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 44/67] mfd: core: Fix device reference leak in mfd_clone_cell Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 45/67] sunrpc: svc_age_temp_xprts_now should not call setsockopt non-tcp transports Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 46/67] uwb: fix device reference leaks Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 47/67] PM / sleep: fix device reference leak in test_suspend Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 48/67] PM / sleep: dont suspend parent when async child suspend_{noirq, late} fails Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 49/67] perf hists: Fix column length on --hierarchy Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 50/67] IB/rxe: Update qp state for user query Greg Kroah-Hartman
2016-11-24 15:27 ` Greg Kroah-Hartman [this message]
2016-11-24 15:27 ` [PATCH 4.8 52/67] IB/rxe: Fix handling of erroneous WR Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 53/67] IB/rxe: Clear queue buffer when modifying QP to reset Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 54/67] IB/mlx4: Check gid_index return value Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 55/67] IB/mlx4: Fix create CQ error flow Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 56/67] IB/mlx5: Validate requested RQT size Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 57/67] IB/mlx5: Use cache line size to select CQE stride Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 58/67] IB/mlx5: Fix memory leak in query device Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 59/67] IB/mlx5: Fix fatal error dispatching Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 60/67] IB/mlx5: Fix NULL pointer dereference on debug print Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 61/67] IB/core: Avoid unsigned int overflow in sg_alloc_table Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 62/67] IB/hfi1: Remove incorrect IS_ERR check Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 63/67] IB/uverbs: Fix leak of XRC target QPs Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 64/67] IB/cm: Mark stale CM ids whenever the mad agent was unregistered Greg Kroah-Hartman
2016-11-24 15:27 ` [PATCH 4.8 65/67] netfilter: nft_dynset: fix element timeout for HZ != 1000 Greg Kroah-Hartman
2016-11-24 15:28 ` [PATCH 4.8 66/67] gpio: pca953x: Move memcpy into mutex lock for set multiple Greg Kroah-Hartman
2016-11-24 15:28 ` [PATCH 4.8 67/67] gpio: pca953x: Fix corruption of other gpios in set_multiple Greg Kroah-Hartman
2016-11-25 0:48 ` [PATCH 4.8 00/67] 4.8.11-stable review Guenter Roeck
2016-11-25 9:43 ` Greg Kroah-Hartman
[not found] ` <5837ca28.52301c0a.d82bc.07dd@mx.google.com>
2016-11-25 9:46 ` Greg Kroah-Hartman
[not found] ` <m2mvgjtr7m.fsf@baylibre.com>
2016-11-28 19:22 ` Javier Martinez Canillas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161124145500.024079940@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dledford@redhat.com \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=monis@mellanox.com \
--cc=stable@vger.kernel.org \
--cc=yonatanc@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).