From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Yonatan Cohen <yonatanc@mellanox.com>,
Leon Romanovsky <leonro@mellanox.com>,
Jason Gunthorpe <jgg@mellanox.com>
Subject: [PATCH 5.4 43/66] IB/umad: Fix kernel crash while unloading ib_umad
Date: Tue, 18 Feb 2020 20:55:10 +0100 [thread overview]
Message-ID: <20200218190431.979466384@linuxfoundation.org> (raw)
In-Reply-To: <20200218190428.035153861@linuxfoundation.org>
From: Yonatan Cohen <yonatanc@mellanox.com>
commit 9ea04d0df6e6541c6736b43bff45f1e54875a1db upstream.
When disassociating a device from umad we must ensure that the sysfs
access is prevented before blocking the fops, otherwise assumptions in
syfs don't hold:
CPU0 CPU1
ib_umad_kill_port() ibdev_show()
port->ib_dev = NULL
dev_name(port->ib_dev)
The prior patch made an error in moving the device_destroy(), it should
have been split into device_del() (above) and put_device() (below). At
this point we already have the split, so move the device_del() back to its
original place.
kernel stack
PF: error_code(0x0000) - not-present page
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
RIP: 0010:ibdev_show+0x18/0x50 [ib_umad]
RSP: 0018:ffffc9000097fe40 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffffa0441120 RCX: ffff8881df514000
RDX: ffff8881df514000 RSI: ffffffffa0441120 RDI: ffff8881df1e8870
RBP: ffffffff81caf000 R08: ffff8881df1e8870 R09: 0000000000000000
R10: 0000000000001000 R11: 0000000000000003 R12: ffff88822f550b40
R13: 0000000000000001 R14: ffffc9000097ff08 R15: ffff8882238bad58
FS: 00007f1437ff3740(0000) GS:ffff888236940000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000004e8 CR3: 00000001e0dfc001 CR4: 00000000001606e0
Call Trace:
dev_attr_show+0x15/0x50
sysfs_kf_seq_show+0xb8/0x1a0
seq_read+0x12d/0x350
vfs_read+0x89/0x140
ksys_read+0x55/0xd0
do_syscall_64+0x55/0x1b0
entry_SYSCALL_64_after_hwframe+0x44/0xa9:
Fixes: cf7ad3030271 ("IB/umad: Avoid destroying device while it is accessed")
Link: https://lore.kernel.org/r/20200212072635.682689-9-leon@kernel.org
Signed-off-by: Yonatan Cohen <yonatanc@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/user_mad.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -1312,6 +1312,9 @@ static void ib_umad_kill_port(struct ib_
struct ib_umad_file *file;
int id;
+ cdev_device_del(&port->sm_cdev, &port->sm_dev);
+ cdev_device_del(&port->cdev, &port->dev);
+
mutex_lock(&port->file_mutex);
/* Mark ib_dev NULL and block ioctl or other file ops to progress
@@ -1331,8 +1334,6 @@ static void ib_umad_kill_port(struct ib_
mutex_unlock(&port->file_mutex);
- cdev_device_del(&port->sm_cdev, &port->sm_dev);
- cdev_device_del(&port->cdev, &port->dev);
ida_free(&umad_ida, port->dev_num);
/* balances device_initialize() */
next prev parent reply other threads:[~2020-02-18 20:07 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-18 19:54 [PATCH 5.4 00/66] 5.4.21-stable review Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 01/66] Input: synaptics - switch T470s to RMI4 by default Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 02/66] Input: synaptics - enable SMBus on ThinkPad L470 Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 03/66] Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 04/66] ALSA: usb-audio: Fix UAC2/3 effect unit parsing Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 05/66] ALSA: hda/realtek - Add more codec supported Headset Button Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 06/66] ALSA: hda/realtek - Fix silent output on MSI-GL73 Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 07/66] ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 08/66] ACPI: EC: Fix flushing of pending work Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 09/66] ACPI: PM: s2idle: Avoid possible race related to the EC GPE Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 10/66] ACPICA: Introduce acpi_any_gpe_status_set() Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 11/66] ACPI: PM: s2idle: Prevent spurious SCIs from waking up the system Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 12/66] ALSA: usb-audio: sound: usb: usb true/false for bool return type Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 13/66] ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000 Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 14/66] ext4: dont assume that mmp_nodename/bdevname have NUL Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 15/66] ext4: fix support for inode sizes > 1024 bytes Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 16/66] ext4: fix checksum errors with indexed dirs Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 17/66] ext4: add cond_resched() to ext4_protect_reserved_inode Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 18/66] ext4: improve explanation of a mount failure caused by a misconfigured kernel Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 19/66] Btrfs: fix race between using extent maps and merging them Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 20/66] btrfs: ref-verify: fix memory leaks Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 21/66] btrfs: print message when tree-log replay starts Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 22/66] btrfs: log message when rw remount is attempted with unclean tree-log Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 23/66] ARM: npcm: Bring back GPIOLIB support Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 24/66] gpio: xilinx: Fix bug where the wrong GPIO register is written to Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 25/66] arm64: ssbs: Fix context-switch when SSBS is present on all CPUs Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 26/66] xprtrdma: Fix DMA scatter-gather list mapping imbalance Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 27/66] cifs: make sure we do not overflow the max EA buffer size Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 28/66] EDAC/sysfs: Remove csrow objects on errors Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 29/66] EDAC/mc: Fix use-after-free and memleaks during device removal Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 30/66] KVM: nVMX: Use correct root level for nested EPT shadow page tables Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 31/66] perf/x86/amd: Add missing L2 misses event spec to AMD Family 17hs event map Greg Kroah-Hartman
2020-02-18 19:54 ` [PATCH 5.4 32/66] s390/pkey: fix missing length of protected key on return Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 33/66] s390/uv: Fix handling of length extensions Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 34/66] drm/vgem: Close use-after-free race in vgem_gem_create Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 35/66] drm/panfrost: Make sure the shrinker does not reclaim referenced BOs Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 36/66] bus: moxtet: fix potential stack buffer overflow Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 37/66] nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 38/66] drivers: ipmi: fix off-by-one bounds check that leads to a out-of-bounds write Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 39/66] IB/mlx5: Return failure when rts2rts_qp_counters_set_id is not supported Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 40/66] IB/hfi1: Acquire lock to release TID entries when user file is closed Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 41/66] IB/hfi1: Close window for pq and request coliding Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 42/66] IB/rdmavt: Reset all QPs when the device is shut down Greg Kroah-Hartman
2020-02-18 19:55 ` Greg Kroah-Hartman [this message]
2020-02-18 19:55 ` [PATCH 5.4 44/66] RDMA/core: Fix invalid memory access in spec_filter_size Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 45/66] RDMA/iw_cxgb4: initiate CLOSE when entering TERM Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 46/66] RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 47/66] RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 48/66] RDMA/core: Fix protection fault in get_pkey_idx_qp_list Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 49/66] s390/time: Fix clk type in get_tod_clock Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 50/66] sched/uclamp: Reject negative values in cpu_uclamp_write() Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 51/66] spmi: pmic-arb: Set lockdep class for hierarchical irq domains Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 52/66] perf/x86/intel: Fix inaccurate period in context switch for auto-reload Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 53/66] hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 54/66] mac80211: fix quiet mode activation in action frames Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 55/66] cifs: fix mount option display for sec=krb5i Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 56/66] arm64: dts: fast models: Fix FVP PCI interrupt-map property Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 57/66] KVM: x86: Mask off reserved bit from #DB exception payload Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 58/66] perf stat: Dont report a null stalled cycles per insn metric Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 59/66] NFSv4.1 make cachethis=no for writes Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 60/66] Revert "drm/sun4i: drv: Allow framebuffer modifiers in mode config" Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 61/66] jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 62/66] jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 63/66] ext4: choose hardlimit when softlimit is larger than hardlimit in ext4_statfs_project() Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 64/66] KVM: x86/mmu: Fix struct guest_walker arrays for 5-level paging Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 65/66] gpio: add gpiod_toggle_active_low() Greg Kroah-Hartman
2020-02-18 19:55 ` [PATCH 5.4 66/66] mmc: core: Rework wp-gpio handling Greg Kroah-Hartman
2020-02-18 23:34 ` [PATCH 5.4 00/66] 5.4.21-stable review shuah
2020-02-19 3:34 ` Naresh Kamboju
2020-02-19 11:06 ` Jon Hunter
2020-02-19 18:09 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200218190431.979466384@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jgg@mellanox.com \
--cc=leonro@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yonatanc@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).