From: Sasha Levin <sashal@kernel.org>
To: kernel-lts@openela.org
Cc: Daniel Vacek <neelx@redhat.com>,
stable@vger.kernel.org, Mats Kronberg <kronberg@nsc.liu.se>,
Leon Romanovsky <leon@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14-openela 031/190] IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
Date: Mon, 15 Apr 2024 06:49:21 -0400 [thread overview]
Message-ID: <20240415105208.3137874-32-sashal@kernel.org> (raw)
In-Reply-To: <20240415105208.3137874-1-sashal@kernel.org>
From: Daniel Vacek <neelx@redhat.com>
[ Upstream commit e6f57c6881916df39db7d95981a8ad2b9c3458d6 ]
Unfortunately the commit `fd8958efe877` introduced another error
causing the `descs` array to overflow. This reults in further crashes
easily reproducible by `sendmsg` system call.
[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
--
[ 1080.974535] Call Trace:
[ 1080.976990] <TASK>
[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]
[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
[ 1081.046978] dev_hard_start_xmit+0xc4/0x210
--
[ 1081.148347] __sys_sendmsg+0x59/0xa0
crash> ipoib_txreq 0xffff9cfeba229f00
struct ipoib_txreq {
txreq = {
list = {
next = 0xffff9cfeba229f00,
prev = 0xffff9cfeba229f00
},
descp = 0xffff9cfeba229f40,
coalesce_buf = 0x0,
wait = 0xffff9cfea4e69a48,
complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
packet_len = 0x46d,
tlen = 0x0,
num_desc = 0x0,
desc_limit = 0x6,
next_descq_idx = 0x45c,
coalesce_idx = 0x0,
flags = 0x0,
descs = {{
qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
}, {
qw = { 0x3800014231b108, 0x4}
}, {
qw = { 0x310000e4ee0fcf0, 0x8}
}, {
qw = { 0x3000012e9f8000, 0x8}
}, {
qw = { 0x59000dfb9d0000, 0x8}
}, {
qw = { 0x78000e02e40000, 0x8}
}}
},
sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure
sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)
complete = 0x0,
priv = 0x0,
txq = 0xffff9cfea4e69880,
skb = 0xffff9d099809f400
}
If an SDMA send consists of exactly 6 descriptors and requires dword
padding (in the 7th descriptor), the sdma_txreq descriptor array is not
properly expanded and the packet will overflow into the container
structure. This results in a panic when the send completion runs. The
exact panic varies depending on what elements of the container structure
get corrupted. The fix is to use the correct expression in
_pad_sdma_tx_descs() to test the need to expand the descriptor array.
With this patch the crashes are no longer reproducible and the machine is
stable.
Fixes: fd8958efe877 ("IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors")
Cc: stable@vger.kernel.org
Reported-by: Mats Kronberg <kronberg@nsc.liu.se>
Tested-by: Mats Kronberg <kronberg@nsc.liu.se>
Signed-off-by: Daniel Vacek <neelx@redhat.com>
Link: https://lore.kernel.org/r/20240201081009.1109442-1-neelx@redhat.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hfi1/sdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c
index aeaed09360055..4067273fdd7b1 100644
--- a/drivers/infiniband/hw/hfi1/sdma.c
+++ b/drivers/infiniband/hw/hfi1/sdma.c
@@ -3212,7 +3212,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx)
{
int rval = 0;
- if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) {
+ if ((unlikely(tx->num_desc == tx->desc_limit))) {
rval = _extend_sdma_tx_descs(dd, tx);
if (rval) {
__sdma_txclean(dd, tx);
--
2.43.0
next prev parent reply other threads:[~2024-04-15 13:38 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240415105208.3137874-1-sashal@kernel.org>
2024-04-15 10:48 ` [PATCH 4.14-openela 003/190] ALSA: jack: Fix mutex call in snd_jack_report() Sasha Levin
2024-04-15 10:48 ` [PATCH 4.14-openela 004/190] pinctrl: amd: Detect internal GPIO0 debounce handling Sasha Levin
2024-04-15 10:48 ` [PATCH 4.14-openela 005/190] btrfs: fix extent buffer leak after tree mod log failure at split_node() Sasha Levin
2024-04-15 10:48 ` [PATCH 4.14-openela 007/190] IMA: allow/fix UML builds Sasha Levin
2024-04-15 10:48 ` [PATCH 4.14-openela 008/190] iio: addac: stx104: Fix race condition for stx104_write_raw() Sasha Levin
2024-04-15 10:48 ` [PATCH 4.14-openela 009/190] block: fix signed int overflow in Amiga partition support Sasha Levin
2024-04-15 13:58 ` Geert Uytterhoeven
2024-04-15 10:49 ` [PATCH 4.14-openela 012/190] selftests/ftrace: Add new test case which checks non unique symbol Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 013/190] iio: exynos-adc: request second interupt only when touchscreen mode is used Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 021/190] MIPS: KVM: Fix a build warning about variable set but not used Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 022/190] smb3: fix touch -h of symlink Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 023/190] fbdev: stifb: Make the STI next font pointer a 32-bit signed offset Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 025/190] arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 028/190] btrfs: do not allow non subvolume root targets for snapshot Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 029/190] smb: client: fix OOB in smbCalcSize() Sasha Levin
2024-04-15 10:49 ` Sasha Levin [this message]
2024-04-15 10:49 ` [PATCH 4.14-openela 032/190] pinctrl: amd: Only use special debounce behavior for GPIO 0 Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 033/190] PCI: qcom: Disable write access to read only registers for IP v2.3.3 Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 034/190] ASoC: cs42l51: fix driver to properly autoload with automatic module loading Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 044/190] PCI: keystone: Don't discard .remove() callback Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 045/190] PCI: keystone: Don't discard .probe() callback Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 046/190] ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE Sasha Levin
2024-04-15 10:49 ` [PATCH 4.14-openela 049/190] usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240415105208.3137874-32-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=kernel-lts@openela.org \
--cc=kronberg@nsc.liu.se \
--cc=leon@kernel.org \
--cc=neelx@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox