RDMA/restrack: Increment CQ restrack object before subtracting it
There is a code path that calls destroy CQ prior to successful CQ creation. It causes an unbalanced number of calls to rdma_restrack_add and rdma_restrack_del.

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 293 at lib/refcount.c:187 refcount_sub_and_test+0x142/0x1b0
Modules linked in:
CPU: 0 PID: 293 Comm: syzkaller788700 Tainted: G        W        4.16.0-rc1+ #95
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
RIP: 0010:refcount_sub_and_test+0x142/0x1b0
RSP: 0018:ffff88005fc0f600 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000006 RSI: 1ffff1000bf81e78 RDI: 0000000000000000
RBP: ffff880063601ac0 R08: 1ffff1000bf81e4a R09: ffff8800644b6748
R10: 0000000000000006 R11: 0000000000000003 R12: 1ffff1000bf81ec1
R13: 0000000000000001 R14: 00000000ffffffff R15: dffffc0000000000
FS:  00007f8e5fbeb700(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000fb0 CR3: 0000000003616000 CR4: 00000000000006b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ? refcount_inc+0x70/0x70
 ? kfree+0x134/0x540
 mlx5_core_destroy_cq+0x1f8/0x260
 ? mlx5_core_modify_cq_moderation+0x150/0x150
 ? rdma_restrack_add+0x6a0/0x6a0
 mlx5_ib_destroy_cq+0xd7/0x2a0
 ib_destroy_cq+0xae/0x110
 uverbs_free_cq+0x78/0x160
 remove_commit_idr_uobject+0x6d/0x110
 uverbs_cleanup_ucontext+0x2f0/0x730
 ? sched_clock_cpu+0x18/0x200
 ? uverbs_close_fd+0x1c0/0x1c0
 ib_uverbs_cleanup_ucontext.constprop.3+0x52/0x120
 ib_uverbs_close+0xf2/0x570
 ? ib_uverbs_remove_one+0xb50/0xb50
 ? ib_uverbs_remove_one+0xb50/0xb50
 __fput+0x2cd/0x8d0
 task_work_run+0xec/0x1d0
 do_exit+0x6a1/0x1520
 ? exit_notify+0x9f0/0x9f0
 ? sched_clock_cpu+0x18/0x200
 ? _raw_spin_unlock_irq+0x29/0x40
 ? _raw_spin_unlock_irq+0x29/0x40
 ? _raw_spin_unlock_irq+0x29/0x40
 ? time_hardirqs_on+0x27/0x670
 ? do_raw_spin_trylock+0x100/0x100
 do_group_exit+0xe8/0x380
 get_signal+0x680/0x1b70
 do_signal+0xa1/0x1a00
 ? time_hardirqs_on+0x27/0x670
 ? do_raw_spin_trylock+0x100/0x100
 ? lock_acquire+0x19d/0x440
 ? finish_task_switch+0x194/0x850
 ? _raw_spin_unlock_irq+0x29/0x40
 ? setup_sigcontext+0x820/0x820
 ? finish_task_switch+0x214/0x850
 ? prandom_u32_state+0xe/0x180
 ? rcu_read_unlock+0x80/0x80
 ? exit_to_usermode_loop+0x8e/0x140
 exit_to_usermode_loop+0xed/0x140
 do_syscall_64+0x4f6/0x740
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x433689
RSP: 002b:00007f8e5fbeada8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00000000006d183c RCX: 0000000000433689
RDX: 0000000000433689 RSI: 0000000000000001 RDI: 00000000006d183c
RBP: 00000000006d1838 R08: 0000000000000000 R09: 0000000000000000
R10: 00007f8e5fbeb700 R11: 0000000000000246 R12: 0030736272657675
R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 0000000000000001
Code: 51 9f 75 03 80 fb 01 77 70 e8 db 1e 80 ff 83 e3 01 75 1a e8 d1 1e 80 ff 48 c7 c7 e0 67 16 83 c6 05 2f 9f 75 03 01 e8 de 6e 5b ff <0f> ff 31 db eb 91 89 44 24 04 e8 af 1e 80 ff 8b 44 24 04 83 f8
---[ end trace c0ac0e8431263d56 ]---

Cc: syzkaller <syzkaller@googlegroups.com>
Fixes: 08f294a ("RDMA/core: Add resource tracking for create and destroy CQs")
Reported-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
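As an added illustration, not code from this commit or from the kernel: a constructed C model of the add/del pairing the message describes, where a hypothetical create path fails late and cleans up through a destroy routine that always untracks the object. All names (restrack_add, create_cq_buggy, underflows_after, and so on) are assumptions, not kernel APIs; the buggy ordering reproduces the del-without-add the trace reports, the fixed ordering keeps the count balanced.

```c
#include <stdbool.h>

/* Constructed model of a restrack-style counter, not the kernel's
 * rdma_restrack_add/del: every add must be paired with exactly one del. */
struct restrack { int count, underflows; };

static void restrack_add(struct restrack *rt) { rt->count++; }

static void restrack_del(struct restrack *rt)
{
	if (rt->count == 0) {
		rt->underflows++; /* refcount_t WARNs "underflow; use-after-free" here */
		return;
	}
	rt->count--;
}

/* Driver-level destroy always untracks, as in the ib_destroy_cq path of the trace. */
static void destroy_cq(struct restrack *rt) { restrack_del(rt); }

/* Hypothetical create paths; 'fail' simulates a late creation failure that is
 * cleaned up by calling destroy_cq(). Return 0 on success, -1 on failure. */
static int create_cq_buggy(struct restrack *rt, bool fail)
{
	if (fail) {          /* cleanup runs before the object was ever added */
		destroy_cq(rt);
		return -1;
	}
	restrack_add(rt);
	return 0;
}

static int create_cq_fixed(struct restrack *rt, bool fail)
{
	restrack_add(rt);    /* add first, so any later destroy has a matching del */
	if (fail) {
		destroy_cq(rt);
		return -1;
	}
	return 0;
}

/* Create (optionally failing), then destroy on success; return underflows seen. */
static int underflows_after(int (*create)(struct restrack *, bool), bool fail)
{
	struct restrack rt = { 0, 0 };
	if (create(&rt, fail) == 0)
		destroy_cq(&rt);
	return rt.underflows;
}
```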