IB/core: Fix NULL pointer dereference when bind QP to counter
If QP is not visible to the pid, then we try to decrease its reference
count and return from the function before the QP pointer is
initialized. This lead to NULL pointer dereference.
Fix it by pass directly the res to the rdma_restract_put as arg instead of
&qp->res.
This fixes below call trace:
[ 5845.110329] BUG: kernel NULL pointer dereference, address:
00000000000000dc
[ 5845.120482] Oops: 0002 [#1] SMP PTI
[ 5845.129119] RIP: 0010:rdma_restrack_put+0x5/0x30 [ib_core]
[ 5845.169450] Call Trace:
[ 5845.170544] rdma_counter_get_qp+0x5c/0x70 [ib_core]
[ 5845.172074] rdma_counter_bind_qpn_alloc+0x6f/0x1a0 [ib_core]
[ 5845.173731] nldev_stat_set_doit+0x314/0x330 [ib_core]
[ 5845.175279] rdma_nl_rcv_msg+0xeb/0x1d0 [ib_core]
[ 5845.176772] ? __kmalloc_node_track_caller+0x20b/0x2b0
[ 5845.178321] rdma_nl_rcv+0xcb/0x120 [ib_core]
[ 5845.179753] netlink_unicast+0x179/0x220
[ 5845.181066] netlink_sendmsg+0x2d8/0x3d0
[ 5845.182338] sock_sendmsg+0x30/0x40
[ 5845.183544] __sys_sendto+0xdc/0x160
[ 5845.184832] ? syscall_trace_enter+0x1f8/0x2e0
[ 5845.186209] ? __audit_syscall_exit+0x1d9/0x280
[ 5845.187584] __x64_sys_sendto+0x24/0x30
[ 5845.188867] do_syscall_64+0x48/0x120
[ 5845.190097] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: 1bd8e0a9d0fd1 ("RDMA/counter: Allow manual mode configuration support")
Signed-off-by: Ido Kalir <idok@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Link: https://lore.kernel.org/r/20190815083834.9245-2-leon@kernel.org
Signed-off-by: Doug Ledford <dledford@redhat.com>
git.samba.org / sfrench / cifs-2.6.git / commit