1 From 8c79d8223bb11b2f005695a32ddd3985de97727c Mon Sep 17 00:00:00 2001
2 From: Mike Marciniszyn <mike.marciniszyn@intel.com>
3 Date: Wed, 2 May 2018 06:42:44 -0700
4 Subject: IB/hfi1: Fix fault injection init/exit issues
5
6 From: Mike Marciniszyn <mike.marciniszyn@intel.com>
7
8 commit 8c79d8223bb11b2f005695a32ddd3985de97727c upstream.
9
10 There are config dependent code paths that expose panics in unload
11 paths both in this file and in debugfs_remove_recursive() because
12 CONFIG_FAULT_INJECTION and CONFIG_FAULT_INJECTION_DEBUG_FS can be
13 set independently.
14
15 Having CONFIG_FAULT_INJECTION set and CONFIG_FAULT_INJECTION_DEBUG_FS
16 reset causes fault_create_debugfs_attr() to return an error.
17
18 The debugfs.c routines tolerate failures, but the module unload panics
19 dereferencing a NULL in the two exit routines. If that is fixed, the
20 dir passed to debugfs_remove_recursive comes from a memory location
21 that was freed and potentially reused causing a segfault or corrupting
22 memory.
23
24 Here is an example of the NULL deref panic:
25
26 [66866.286829] BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
27 [66866.295602] IP: hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1]
28 [66866.301138] PGD 858496067 P4D 858496067 PUD 8433a7067 PMD 0
29 [66866.307452] Oops: 0000 [#1] SMP
30 [66866.310953] Modules linked in: hfi1(-) rdmavt rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm iw_cm ib_cm ib_core rpcsec_gss_krb5 nfsv4 dns_resolver nfsv3 nfs fscache sb_edac x86_pkg_temp_thermal intel_powerclamp vfat fat coretemp kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel iTCO_wdt iTCO_vendor_support crypto_simd mei_me glue_helper cryptd mxm_wmi ipmi_si pcspkr lpc_ich sg mei ioatdma ipmi_devintf i2c_i801 mfd_core shpchp ipmi_msghandler wmi acpi_power_meter acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 sd_mod mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt igb fb_sys_fops ttm ahci ptp crc32c_intel libahci pps_core drm dca libata i2c_algo_bit i2c_core [last unloaded: opa_vnic]
31 [66866.385551] CPU: 8 PID: 7470 Comm: rmmod Not tainted 4.14.0-mam-tid-rdma #2
32 [66866.393317] Hardware name: Intel Corporation S2600WT2/S2600WT2, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016
33 [66866.405252] task: ffff88084f28c380 task.stack: ffffc90008454000
34 [66866.411866] RIP: 0010:hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1]
35 [66866.417984] RSP: 0018:ffffc90008457da0 EFLAGS: 00010202
36 [66866.423812] RAX: 0000000000000000 RBX: ffff880857de0000 RCX: 0000000180040001
37 [66866.431773] RDX: 0000000180040002 RSI: ffffea0021088200 RDI: 0000000040000000
38 [66866.439734] RBP: ffffc90008457da8 R08: ffff88084220e000 R09: 0000000180040001
39 [66866.447696] R10: 000000004220e001 R11: ffff88084220e000 R12: ffff88085a31c000
40 [66866.455657] R13: ffffffffa07c9820 R14: ffffffffa07c9890 R15: ffff881059d78100
41 [66866.463618] FS: 00007f6876047740(0000) GS:ffff88085f800000(0000) knlGS:0000000000000000
42 [66866.472644] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
43 [66866.479053] CR2: 0000000000000088 CR3: 0000000856357006 CR4: 00000000001606e0
44 [66866.487013] Call Trace:
45 [66866.489747] remove_one+0x1f/0x220 [hfi1]
46 [66866.494221] pci_device_remove+0x39/0xc0
47 [66866.498596] device_release_driver_internal+0x141/0x210
48 [66866.504424] driver_detach+0x3f/0x80
49 [66866.508409] bus_remove_driver+0x55/0xd0
50 [66866.512784] driver_unregister+0x2c/0x50
51 [66866.517164] pci_unregister_driver+0x2a/0xa0
52 [66866.521934] hfi1_mod_cleanup+0x10/0xaa2 [hfi1]
53 [66866.526988] SyS_delete_module+0x171/0x250
54 [66866.531558] do_syscall_64+0x67/0x1b0
55 [66866.535644] entry_SYSCALL64_slow_path+0x25/0x25
56 [66866.540792] RIP: 0033:0x7f6875525c27
57 [66866.544777] RSP: 002b:00007ffd48528e78 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
58 [66866.553224] RAX: ffffffffffffffda RBX: 0000000001cc01d0 RCX: 00007f6875525c27
59 [66866.561185] RDX: 00007f6875596000 RSI: 0000000000000800 RDI: 0000000001cc0238
60 [66866.569146] RBP: 0000000000000000 R08: 00007f68757e9060 R09: 00007f6875596000
61 [66866.577120] R10: 00007ffd48528c00 R11: 0000000000000206 R12: 00007ffd48529db4
62 [66866.585080] R13: 0000000000000000 R14: 0000000001cc01d0 R15: 0000000001cc0010
63 [66866.593040] Code: 90 0f 1f 44 00 00 48 83 3d a3 8b 03 00 00 55 48 89 e5 53 48 89 fb 74 4e 48 8d bf 18 0c 00 00 e8 9d f2 ff ff 48 8b 83 20 0c 00 00 <48> 8b b8 88 00 00 00 e8 2a 21 b3 e0 48 8b bb 20 0c 00 00 e8 0e
64 [66866.614127] RIP: hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1] RSP: ffffc90008457da0
65 [66866.621885] CR2: 0000000000000088
66 [66866.625618] ---[ end trace c4817425783fb092 ]---
67
68 Fix by ensuring that upon failure from fault_create_debugfs_attr() the
69 parent pointer for the routines is always set to NULL, and guards are added
70 in the exit routines to ensure that debugfs_remove_recursive() is not
71 called when the parent pointer is NULL.
72
73 Fixes: 0181ce31b260 ("IB/hfi1: Add receive fault injection feature")
74 Cc: <stable@vger.kernel.org> # 4.14.x
75 Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
76 Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
77 Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
78 Signed-off-by: Doug Ledford <dledford@redhat.com>
79 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
80
81 ---
82 drivers/infiniband/hw/hfi1/debugfs.c | 8 ++++++--
83 1 file changed, 6 insertions(+), 2 deletions(-)
84
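--- a/drivers/infiniband/hw/hfi1/debugfs.c
+++ b/drivers/infiniband/hw/hfi1/debugfs.c
@@ -1179,7 +1179,8 @@ DEBUGFS_FILE_OPS(fault_stats);
 
 static void fault_exit_opcode_debugfs(struct hfi1_ibdev *ibd)
 {
-	debugfs_remove_recursive(ibd->fault_opcode->dir);
+	if (ibd->fault_opcode)
+		debugfs_remove_recursive(ibd->fault_opcode->dir);
 	kfree(ibd->fault_opcode);
 	ibd->fault_opcode = NULL;
 }
@@ -1207,6 +1208,7 @@ static int fault_init_opcode_debugfs(str
 					  &ibd->fault_opcode->attr);
 	if (IS_ERR(ibd->fault_opcode->dir)) {
 		kfree(ibd->fault_opcode);
+		ibd->fault_opcode = NULL;
 		return -ENOENT;
 	}
 
@@ -1230,7 +1232,8 @@ fail:
 
 static void fault_exit_packet_debugfs(struct hfi1_ibdev *ibd)
 {
-	debugfs_remove_recursive(ibd->fault_packet->dir);
+	if (ibd->fault_packet)
+		debugfs_remove_recursive(ibd->fault_packet->dir);
 	kfree(ibd->fault_packet);
 	ibd->fault_packet = NULL;
 }
@@ -1256,6 +1259,7 @@ static int fault_init_packet_debugfs(str
 					  &ibd->fault_opcode->attr);
 	if (IS_ERR(ibd->fault_packet->dir)) {
 		kfree(ibd->fault_packet);
+		ibd->fault_packet = NULL;
 		return -ENOENT;
 	}
 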
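Review bot: The context line `&ibd->fault_opcode->attr` in fault_init_packet_debugfs (the last hunk) creates the packet fault directory against the opcode attr, and now that the opcode init path sets `ibd->fault_opcode = NULL` on failure, that line would dereference NULL if packet init still runs after an opcode init failure; whether the caller continues past that failure is not visible here. It reads like a copy of the opcode routine, and `&ibd->fault_packet->attr` is presumably what was intended, so the packet directory's controls would otherwise act on the wrong attr. This is pre-existing code rather than something the commit introduces, so it likely belongs in a separate fix. The enclosing function starts outside the hunk.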