Thread: 13 messages, 4 authors, 2021-09-01

Re: [PATCH] RDMA/rxe: Zero out index member of struct rxe_queue

From: "yangx.jy@fujitsu.com" <yangx.jy@fujitsu.com>
Date: 2021-08-23 06:18:25

On 2021/8/23 13:42, Zhu Yanjun wrote:
On Mon, Aug 23, 2021 at 12:37 PM yangx.jy@fujitsu.com [off-list ref] wrote:
On 2021/8/21 15:21, Zhu Yanjun wrote:
On Fri, Aug 20, 2021 at 6:44 PM Xiao Yang [off-list ref] wrote:
1) New index member of struct rxe_queue is introduced but not zeroed
     so the initial value of index may be random.
2) Current index is not masked off to index_mask.
In such case, producer_addr() and consumer_addr() will get an invalid
address by the random index and then accessing the invalid address
triggers the following panic:
"BUG: unable to handle page fault for address: ffff9ae2c07a1414"

Fix the issue by using kzalloc() to zero out index member.

Fixes: 5bcf5a59c41e ("RDMA/rxe: Protext kernel index from user space")
Signed-off-by: Xiao Yang <yangx.jy@fujitsu.com>
---
   drivers/infiniband/sw/rxe/rxe_queue.c | 2 +-
   1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/sw/rxe/rxe_queue.c b/drivers/infiniband/sw/rxe/rxe_queue.c
index 85b812586ed4..72d95398e604 100644
--- a/drivers/infiniband/sw/rxe/rxe_queue.c
+++ b/drivers/infiniband/sw/rxe/rxe_queue.c
@@ -63,7 +63,7 @@ struct rxe_queue *rxe_queue_init(struct rxe_dev *rxe, int *num_elem,
          if (*num_elem<   0)
                  goto err1;

-       q = kmalloc(sizeof(*q), GFP_KERNEL);
+       q = kzalloc(sizeof(*q), GFP_KERNEL);
Perhaps this is why I cannot reproduce this problem in the local host.
Hi Yanjun,

I forgot to say that I reproduced the issue on my local vm.
Which OS are you using to reproduce this problem?
OS is fedora31.
Zhu Yanjun
Best Regards,
Xiao Yang
Zhu Yanjun
          if (!q)
                  goto err1;
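Review bot: The description lists a second defect, "2) Current index is not masked off to index_mask", but this single hunk in rxe_queue_init() only replaces kmalloc() with kzalloc(), which fixes the zeroing problem 1) and nothing else; either drop item 2) from the commit message or include the masking change in producer_addr()/consumer_addr() that it describes, so the text matches the diff. Zeroing the whole struct with kzalloc() is a sound way to initialise the new index member, and the Fixes: tag pointing at the commit that introduced it is appropriate.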

--
2.25.1
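The two defects the patch description names, an index member left uninitialised by kmalloc() and an index that is not masked off to index_mask before it is turned into an address, are both about how a ring-queue index becomes a pointer. The following is an added example and not rxe driver code: a constructed userspace model (names such as demo_queue, demo_offset and demo_producer_addr are assumptions) in which calloc() stands in for kzalloc(), so the indices start at zero, and the element offset is always masked, so even a garbage index yields an address inside the buffer. The unmasked variant is kept only to show how far a stray index walks off the allocation.

```c
/* Added example, not from the rxe driver: a minimal ring queue whose
 * element address is derived from an index, modelling the two defects
 * described in the patch (uninitialised index, unmasked index) and their
 * mitigations (zeroed allocation, masking). All names are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct demo_queue {
    uint32_t elem_size;
    uint32_t index_mask;      /* num_elem - 1; num_elem is a power of two */
    uint32_t producer_index;  /* starts at 0 only because calloc() zeroes it */
    uint32_t consumer_index;
    unsigned char *data;
};

/* Mirrors the patch's allocation pattern: calloc() plays the role of
 * kzalloc(), so every member, including both indices, is zero on return.
 * Returns NULL for num_elem values that are not a power of two, since the
 * mask trick only works for those. */
struct demo_queue *demo_queue_init(uint32_t num_elem, uint32_t elem_size)
{
    struct demo_queue *q;

    if (num_elem == 0 || (num_elem & (num_elem - 1)) != 0 || elem_size == 0)
        return NULL;
    q = calloc(1, sizeof(*q));
    if (!q)
        return NULL;
    q->elem_size = elem_size;
    q->index_mask = num_elem - 1;
    q->data = calloc(num_elem, elem_size);
    if (!q->data) {
        free(q);
        return NULL;
    }
    return q;
}

/* Byte offset of an element for a given index. With masked != 0 the index
 * is reduced modulo the ring size first, which is the mitigation for the
 * second defect in the description; masked == 0 reproduces the unmasked
 * computation for comparison. */
size_t demo_offset(const struct demo_queue *q, uint32_t index, int masked)
{
    uint32_t idx = masked ? (index & q->index_mask) : index;

    return (size_t)idx * q->elem_size;
}

/* 1 if an element starting at byte offset off lies wholly inside the
 * buffer, 0 otherwise. */
int demo_offset_in_bounds(const struct demo_queue *q, size_t off)
{
    size_t len = (size_t)(q->index_mask + 1) * q->elem_size;

    return off + q->elem_size <= len;
}

/* Counterpart of producer_addr(): always uses the masked offset. */
unsigned char *demo_producer_addr(struct demo_queue *q)
{
    return q->data + demo_offset(q, q->producer_index, 1);
}

void demo_queue_free(struct demo_queue *q)
{
    if (q) {
        free(q->data);
        free(q);
    }
}

int main(void)
{
    struct demo_queue *q = demo_queue_init(8, 16);
    uint32_t garbage = 0x1234; /* constructed stand-in for a random index */

    if (!q)
        return 1;
    printf("initial producer_index = %u\n", q->producer_index);
    printf("masked offset for 0x%x: %zu (in bounds: %d)\n", garbage,
           demo_offset(q, garbage, 1),
           demo_offset_in_bounds(q, demo_offset(q, garbage, 1)));
    printf("unmasked offset for 0x%x: %zu (in bounds: %d)\n", garbage,
           demo_offset(q, garbage, 0),
           demo_offset_in_bounds(q, demo_offset(q, garbage, 0)));
    demo_queue_free(q);
    return 0;
}
```

The point of the in-bounds check is that zeroing and masking are independent defences: zeroing fixes the initial value, masking bounds every later value regardless of where it came from, which is why the description's item 2) is worth fixing on its own.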
