drivers/infiniband/core/cq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
From: luoqing <luoqing@kylinos.cn>
When the kernel allocates memory for completion queue object ib_cq on the specified
InfiniBand device dev and ensures that the allocated memory is cleared to zero,
if the ib_cq object is not initialized to 0, a non-null value is still returned,
and the kernel should exit and give a warning.
Avoid kernel crash when this memory is initialized.
ib_mad_init_device
-->ib_mad_port_open
-->__ib_alloc_cq
-->rdma_zalloc_drv_obj(dev, ib_cq);
#8 [ffff80211b3c7430] do_mem_abort at ffff4bedae5912c4
#9 [ffff80211b3c7610] el1_ia at ffff4bedae592f8c
PC: ffff4bed866f5aac [__ib_alloc_cq+100]
LR: ffff4bed866f5a98 [__ib_alloc_cq+80]
SP: ffff80211b3c7620 PSTATE: 60400009
X29: ffff80211b3c7620 X28: ffff4bedae5c7a70 X27: 0000000000000000
X26: ffff4bed86737680 X25: ffff8020b62f4000 X24: 0000000000000002
X23: 0000000000000280 X22: ffff4bedaf8a4d28 X21: ffff8020ca8d0000
X20: 0000000000000000 X19: 0000000000000010 X18: ffff80211b3c7410
X17: 00000000172acefd X16: ffff4bedae8603e8 X15: 00000000b19d2ea3
X14: 000000000950e09b X13: 000000009bd4e304 X12: 00000000f81e149c
X11: 0000000096b29e56 X10: 0000000000000f70 X9: ffff80211b3c7360
X8: ffff80211b4e9350 X7: 0000000000000000 X6: ffff4bedaf2d08f0
X5: ffff4bed86737680 X4: 0000000000000002 X3: 0000000000000000
X2: 0000000000000280 X1: 00000000006080c0 X0: 0000000000000010
X2: 0000000000000280 X1: 00000000006080c0 X0: 0000000000000010
#10 [ffff80211b3c7620] __ib_alloc_cq at ffff4bed866f5aa8 [ib_core]
#11 [ffff80211b3c7690] ib_mad_port_open at ffff4bed86711338 [ib_core]
#12 [ffff80211b3c7710] ib_mad_init_device at ffff4bed867118d0 [ib_core]
#13 [ffff80211b3c7760] add_client_context at ffff4bed866fca40 [ib_core]
#14 [ffff80211b3c77a0] enable_device_and_get at ffff4bed866fcb90 [ib_core]
#15 [ffff80211b3c77f0] ib_register_device at ffff4bed866fd750 [ib_core]
#16 [ffff80211b3c78b0] irdma_ib_register_device at ffff4bed81ea3d20 [irdma]
#17 [ffff80211b3c7920] irdma_probe at ffff4bed81e7130c [irdma]
When ib_cq is zero, the return value of cq is ZERO_SIZE_PTR ((void *)16) and is not non-null
cq = rdma_zalloc_drv_obj(dev, ib_cq);
Signed-off-by: luoqing <luoqing@kylinos.cn>
---
drivers/infiniband/core/cq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/cq.c b/drivers/infiniband/core/cq.c
index a70876a0a231..90ea9fc99fb7 100644
--- a/drivers/infiniband/core/cq.c
+++ b/drivers/infiniband/core/cq.c
@@ -221,7 +221,7 @@ struct ib_cq *__ib_alloc_cq(struct ib_device *dev, void *private, int nr_cqe,
int ret = -ENOMEM;
cq = rdma_zalloc_drv_obj(dev, ib_cq);
- if (!cq)
+ if (unlikely(ZERO_OR_NULL_PTR(cq)))
return ERR_PTR(ret);
cq->device = dev;
--
2.27.0On Mon, Apr 07, 2025 at 05:33:41PM +0800, luoqing wrote: > From: luoqing <luoqing@kylinos.cn> > > When the kernel allocates memory for completion queue object ib_cq on the specified > InfiniBand device dev and ensures that the allocated memory is cleared to zero, > if the ib_cq object is not initialized to 0, a non-null value is still returned, > and the kernel should exit and give a warning. > Avoid kernel crash when this memory is initialized. ?? This doesn't make any sense. > ib_mad_init_device > -->ib_mad_port_open > -->__ib_alloc_cq > -->rdma_zalloc_drv_obj(dev, ib_cq); rdma_zalloc_drv_obj() must return memory that is validly castable to the struct ib_cq. > When ib_cq is zero, the return value of cq is ZERO_SIZE_PTR ((void *)16) and is not non-null > cq = rdma_zalloc_drv_obj(dev, ib_cq); It looks to me like the driver returned the wrong size for the ib_cq in the ops->size_ib_cq. It is not allowed to be 0 if the driver is supporting cq. Arguably we should check that the size_* pointers have the requirement minimum size when registering the driver. Allocation time is too late. Jason
© 2016 - 2026 Red Hat, Inc.