Bug 653648 (CVE-2011-0695) - CVE-2011-0695 kernel: panic in ib_cm:cm_work_handler
Summary: CVE-2011-0695 kernel: panic in ib_cm:cm_work_handler
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-0695
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Infiniband QE
URL:
Whiteboard:
Depends On: 676190 676191 676192 679995 679996
Blocks:
Reported: 2010-11-15 21:02 UTC by Guy Streeter
Modified: 2023-05-11 15:57 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-05-04 06:08:55 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0421 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-04-08 02:56:45 UTC
Red Hat Product Errata RHSA-2011:0500 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2011-05-10 17:18:23 UTC
Red Hat Product Errata RHSA-2011:0927 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-07-15 06:07:56 UTC

Description Guy Streeter 2010-11-15 21:02:33 UTC
Customer has a repeatable panic in InfiniBand code. In cm_work_handler (the one in cm.c, not iwcm.c) the cm_work structure is retrieved from the work_struct, and the attempt to dereference its mad_recv_wc pointer causes the crash, because the pointer has been incremented by one.

vmcores are on megatron.gsslab.rdu.redhat.com
in
/cores/20101108125468/work
and
/cores/20101108125467/work

Acknowledgements:

Red Hat would like to thank Jens Kuehnel for reporting this issue.

Comment 1 Guy Streeter 2010-11-15 22:37:45 UTC
They tried the 1.3 kernel and got this backtrace:

6-NOV-2010 01:03:54.36|ott0140.xeop.de login: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
 6-NOV-2010 01:03:54.36|IP: [<ffffffff810c54f0>] put_compound_page+0x11/0x24
 6-NOV-2010 01:03:54.36|PGD 620d8b067 PUD 4da801067 PMD 0
 6-NOV-2010 01:03:54.36|Oops: 0002 [#1] PREEMPT SMP
 6-NOV-2010 01:03:54.36|last sysfs file: /sys/class/infiniband/mlx4_0/node_guid
 6-NOV-2010 01:03:54.36|CPU 1
 6-NOV-2010 01:03:54.36|Pid: 28628, comm: OFI Not tainted 2.6.33.7-rt29.45.el5rt #1 /ProLiant BL460c G1
 6-NOV-2010 01:03:54.36|RIP: 0010:[<ffffffff810c54f0>]  [<ffffffff810c54f0>] put_compound_page+0x11/0x24
 6-NOV-2010 01:03:54.36|RSP: 0018:ffff880561a8fd28  EFLAGS: 00010286
 6-NOV-2010 01:03:54.41|RAX: 0000000000000000 RBX: ffff880711f84800 RCX: 0000000000000000
 6-NOV-2010 01:03:54.41|RDX: 0000000000000000 RSI: 11a0dbc0ffffea00 RDI: 0000000000000000
 6-NOV-2010 01:03:54.41|RBP: ffff880561a8fd28 R08: ffff880561a8fd38 R09: ffffffff813552af
 6-NOV-2010 01:03:54.41|R10: ffff880730581c00 R11: dead000000200200 R12: ffff880711f84918
 6-NOV-2010 01:03:54.41|R13: ffffea0011a0db5c R14: 0000000000000008 R15: ffff8807306dc6e0
 6-NOV-2010 01:03:54.41|FS:  00000000421bb940(0063) GS:ffff880028240000(0000) knlGS:0000000000000000
 6-NOV-2010 01:03:54.56|CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 6-NOV-2010 01:03:54.56|CR2: 0000000000000008 CR3: 0000000561874000 CR4: 00000000000406e0
 6-NOV-2010 01:03:54.56|DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 6-NOV-2010 01:03:54.56|DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
 6-NOV-2010 01:03:54.56|Process OFI (pid: 28628, threadinfo ffff880561a8e000, task ffff88059d8ca600)
 6-NOV-2010 01:03:54.56|Stack:
 6-NOV-2010 01:03:54.56| ffff880561a8fd58 ffffffff810c5e4e ffff880711f84818 ffff880711f84800
 6-NOV-2010 01:03:54.56|<0> ffff880711f84918 ffffea0011a0db5c ffff880561a8fda8 ffffffffa02789fa
 6-NOV-2010 01:03:54.61|<0> 000000012699c4c8 ffff8807306dc6c0 ffff88082a202800 ffff8807306dc6c0
 6-NOV-2010 01:03:54.61|Call Trace:
 6-NOV-2010 01:03:54.61| [<ffffffff810c5e4e>] put_page+0x21/0x7a
 6-NOV-2010 01:03:54.61| [<ffffffffa02789fa>] __ib_umem_release+0xb2/0xe6 [ib_core]
 6-NOV-2010 01:03:54.61| [<ffffffffa0278fe2>] ib_umem_release+0x26/0xd8 [ib_core]
 6-NOV-2010 01:03:54.61| [<ffffffffa028a0a5>] mlx4_ib_destroy_qp+0x254/0x2eb [mlx4_ib]
 6-NOV-2010 01:03:54.61| [<ffffffffa0274c46>] ib_destroy_qp+0x29/0x4f [ib_core]
 6-NOV-2010 01:03:54.61| [<ffffffffa03a311d>] ib_uverbs_destroy_qp+0x94/0x161 [ib_uverbs]
 6-NOV-2010 01:03:54.61| [<ffffffffa039fa17>] ib_uverbs_write+0xa6/0xc0 [ib_uverbs]
 6-NOV-2010 01:03:54.61| [<ffffffff810f528b>] ? rw_verify_area+0x8d/0xb1
 6-NOV-2010 01:03:54.66| [<ffffffff810f56cc>] vfs_write+0xb0/0x10a
 6-NOV-2010 01:03:54.66| [<ffffffff810f57ea>] sys_write+0x4c/0x72
 6-NOV-2010 01:03:54.66| [<ffffffff81002d1b>] system_call_fastpath+0x16/0x1b
 6-NOV-2010 01:03:54.66|Code: c9 c3 55 48 89 e5 0f 1f 44 00 00 66 83 3f 00 79 04 48 8b 7f 10 c9 48 89 f8 c3 55 48 89 e5 0f 1f 44 00 00 e8 da
 ff ff ff 48 89 c2 <f0> ff 48 08 0f 94 c0 84 c0 74 06 48 89 d7 ff 52 60 c9 c3 55 48
 6-NOV-2010 01:03:54.66|RIP  [<ffffffff810c54f0>] put_compound_page+0x11/0x24
 6-NOV-2010 01:03:54.71| RSP <ffff880561a8fd28>
 6-NOV-2010 01:03:54.71|CR2: 0000000000000008
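
A triage helper for the backtrace in Comment 1, added here as an example (it is not part of the bug report or of any Red Hat tooling): it strips the console capture's timestamp prefix, extracts the fault type, address and faulting symbol, and lists the kernel modules on the call path. The function names and report fields are assumptions of this example.

```python
import re

# Lines excerpted from the Comment 1 backtrace, console timestamp prefix included.
SAMPLE = """\
6-NOV-2010 01:03:54.36|ott0140.xeop.de login: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
 6-NOV-2010 01:03:54.36|IP: [<ffffffff810c54f0>] put_compound_page+0x11/0x24
 6-NOV-2010 01:03:54.61|Call Trace:
 6-NOV-2010 01:03:54.61| [<ffffffff810c5e4e>] put_page+0x21/0x7a
 6-NOV-2010 01:03:54.61| [<ffffffffa02789fa>] __ib_umem_release+0xb2/0xe6 [ib_core]
 6-NOV-2010 01:03:54.61| [<ffffffffa028a0a5>] mlx4_ib_destroy_qp+0x254/0x2eb [mlx4_ib]
 6-NOV-2010 01:03:54.61| [<ffffffffa03a311d>] ib_uverbs_destroy_qp+0x94/0x161 [ib_uverbs]
 6-NOV-2010 01:03:54.61| [<ffffffff810f528b>] ? rw_verify_area+0x8d/0xb1
 6-NOV-2010 01:03:54.66| [<ffffffff810f57ea>] sys_write+0x4c/0x72
 6-NOV-2010 01:03:54.66|Code: c9 c3 55 48 89 e5
"""

PREFIX = re.compile(r"^\s*\d{1,2}-[A-Z]{3}-\d{4} \d\d:\d\d:\d\d\.\d\d\|")
FAULT = re.compile(r"BUG: unable to handle kernel (.+?) at ([0-9a-f]+)")
FRAME = re.compile(r"\[<[0-9a-f]{16}>\]\s+(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
                   r"(?:\s+\[(\w+)\])?")

def parse_oops(text):
    """Return fault type, address, faulting symbol and call-trace frames."""
    report = {"fault": None, "address": None, "null_page": None, "ip": None, "frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        fault = FAULT.search(line)
        if fault:
            report["fault"] = fault.group(1)
            report["address"] = int(fault.group(2), 16)
            report["null_page"] = report["address"] < 0x1000  # small offset from a NULL base
        elif line.startswith("IP:"):
            frame = FRAME.search(line)
            report["ip"] = frame.group(2) if frame else None
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            frame = FRAME.search(line)
            in_trace = frame is not None  # the trace ends at the first non-frame line
            if frame:
                report["frames"].append({"symbol": frame.group(2), "module": frame.group(3),
                                         "reliable": frame.group(1) is None})  # "?" = unverified
    return report

def modules_in_trace(report):
    """Loadable modules on reliable frames, in call order, de-duplicated."""
    mods = [f["module"] for f in report["frames"] if f["reliable"] and f["module"]]
    return list(dict.fromkeys(mods))
```

Frames with no bracketed module name belong to the core kernel image and are reported with `module` set to `None`.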

Comment 18 Eugene Teo (Security Response) 2011-02-24 02:51:00 UTC
Proposed patches:
[PATCH 1/2] rdma/cm: Fix crash in request handlers
http://www.spinics.net/lists/linux-rdma/msg07447.html
[PATCH 2/2] ib/cm: Bump reference count on cm_id before invoking callback
http://www.spinics.net/lists/linux-rdma/msg07448.html

Comment 26 Eugene Teo (Security Response) 2011-03-11 06:03:00 UTC
Statement:

This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0927.html, https://rhn.redhat.com/errata/RHSA-2011-0421.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.

Comment 31 errata-xmlrpc 2011-04-08 02:57:03 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0421 https://rhn.redhat.com/errata/RHSA-2011-0421.html

Comment 32 John Kacur 2011-04-12 12:30:04 UTC
Upstream commits:

25ae21a10112875763c18b385624df713a288a05
29963437a48475036353b95ab142bf199adb909e

Comment 33 errata-xmlrpc 2011-05-10 17:18:29 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html

Comment 34 errata-xmlrpc 2011-07-15 06:08:04 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0927 https://rhn.redhat.com/errata/RHSA-2011-0927.html

