linux-kernelorg-stable/drivers/infiniband/core
Leon Romanovsky 1dd017882e RDMA/core: Fix protection fault in get_pkey_idx_qp_list
We don't need to set pkey as valid in case the user set only one of pkey
index or port number; otherwise it will result in a NULL pointer
dereference while accessing the uninitialized pkey list.  The following
crash from Syzkaller revealed it.

  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP KASAN PTI
  CPU: 1 PID: 14753 Comm: syz-executor.2 Not tainted 5.5.0-rc5 #2
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
  RIP: 0010:get_pkey_idx_qp_list+0x161/0x2d0
  Code: 01 00 00 49 8b 5e 20 4c 39 e3 0f 84 b9 00 00 00 e8 e4 42 6e fe 48
  8d 7b 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04
  02 84 c0 74 08 3c 01 0f 8e d0 00 00 00 48 8d 7d 04 48 b8
  RSP: 0018:ffffc9000bc6f950 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff82c8bdec
  RDX: 0000000000000002 RSI: ffffc900030a8000 RDI: 0000000000000010
  RBP: ffff888112c8ce80 R08: 0000000000000004 R09: fffff5200178df1f
  R10: 0000000000000001 R11: fffff5200178df1f R12: ffff888115dc4430
  R13: ffff888115da8498 R14: ffff888115dc4410 R15: ffff888115da8000
  FS:  00007f20777de700(0000) GS:ffff88811b100000(0000)
  knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000001b2f721000 CR3: 00000001173ca002 CR4: 0000000000360ee0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   port_pkey_list_insert+0xd7/0x7c0
   ib_security_modify_qp+0x6fa/0xfc0
   _ib_modify_qp+0x8c4/0xbf0
   modify_qp+0x10da/0x16d0
   ib_uverbs_modify_qp+0x9a/0x100
   ib_uverbs_write+0xaa5/0xdf0
   __vfs_write+0x7c/0x100
   vfs_write+0x168/0x4a0
   ksys_write+0xc8/0x200
   do_syscall_64+0x9c/0x390
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: d291f1a652 ("IB/core: Enforce PKey security on QPs")
Link: https://lore.kernel.org/r/20200212080651.GB679970@unreal
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Message-Id: <20200212080651.GB679970@unreal>
2020-02-13 12:31:56 -04:00
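The validity rule the commit message describes, as an added example that is not the kernel's code and not part of the commit: a constructed C model of the modify-QP path in which a port/pkey pair is copied field by field from the request mask, then marked valid and looked up in a per-port list. Every name here (QP_PORT, QP_PKEY_INDEX, struct port_pkey, port_pkey_list_insert, NUM_PORTS) is an assumption chosen to mirror the trace, and the lookup on a never-allocated port slot is reported as -EFAULT rather than dereferencing NULL, so the faulty rule (either bit alone marks the pair valid) and the corrected rule (both bits required) can be run side by side.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (assumed names, not the kernel's own definitions).
 * The real attribute-mask bits live in include/rdma/ib_verbs.h. */
#define QP_PKEY_INDEX (1u << 0)
#define QP_PORT       (1u << 1)

#define NUM_PORTS 2      /* ports are 1-based; slot 0 is never allocated */

enum pkey_state { PKEY_NOT_VALID = 0, PKEY_VALID = 1 };

struct port_pkey {
    uint8_t port_num;
    uint16_t pkey_index;
    enum pkey_state state;
};

struct pkey_list {
    uint16_t pkey_index;
    int qp_count;
};

struct device {
    struct pkey_list *port_pkey_list[NUM_PORTS + 1];
};

/* Copy the port/pkey settings named by the mask.  A field that is not in
 * the mask keeps its zeroed value, so a partial request leaves one of the
 * two fields uninitialised from the lookup's point of view. */
void set_port_pkey(struct port_pkey *pp, unsigned mask, uint8_t port_num,
                   uint16_t pkey_index, bool buggy)
{
    memset(pp, 0, sizeof(*pp));
    if (mask & QP_PORT)
        pp->port_num = port_num;
    if (mask & QP_PKEY_INDEX)
        pp->pkey_index = pkey_index;

    if (buggy) {
        /* Faulty rule: either bit alone marks the pair as valid. */
        if (mask & (QP_PORT | QP_PKEY_INDEX))
            pp->state = PKEY_VALID;
    } else {
        /* Corrected rule: the pair is valid only when both were supplied. */
        if ((mask & QP_PORT) && (mask & QP_PKEY_INDEX))
            pp->state = PKEY_VALID;
    }
}

/* Insert the QP into the pkey list of its port.  Only VALID entries are
 * looked up; a lookup on a port slot that was never allocated is the NULL
 * dereference in the trace, modelled here as -EFAULT instead of a crash. */
int port_pkey_list_insert(struct device *dev, const struct port_pkey *pp)
{
    if (pp->state != PKEY_VALID)
        return 0;                 /* nothing to enforce yet */
    if (pp->port_num > NUM_PORTS)
        return -EINVAL;
    struct pkey_list *list = dev->port_pkey_list[pp->port_num];
    if (!list)
        return -EFAULT;           /* would be the GPF in the real path */
    list->pkey_index = pp->pkey_index;
    list->qp_count++;
    return 0;
}

/* State the two rules assign for a given mask, ignoring the field values. */
enum pkey_state state_for_mask(unsigned mask, bool buggy)
{
    struct port_pkey pp;
    set_port_pkey(&pp, mask, 1, 0, buggy);
    return pp.state;
}

/* Run one modify-QP request against a freshly initialised device and
 * return the insert result (0, -EINVAL or -EFAULT). */
int scenario(unsigned mask, uint8_t port_num, uint16_t pkey_index, bool buggy)
{
    struct pkey_list lists[NUM_PORTS];
    struct device dev;
    struct port_pkey pp;

    memset(lists, 0, sizeof(lists));
    memset(&dev, 0, sizeof(dev));
    for (int p = 1; p <= NUM_PORTS; p++)
        dev.port_pkey_list[p] = &lists[p - 1];

    set_port_pkey(&pp, mask, port_num, pkey_index, buggy);
    return port_pkey_list_insert(&dev, &pp);
}

int main(void)
{
    /* Only the pkey index is supplied; the port number stays 0. */
    printf("buggy, pkey only: %d\n", scenario(QP_PKEY_INDEX, 0, 3, true));
    printf("fixed, pkey only: %d\n", scenario(QP_PKEY_INDEX, 0, 3, false));
    printf("fixed, both set : %d\n",
           scenario(QP_PKEY_INDEX | QP_PORT, 1, 3, false));
    return 0;
}
```

With the faulty rule a request carrying only the pkey index is marked valid and the insert path indexes port 0, which has no list; with the corrected rule the same request is left NOT_VALID and the lookup never runs, which is the behaviour the fix restores.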
Makefile RDMA/core: Make ib_uverbs_async_event_file into a uobject 2020-01-13 16:20:16 -04:00
addr.c
agent.c
agent.h
cache.c
cgroup.c
cm.c RDMA/cm: Remove CM message structs 2020-01-25 15:11:37 -04:00
cm_msgs.h RDMA/cm: Remove CM message structs 2020-01-25 15:11:37 -04:00
cma.c RDMA/cma: Fix unbalanced cm_id reference count during address resolve 2020-01-28 14:15:23 -04:00
cma_configfs.c
cma_priv.h
cma_trace.c
cma_trace.h
core_priv.h RDMA/core: Do not erase the type of ib_qp.uobject 2020-01-13 16:20:15 -04:00
counters.c
cq.c
device.c
fmr_pool.c
ib_core_uverbs.c RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence 2020-01-25 14:48:33 -04:00
iwcm.c
iwcm.h
iwpm_msg.c
iwpm_util.c
iwpm_util.h
mad.c
mad_priv.h
mad_rmpp.c
mad_rmpp.h
mr_pool.c
multicast.c
netlink.c
nldev.c RDMA/core: Do not erase the type of ib_cq.uobject 2020-01-13 16:20:15 -04:00
opa_smi.h
packer.c
rdma_core.c RDMA/core: Remove ucontext_lock from the uverbs_destry_ufile_hw() path 2020-01-16 15:55:45 -04:00
rdma_core.h RDMA/core: Make ib_uverbs_async_event_file into a uobject 2020-01-13 16:20:16 -04:00
restrack.c
restrack.h
roce_gid_mgmt.c
rw.c
sa.h
sa_query.c
security.c RDMA/core: Fix protection fault in get_pkey_idx_qp_list 2020-02-13 12:31:56 -04:00
smi.c
smi.h
sysfs.c
trace.c
ucma.c
ud_header.c
umem.c RDMA subsystem updates for 5.6 2020-01-31 14:40:36 -08:00
umem_odp.c RDMA subsystem updates for 5.6 2020-01-31 14:40:36 -08:00
user_mad.c IB/umad: Fix kernel crash while unloading ib_umad 2020-02-13 10:00:50 -04:00
uverbs.h RDMA/core: Make the entire API tree static 2020-01-30 16:28:52 -04:00
uverbs_cmd.c RDMA/core: Fix invalid memory access in spec_filter_size 2020-02-11 14:14:52 -04:00
uverbs_ioctl.c RDMA/core: Do not allow alloc_commit to fail 2020-01-13 16:20:15 -04:00
uverbs_main.c RDMA/uverbs: Add ioctl command to get a device context 2020-01-16 15:55:45 -04:00
uverbs_marshall.c
uverbs_std_types.c RDMA/core: Add missing list deletion on freeing event queue 2020-02-13 09:44:49 -04:00
uverbs_std_types_async_fd.c RDMA/uverbs: Add ioctl command to get a device context 2020-01-16 15:55:45 -04:00
uverbs_std_types_counters.c
uverbs_std_types_cq.c RDMA/core: Use READ_ONCE for ib_ufile.async_file 2020-01-13 16:20:16 -04:00
uverbs_std_types_device.c RDMA/core: Add the core support field to METHOD_GET_CONTEXT 2020-01-16 15:55:46 -04:00
uverbs_std_types_dm.c
uverbs_std_types_flow_action.c
uverbs_std_types_mr.c
uverbs_uapi.c RDMA/core: Make ib_uverbs_async_event_file into a uobject 2020-01-13 16:20:16 -04:00
verbs.c Use ODP MRs for kernel ULPs 2020-01-21 09:55:04 -04:00