alistair23-linux/drivers/infiniband/core
Avihai Horon d020ff5060 RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow
commit 987914ab84 upstream.

After a successful allocation of path_rec, num_paths is set to 1, but any
error after such allocation will leave num_paths uncleared.

This causes a NULL pointer to be dereferenced later on. Hence, num_paths
needs to be set back to 0 if such an error occurs.

The following crash from syzkaller revealed it.

  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
  CPU: 0 PID: 357 Comm: syz-executor060 Not tainted 4.18.0+ #311
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
  RIP: 0010:ib_copy_path_rec_to_user+0x94/0x3e0
  Code: f1 f1 f1 f1 c7 40 0c 00 00 f4 f4 65 48 8b 04 25 28 00 00 00 48 89
  45 c8 31 c0 e8 d7 60 24 ff 48 8d 7b 4c 48 89 f8 48 c1 e8 03 <42> 0f b6
  14 30 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
  RSP: 0018:ffff88006586f980 EFLAGS: 00010207
  RAX: 0000000000000009 RBX: 0000000000000000 RCX: 1ffff1000d5fe475
  RDX: ffff8800621e17c0 RSI: ffffffff820d45f9 RDI: 000000000000004c
  RBP: ffff88006586fa50 R08: ffffed000cb0df73 R09: ffffed000cb0df72
  R10: ffff88006586fa70 R11: ffffed000cb0df73 R12: 1ffff1000cb0df30
  R13: ffff88006586fae8 R14: dffffc0000000000 R15: ffff88006aff2200
  FS: 00000000016fc880(0000) GS:ffff88006d000000(0000)
  knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000020000040 CR3: 0000000063fec000 CR4: 00000000000006b0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
  ? ib_copy_path_rec_from_user+0xcc0/0xcc0
  ? __mutex_unlock_slowpath+0xfc/0x670
  ? wait_for_completion+0x3b0/0x3b0
  ? ucma_query_route+0x818/0xc60
  ucma_query_route+0x818/0xc60
  ? ucma_listen+0x1b0/0x1b0
  ? sched_clock_cpu+0x18/0x1d0
  ? sched_clock_cpu+0x18/0x1d0
  ? ucma_listen+0x1b0/0x1b0
  ? ucma_write+0x292/0x460
  ucma_write+0x292/0x460
  ? ucma_close_id+0x60/0x60
  ? sched_clock_cpu+0x18/0x1d0
  ? sched_clock_cpu+0x18/0x1d0
  __vfs_write+0xf7/0x620
  ? ucma_close_id+0x60/0x60
  ? kernel_read+0x110/0x110
  ? time_hardirqs_on+0x19/0x580
  ? lock_acquire+0x18b/0x3a0
  ? finish_task_switch+0xf3/0x5d0
  ? _raw_spin_unlock_irq+0x29/0x40
  ? _raw_spin_unlock_irq+0x29/0x40
  ? finish_task_switch+0x1be/0x5d0
  ? __switch_to_asm+0x34/0x70
  ? __switch_to_asm+0x40/0x70
  ? security_file_permission+0x172/0x1e0
  vfs_write+0x192/0x460
  ksys_write+0xc6/0x1a0
  ? __ia32_sys_read+0xb0/0xb0
  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
  ? do_syscall_64+0x1d/0x470
  do_syscall_64+0x9e/0x470
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 3c86aa70bf ("RDMA/cm: Add RDMA CM support for IBoE devices")
Link: https://lore.kernel.org/r/20200318101741.47211-1-leon@kernel.org
Signed-off-by: Avihai Horon <avihaih@mellanox.com>
Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-13 10:48:14 +02:00
addr.c
agent.c
agent.h
cache.c
cgroup.c
cm.c RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen() 2020-03-12 13:00:29 +01:00
cm_msgs.h
cma.c RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow 2020-04-13 10:48:14 +02:00
cma_configfs.c
cma_priv.h
core_priv.h RDMA/core: Fix protection fault in ib_mr_pool_destroy 2020-03-12 13:00:29 +01:00
counters.c
cq.c
device.c RDMA/core: Fix missing error check on dev_set_name() 2020-04-01 11:01:58 +02:00
fmr_pool.c
iwcm.c RDMA/iwcm: Fix iwcm work deallocation 2020-03-12 13:00:29 +01:00
iwcm.h
iwpm_msg.c
iwpm_util.c
iwpm_util.h
mad.c
mad_priv.h
mad_rmpp.c
mad_rmpp.h
Makefile
mr_pool.c
multicast.c
netlink.c
nldev.c RDMA/nl: Do not permit empty devices names during RDMA_NLDEV_CMD_NEWLINK/SET 2020-04-01 11:01:58 +02:00
opa_smi.h
packer.c
rdma_core.c
rdma_core.h
restrack.c
restrack.h
roce_gid_mgmt.c
rw.c RDMA/rw: Fix error flow during RDMA context initialization 2020-03-12 13:00:29 +01:00
sa.h
sa_query.c
security.c RDMA/core: Ensure security pkey modify is not lost 2020-04-01 11:02:04 +02:00
smi.c
smi.h
sysfs.c
ucma.c RDMA/ucma: Put a lock around every call to the rdma_cm layer 2020-04-13 10:48:12 +02:00
ud_header.c
umem.c
umem_odp.c
user_mad.c RDMA/mad: Do not crash if the rdma device does not have a umad interface 2020-04-01 11:01:58 +02:00
uverbs.h
uverbs_cmd.c RDMA/core: Fix protection fault in ib_mr_pool_destroy 2020-03-12 13:00:29 +01:00
uverbs_ioctl.c
uverbs_main.c
uverbs_marshall.c
uverbs_std_types.c
uverbs_std_types_counters.c
uverbs_std_types_cq.c
uverbs_std_types_device.c
uverbs_std_types_dm.c
uverbs_std_types_flow_action.c
uverbs_std_types_mr.c
uverbs_uapi.c
verbs.c RDMA/core: Fix protection fault in ib_mr_pool_destroy 2020-03-12 13:00:29 +01:00