leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
23ab5261e2
linux/drivers/infiniband/core
History
Avihai Horon 987914ab84 RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow 
After a successful allocation of path_rec, num_paths is set to 1, but any
error after such allocation will leave num_paths uncleared.

This causes to de-referencing a NULL pointer later on. Hence, num_paths
needs to be set back to 0 if such an error occurs.

The following crash from syzkaller revealed it.

  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
  CPU: 0 PID: 357 Comm: syz-executor060 Not tainted 4.18.0+ #311
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
  RIP: 0010:ib_copy_path_rec_to_user+0x94/0x3e0
  Code: f1 f1 f1 f1 c7 40 0c 00 00 f4 f4 65 48 8b 04 25 28 00 00 00 48 89
  45 c8 31 c0 e8 d7 60 24 ff 48 8d 7b 4c 48 89 f8 48 c1 e8 03 <42> 0f b6
  14 30 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
  RSP: 0018:ffff88006586f980 EFLAGS: 00010207
  RAX: 0000000000000009 RBX: 0000000000000000 RCX: 1ffff1000d5fe475
  RDX: ffff8800621e17c0 RSI: ffffffff820d45f9 RDI: 000000000000004c
  RBP: ffff88006586fa50 R08: ffffed000cb0df73 R09: ffffed000cb0df72
  R10: ffff88006586fa70 R11: ffffed000cb0df73 R12: 1ffff1000cb0df30
  R13: ffff88006586fae8 R14: dffffc0000000000 R15: ffff88006aff2200
  FS: 00000000016fc880(0000) GS:ffff88006d000000(0000)
  knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000020000040 CR3: 0000000063fec000 CR4: 00000000000006b0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
  ? ib_copy_path_rec_from_user+0xcc0/0xcc0
  ? __mutex_unlock_slowpath+0xfc/0x670
  ? wait_for_completion+0x3b0/0x3b0
  ? ucma_query_route+0x818/0xc60
  ucma_query_route+0x818/0xc60
  ? ucma_listen+0x1b0/0x1b0
  ? sched_clock_cpu+0x18/0x1d0
  ? sched_clock_cpu+0x18/0x1d0
  ? ucma_listen+0x1b0/0x1b0
  ? ucma_write+0x292/0x460
  ucma_write+0x292/0x460
  ? ucma_close_id+0x60/0x60
  ? sched_clock_cpu+0x18/0x1d0
  ? sched_clock_cpu+0x18/0x1d0
  __vfs_write+0xf7/0x620
  ? ucma_close_id+0x60/0x60
  ? kernel_read+0x110/0x110
  ? time_hardirqs_on+0x19/0x580
  ? lock_acquire+0x18b/0x3a0
  ? finish_task_switch+0xf3/0x5d0
  ? _raw_spin_unlock_irq+0x29/0x40
  ? _raw_spin_unlock_irq+0x29/0x40
  ? finish_task_switch+0x1be/0x5d0
  ? __switch_to_asm+0x34/0x70
  ? __switch_to_asm+0x40/0x70
  ? security_file_permission+0x172/0x1e0
  vfs_write+0x192/0x460
  ksys_write+0xc6/0x1a0
  ? __ia32_sys_read+0xb0/0xb0
  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
  ? do_syscall_64+0x1d/0x470
  do_syscall_64+0x9e/0x470
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 3c86aa70bf ("RDMA/cm: Add RDMA CM support for IBoE devices")
Link: https://lore.kernel.org/r/20200318101741.47211-1-leon@kernel.org
Signed-off-by: Avihai Horon <avihaih@mellanox.com>
Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2020-03-26 14:43:12 -03:00
..
addr.c RDMA/netlink: Do not always generate an ACK for some netlink operations 2020-01-03 16:02:32 -04:00
agent.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
agent.h
cache.c RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
cgroup.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
cm_msgs.h RDMA/cm: Remove CM message structs 2020-01-25 15:11:37 -04:00
cm.c RDMA/cm: Make sure the cm_id is in the IB_CM_IDLE state in destroy 2020-03-17 17:05:54 -03:00
cma_configfs.c RDMA/cma: Rename cma_device ref/deref helpers to to get/put 2020-02-11 13:55:13 -04:00
cma_priv.h RDMA/cma: Use refcount API to reflect refcount 2020-02-11 14:00:40 -04:00
cma_trace.c RDMA/cma: Add trace points in RDMA Connection Manager 2020-01-07 16:10:53 -04:00
cma_trace.h RDMA/cma: Add trace points in RDMA Connection Manager 2020-01-07 16:10:53 -04:00
cma.c RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow 2020-03-26 14:43:12 -03:00
core_priv.h RDMA/core: Fix protection fault in ib_mr_pool_destroy 2020-03-04 13:43:02 -04:00
counters.c RDMA/counter: Prevent auto-binding a QP which are not tracked with res 2019-12-12 15:38:15 -05:00
cq.c RDMA/core: Trace points for diagnosing completion queue issues 2020-01-07 16:10:53 -04:00
device.c RDMA/core: Remove err in iw_query_port 2020-01-10 11:19:04 -04:00
fmr_pool.c RDMA: Delete DEBUG code 2019-08-20 13:27:53 -04:00
ib_core_uverbs.c RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence 2020-01-25 14:48:33 -04:00
iwcm.c RDMA/iwcm: Fix iwcm work deallocation 2020-03-04 14:28:25 -04:00
iwcm.h
iwpm_msg.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.h infiniband: fix core/ipwm_util.h kernel-doc warnings 2019-10-22 14:45:31 -03:00
mad_priv.h RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
mad_rmpp.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
mad_rmpp.h
mad.c RDMA: Change MAD processing function to remove extra casting and parameter 2019-11-12 20:20:15 -04:00
Makefile RDMA/core: Make ib_uverbs_async_event_file into a uobject 2020-01-13 16:20:16 -04:00
mr_pool.c Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
multicast.c RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
netlink.c IB/core: Avoid deadlock during netlink message handling 2019-10-24 20:49:37 -03:00
nldev.c RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing 2020-03-04 14:17:10 -04:00
opa_smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
packer.c
rdma_core.c RDMA/core: Remove ucontext_lock from the uverbs_destry_ufile_hw() path 2020-01-16 15:55:45 -04:00
rdma_core.h RDMA/core: Make ib_uverbs_async_event_file into a uobject 2020-01-13 16:20:16 -04:00
restrack.c RDMA/restrack: Remove PID namespace support 2019-10-23 15:58:31 -03:00
restrack.h RDMA/restrack: Remove PID namespace support 2019-10-23 15:58:31 -03:00
roce_gid_mgmt.c drivers: use in_dev_for_each_ifa_rtnl/rcu 2019-06-02 18:06:26 -07:00
rw.c RDMA/rw: map P2P memory correctly for signature operations 2020-03-10 12:56:17 -03:00
sa_query.c RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
sa.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
security.c RDMA/core: Fix pkey and port assignment in get_new_pps 2020-02-28 11:16:08 -04:00
smi.c
smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
sysfs.c RDMA: Change MAD processing function to remove extra casting and parameter 2019-11-12 20:20:15 -04:00
trace.c RDMA/core: Trace points for diagnosing completion queue issues 2020-01-07 16:10:53 -04:00
ucma.c RDMA/ucma: Put a lock around every call to the rdma_cm layer 2020-02-27 16:40:40 -04:00
ud_header.c
umem_odp.c RDMA/odp: Ensure the mm is still alive before creating an implicit child 2020-03-04 13:56:07 -04:00
umem.c RDMA/core: Add weak ordering dma attr to dma mapping 2020-02-13 13:38:02 -04:00
user_mad.c IB/umad: Fix kernel crash while unloading ib_umad 2020-02-13 10:00:50 -04:00
uverbs_cmd.c RDMA/core: Fix protection fault in ib_mr_pool_destroy 2020-03-04 13:43:02 -04:00
uverbs_ioctl.c RDMA/core: Do not allow alloc_commit to fail 2020-01-13 16:20:15 -04:00
uverbs_main.c RDMA/uverbs: Add ioctl command to get a device context 2020-01-16 15:55:45 -04:00
uverbs_marshall.c IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *' 2018-06-25 14:19:57 -06:00
uverbs_std_types_async_fd.c RDMA/uverbs: Add ioctl command to get a device context 2020-01-16 15:55:45 -04:00
uverbs_std_types_counters.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_cq.c RDMA/core: Use READ_ONCE for ib_ufile.async_file 2020-01-13 16:20:16 -04:00
uverbs_std_types_device.c RDMA/core: Add the core support field to METHOD_GET_CONTEXT 2020-01-16 15:55:46 -04:00
uverbs_std_types_dm.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_flow_action.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_mr.c Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
uverbs_std_types.c RDMA/core: Add missing list deletion on freeing event queue 2020-02-13 09:44:49 -04:00
uverbs_uapi.c RDMA/core: Make ib_uverbs_async_event_file into a uobject 2020-01-13 16:20:16 -04:00
uverbs.h RDMA/core: Make the entire API tree static 2020-01-30 16:28:52 -04:00
verbs.c RDMA/core: Remove the duplicate header file 2020-03-10 14:34:54 -03:00