linux_dsm_epyc7002/drivers/infiniband/core
Avihai Horon a72f4ac1d7 RDMA/core: Fix invalid memory access in spec_filter_size
Add a check that the size specified in the flow spec header doesn't cause
an overflow when calculating the filter size, and thus prevent access to
invalid memory.  The following crash from syzkaller revealed it.

  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP KASAN PTI
  CPU: 1 PID: 17834 Comm: syz-executor.3 Not tainted 5.5.0-rc5 #2
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
  RIP: 0010:memchr_inv+0xd3/0x330
  Code: 89 f9 89 f5 83 e1 07 0f 85 f9 00 00 00 49 89 d5 49 c1 ed 03 45 85
  ed 74 6f 48 89 d9 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 <80> 3c 01
  00 0f 85 0d 02 00 00 44 0f b6 e5 48 b8 01 01 01 01 01 01
  RSP: 0018:ffffc9000a13fa50 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: 7fff88810de9d820 RCX: 0ffff11021bd3b04
  RDX: 000000000000fff8 RSI: 0000000000000000 RDI: 7fff88810de9d820
  RBP: 0000000000000000 R08: ffff888110d69018 R09: 0000000000000009
  R10: 0000000000000001 R11: ffffed10236267cc R12: 0000000000000004
  R13: 0000000000001fff R14: ffff88810de9d820 R15: 0000000000000040
  FS:  00007f9ee0e51700(0000) GS:ffff88811b100000(0000)
  knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000000 CR3: 0000000115ea0006 CR4: 0000000000360ee0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   spec_filter_size.part.16+0x34/0x50
   ib_uverbs_kern_spec_to_ib_spec_filter+0x691/0x770
   ib_uverbs_ex_create_flow+0x9ea/0x1b40
   ib_uverbs_write+0xaa5/0xdf0
   __vfs_write+0x7c/0x100
   vfs_write+0x168/0x4a0
   ksys_write+0xc8/0x200
   do_syscall_64+0x9c/0x390
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x465b49
  Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
  f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
  f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
  RSP: 002b:00007f9ee0e50c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
  RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000465b49
  RDX: 00000000000003a0 RSI: 00000000200007c0 RDI: 0000000000000004
  RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ee0e516bc
  R13: 00000000004ca2da R14: 000000000070deb8 R15: 00000000ffffffff
  Modules linked in:
  Dumping ftrace buffer:
     (ftrace buffer empty)

Fixes: 94e03f11ad ("IB/uverbs: Add support for flow tag")
Link: https://lore.kernel.org/r/20200126171500.4623-1-leon@kernel.org
Signed-off-by: Avihai Horon <avihaih@mellanox.com>
Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2020-02-11 14:14:52 -04:00
addr.c RDMA/netlink: Do not always generate an ACK for some netlink operations 2020-01-03 16:02:32 -04:00
agent.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
agent.h
cache.c IB/core: Cut down single member ib_cache structure 2020-01-07 20:18:11 -04:00
cgroup.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
cm_msgs.h RDMA/cm: Remove CM message structs 2020-01-25 15:11:37 -04:00
cm.c RDMA/cm: Remove CM message structs 2020-01-25 15:11:37 -04:00
cma_configfs.c RDMA/core: Annotate destroy of mutex to ensure that it is released as unlocked 2019-07-25 12:07:14 -03:00
cma_priv.h IB/cma: Define option to set ack timeout and pack tos_set 2019-02-08 16:14:21 -07:00
cma_trace.c RDMA/cma: Add trace points in RDMA Connection Manager 2020-01-07 16:10:53 -04:00
cma_trace.h RDMA/cma: Add trace points in RDMA Connection Manager 2020-01-07 16:10:53 -04:00
cma.c RDMA/cma: Fix unbalanced cm_id reference count during address resolve 2020-01-28 14:15:23 -04:00
core_priv.h RDMA/core: Do not erase the type of ib_qp.uobject 2020-01-13 16:20:15 -04:00
counters.c RDMA/counter: Prevent auto-binding a QP which are not tracked with res 2019-12-12 15:38:15 -05:00
cq.c RDMA/core: Trace points for diagnosing completion queue issues 2020-01-07 16:10:53 -04:00
device.c RDMA/core: Remove err in iw_query_port 2020-01-10 11:19:04 -04:00
fmr_pool.c RDMA: Delete DEBUG code 2019-08-20 13:27:53 -04:00
ib_core_uverbs.c RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence 2020-01-25 14:48:33 -04:00
iwcm.c RDMA/iwcm: move iw_rem_ref() calls out of spinlock 2019-10-18 14:40:01 -04:00
iwcm.h iw_cm: free cm_id resources on the last deref 2016-08-02 13:15:18 -04:00
iwpm_msg.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.h infiniband: fix core/ipwm_util.h kernel-doc warnings 2019-10-22 14:45:31 -03:00
mad_priv.h RDMA: Use __packed annotation instead of __attribute__ ((packed)) 2019-03-25 21:14:12 -03:00
mad_rmpp.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
mad_rmpp.h
mad.c RDMA: Change MAD processing function to remove extra casting and parameter 2019-11-12 20:20:15 -04:00
Makefile RDMA/core: Make ib_uverbs_async_event_file into a uobject 2020-01-13 16:20:16 -04:00
mr_pool.c Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
multicast.c IB/core, ipoib: Do not overreact to SM LID change event 2019-05-07 16:06:03 -03:00
netlink.c IB/core: Avoid deadlock during netlink message handling 2019-10-24 20:49:37 -03:00
nldev.c RDMA/core: Do not erase the type of ib_cq.uobject 2020-01-13 16:20:15 -04:00
opa_smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
packer.c
rdma_core.c RDMA/core: Remove ucontext_lock from the uverbs_destry_ufile_hw() path 2020-01-16 15:55:45 -04:00
rdma_core.h RDMA/core: Make ib_uverbs_async_event_file into a uobject 2020-01-13 16:20:16 -04:00
restrack.c RDMA/restrack: Remove PID namespace support 2019-10-23 15:58:31 -03:00
restrack.h RDMA/restrack: Remove PID namespace support 2019-10-23 15:58:31 -03:00
roce_gid_mgmt.c drivers: use in_dev_for_each_ifa_rtnl/rcu 2019-06-02 18:06:26 -07:00
rw.c RDMA/rw: Support threshold for registration vs scattering to local pages 2019-10-22 14:26:52 -03:00
sa_query.c RDMA/netlink: Do not always generate an ACK for some netlink operations 2020-01-03 16:02:32 -04:00
sa.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
security.c IB/core: Fix wrong iterating on ports 2019-10-04 15:50:27 -03:00
smi.c
smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
sysfs.c RDMA: Change MAD processing function to remove extra casting and parameter 2019-11-12 20:20:15 -04:00
trace.c RDMA/core: Trace points for diagnosing completion queue issues 2020-01-07 16:10:53 -04:00
ucma.c RDMA: Report available cdevs through RDMA_NLDEV_CMD_GET_CHARDEV 2019-06-18 22:44:08 -04:00
ud_header.c
umem_odp.c RDMA subsystem updates for 5.6 2020-01-31 14:40:36 -08:00
umem.c RDMA subsystem updates for 5.6 2020-01-31 14:40:36 -08:00
user_mad.c Merge branch 'odp_fixes' into rdma.git for-next 2019-08-21 14:10:36 -03:00
uverbs_cmd.c RDMA/core: Fix invalid memory access in spec_filter_size 2020-02-11 14:14:52 -04:00
uverbs_ioctl.c RDMA/core: Do not allow alloc_commit to fail 2020-01-13 16:20:15 -04:00
uverbs_main.c RDMA/uverbs: Add ioctl command to get a device context 2020-01-16 15:55:45 -04:00
uverbs_marshall.c IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *' 2018-06-25 14:19:57 -06:00
uverbs_std_types_async_fd.c RDMA/uverbs: Add ioctl command to get a device context 2020-01-16 15:55:45 -04:00
uverbs_std_types_counters.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_cq.c RDMA/core: Use READ_ONCE for ib_ufile.async_file 2020-01-13 16:20:16 -04:00
uverbs_std_types_device.c RDMA/core: Add the core support field to METHOD_GET_CONTEXT 2020-01-16 15:55:46 -04:00
uverbs_std_types_dm.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_flow_action.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_mr.c Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
uverbs_std_types.c RDMA/core: Use READ_ONCE for ib_ufile.async_file 2020-01-13 16:20:16 -04:00
uverbs_uapi.c RDMA/core: Make ib_uverbs_async_event_file into a uobject 2020-01-13 16:20:16 -04:00
uverbs.h RDMA/core: Make the entire API tree static 2020-01-30 16:28:52 -04:00
verbs.c Use ODP MRs for kernel ULPs 2020-01-21 09:55:04 -04:00