linux/drivers
Leon Romanovsky 5595f49277 RDMA/core: Fix protection fault in get_pkey_idx_qp_list
commit 1dd017882e upstream.

We don't need to set pkey as valid in case the user set only one of pkey
index or port number; otherwise it will result in a NULL pointer
dereference while accessing the uninitialized pkey list.  The following
crash from Syzkaller revealed it.

  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP KASAN PTI
  CPU: 1 PID: 14753 Comm: syz-executor.2 Not tainted 5.5.0-rc5 #2
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
  RIP: 0010:get_pkey_idx_qp_list+0x161/0x2d0
  Code: 01 00 00 49 8b 5e 20 4c 39 e3 0f 84 b9 00 00 00 e8 e4 42 6e fe 48
  8d 7b 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04
  02 84 c0 74 08 3c 01 0f 8e d0 00 00 00 48 8d 7d 04 48 b8
  RSP: 0018:ffffc9000bc6f950 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff82c8bdec
  RDX: 0000000000000002 RSI: ffffc900030a8000 RDI: 0000000000000010
  RBP: ffff888112c8ce80 R08: 0000000000000004 R09: fffff5200178df1f
  R10: 0000000000000001 R11: fffff5200178df1f R12: ffff888115dc4430
  R13: ffff888115da8498 R14: ffff888115dc4410 R15: ffff888115da8000
  FS:  00007f20777de700(0000) GS:ffff88811b100000(0000)
  knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000001b2f721000 CR3: 00000001173ca002 CR4: 0000000000360ee0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   port_pkey_list_insert+0xd7/0x7c0
   ib_security_modify_qp+0x6fa/0xfc0
   _ib_modify_qp+0x8c4/0xbf0
   modify_qp+0x10da/0x16d0
   ib_uverbs_modify_qp+0x9a/0x100
   ib_uverbs_write+0xaa5/0xdf0
   __vfs_write+0x7c/0x100
   vfs_write+0x168/0x4a0
   ksys_write+0xc8/0x200
   do_syscall_64+0x9c/0x390
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: d291f1a652 ("IB/core: Enforce PKey security on QPs")
Link: https://lore.kernel.org/r/20200212080651.GB679970@unreal
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Message-Id: <20200212080651.GB679970@unreal>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-19 19:51:58 +01:00
accessibility
acpi ACPI / battery: Deal better with neither design nor full capacity not being reported 2020-02-11 04:33:59 -08:00
amba
android binder: Handle start==NULL in binder_update_page_range() 2019-12-13 08:52:52 +01:00
ata ahci: Do not export local variable ahci_em_messages 2020-01-27 14:51:07 +01:00
atm atm: eni: fix uninitialized variable warning 2020-02-01 09:37:09 +00:00
auxdisplay
base PM: core: Fix handling of devices deleted during system-wide resume 2020-02-11 04:34:03 -08:00
bcma bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA 2020-01-27 14:51:09 +01:00
block signal: Allow cifs and drbd to receive their terminating signals 2020-01-27 14:51:05 +01:00
bluetooth Bluetooth: btusb: fix PM leak in error case of setup 2020-01-09 10:19:04 +01:00
bus bus: ti-sysc: Fix sysc_unprepare() when no clocks have been allocated 2020-01-27 14:50:36 +01:00
cdrom cdrom: respect device capabilities during opening action 2020-01-04 19:13:12 +01:00
char ttyprintk: fix a potential deadlock in interrupt context issue 2020-02-05 14:43:39 +00:00
clk clk: tegra: Mark fuse clock as critical 2020-02-11 04:34:11 -08:00
clocksource clocksource/drivers/exynos_mct: Fix error path in timer resources initialization 2020-01-27 14:50:27 +01:00
connector
cpufreq cpufreq: brcmstb-avs-cpufreq: Fix types for voltage/frequency 2020-01-27 14:50:53 +01:00
cpuidle cpuidle: Do not unset the driver if it is there already 2019-12-17 20:35:00 +01:00
crypto crypto: atmel-sha - fix error handling when setting hmac key 2020-02-14 16:33:27 -05:00
dax
dca
devfreq PM / devfreq: Add new name attribute for sysfs 2020-02-05 14:43:34 +00:00
dio
dma dmaengine: ti: edma: fix missed failure handling 2020-01-27 14:51:22 +01:00
dma-buf dma-buf: Fix memory leak in sync_file_merge() 2019-12-21 10:57:38 +01:00
edac EDAC/mc: Fix edac_mc_find() in case no device is found 2020-01-27 14:50:48 +01:00
eisa
extcon extcon: sm5502: Reset registers during initialization 2019-12-31 16:35:11 +01:00
firewire net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:19:09 +01:00
firmware firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices 2020-01-27 14:51:19 +01:00
fmc
fpga
fsi fsi: sbefifo: Don't fail operations when in SBE IPL state 2020-01-27 14:51:00 +01:00
gnss
gpio gpio: zynq: Report gpio direction at boot 2020-02-14 16:33:24 -05:00
gpu drm/dp_mst: Remove VCPI while disabling topology mgr 2020-02-11 04:34:16 -08:00
hid HID: steam: Fix input device disappearing 2020-02-01 09:37:09 +00:00
hsi
hv hv_balloon: Balloon up according to request page number 2020-02-11 04:34:01 -08:00
hwmon hwmon: (nct7802) Fix voltage limits to wrong registers 2020-01-29 16:43:21 +01:00
hwspinlock
hwtracing coresight: tmc-etf: Do not call smp_processor_id from preemptible 2020-01-29 16:43:23 +01:00
i2c i2c: stm32f7: report dma error during probe 2020-01-27 14:51:21 +01:00
ide
idle
iio iio: st_gyro: Correct data for LSM9DS0 gyro 2020-02-01 09:37:04 +00:00
infiniband RDMA/core: Fix protection fault in get_pkey_idx_qp_list 2020-02-19 19:51:58 +01:00
input Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list 2020-02-19 19:51:53 +01:00
iommu iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA 2020-02-14 16:33:26 -05:00
ipack
irqchip irqchip: Place CONFIG_SIFIVE_PLIC into the menu 2020-01-23 08:21:36 +01:00
isdn staging: gigaset: add endpoint-type sanity check 2019-12-17 20:34:33 +01:00
leds led: triggers: Fix dereferencing of null pointer 2020-01-27 14:51:10 +01:00
lightnvm lightnvm: pblk: fix lock order in pblk_rb_tear_down_check 2020-01-27 14:50:45 +01:00
macintosh macintosh/windfarm_smu_sat: Fix debug output 2019-12-01 09:16:37 +01:00
mailbox mailbox: qcom-apcs: fix max_register value 2020-01-27 14:51:14 +01:00
mcb
md bcache: add readahead cache policy options via sysfs interface 2020-02-11 04:34:08 -08:00
media media: i2c: adv748x: Fix unsafe macros 2020-02-14 16:33:27 -05:00
memory memory: tegra: Don't invoke Tegra30+ specific memory timing setup on Tegra20 2020-01-27 14:50:13 +01:00
memstick
message scsi: mptfusion: Fix double fetch bug in ioctl 2020-01-23 08:21:28 +01:00
mfd mfd: rn5t618: Mark ADC control register volatile 2020-02-11 04:34:14 -08:00
misc mei: me: add comet point (lake) H device ids 2020-02-01 09:37:04 +00:00
mmc mmc: sdhci-of-at91: fix memleak on clk_get failure 2020-02-11 04:34:00 -08:00
mtd mtd: sharpslpart: Fix unsigned comparison to zero 2020-02-14 16:33:27 -05:00
mux
net libertas: make lbs_ibss_join_existing() return error code on rates overflow 2020-02-14 16:33:27 -05:00
nfc NFC: pn544: Adjust indentation in pn544_hci_check_presence 2020-02-11 04:34:12 -08:00
ntb ntb_hw_switchtec: potential shift wrapping bug in switchtec_ntb_init_sndev() 2020-01-27 14:50:55 +01:00
nubus
nvdimm libnvdimm/btt: fix variable 'rc' set but not used 2020-01-04 19:13:00 +01:00
nvme nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info 2020-02-19 19:51:57 +01:00
nvmem nvmem: imx-ocotp: Change TIMING calculation to u-boot algorithm 2020-01-27 14:50:58 +01:00
of of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc 2020-02-11 04:34:03 -08:00
opp OPP: Fix missing debugfs supply directory for OPPs 2020-01-27 14:50:04 +01:00
oprofile
parisc
parport parport: load lowlevel driver if ports not found 2019-12-31 16:36:01 +01:00
pci PCI: Don't disable bridge BARs when assigning bus resources 2020-02-14 16:33:23 -05:00
pcmcia
perf
phy phy: qualcomm: Adjust indentation in read_poll_timeout 2020-02-11 04:34:12 -08:00
pinctrl pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B 2020-02-14 16:33:27 -05:00
platform platform/x86: intel_mid_powerbtn: Take a copy of ddata 2020-02-14 16:33:25 -05:00
pnp
power power: supply: ltc2941-battery-gauge: fix use-after-free 2020-02-11 04:34:02 -08:00
powercap
pps
ps3
ptp ptp: free ptp device pin descriptors properly 2020-01-23 08:21:35 +01:00
pwm pwm: meson: Don't disable PWM when setting duty repeatedly 2020-01-27 14:50:47 +01:00
rapidio drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen() 2020-01-27 14:50:31 +01:00
ras
regulator regulator: tps65086: Fix tps65086_ldoa1_ranges for selector 0xB 2020-01-27 14:50:33 +01:00
remoteproc remoteproc: qcom: q6v5-mss: Add missing regulator for MSM8996 2020-01-27 14:50:10 +01:00
reset reset: Fix memory leak in reset_control_array_put() 2019-12-05 09:19:36 +01:00
rpmsg rpmsg: glink: Free pending deferred work on remove 2019-12-21 10:57:30 +01:00
rtc rtc: cmos: Stop using shared IRQ 2020-02-14 16:33:24 -05:00
s390 s390/qeth: Fix initialization of vnicc cmd masks during set online 2020-01-27 14:51:18 +01:00
sbus
scsi scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state 2020-02-14 16:33:28 -05:00
sfi
sh
siox
slimbus slimbus: ngd: Fix build error on x86 2019-12-13 08:51:54 +01:00
sn
soc soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot 2020-02-05 14:43:41 +00:00
soundwire soundwire: intel: fix PDI/stream mapping for Bulk 2019-12-31 16:35:55 +01:00
spi spi: spi-mem: Fix inverted logic in op sanity check 2020-02-14 16:33:24 -05:00
spmi
ssb
staging staging: vt6656: Fix false Tx excessive retries reporting. 2020-02-01 09:37:03 +00:00
target scsi: RDMA/isert: Fix a recently introduced regression related to logout 2020-01-29 16:43:21 +01:00
tc
tee tee: optee: Fix compilation issue with nommu 2020-02-05 14:43:50 +00:00
thermal thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power 2020-01-27 14:50:48 +01:00
thunderbolt thunderbolt: Power cycle the router if NVM authentication fails 2019-12-05 09:21:27 +01:00
tty serial: uartps: Move the spinlock after the read of the tx empty 2020-02-14 16:33:28 -05:00
uio driver: uio: fix possible use-after-free in __uio_register_device 2020-01-27 14:50:17 +01:00
usb usb: gadget: f_ecm: Use atomic_t to track in-flight request 2020-02-11 04:33:56 -08:00
uwb
vfio vfio/mdev: Fix aborting mdev child device removal if one fails 2020-01-27 14:50:46 +01:00
vhost vhost/test: stop device before reset 2020-01-27 14:51:19 +01:00
video backlight: pwm_bl: Fix heuristic to determine number of brightness levels 2020-01-27 14:50:58 +01:00
virt
virtio virtio-balloon: fix managed page counts when migrating pages between zones 2019-12-17 20:34:43 +01:00
visorbus
vlynq
vme
w1 w1: IAD Register is yet readable trough iad sys file. Fix snprintf (%u for unsigned, count for max size). 2019-12-01 09:16:22 +01:00
watchdog watchdog: fix UAF in reboot notifier handling in watchdog core code 2020-02-11 04:34:08 -08:00
xen xen/balloon: Support xend-based toolstack take two 2020-02-11 04:34:08 -08:00
zorro
Kconfig
Makefile