From: Greg Kroah-Hartman
Date: Thu, 22 Mar 2018 18:06:37 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.102~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11dae3e5e726117ae49c278552e3cac6202f917c;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
clk-migrate-the-count-of-orphaned-clocks-at-init.patch
ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch
ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch
rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch
rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch
---
diff --git a/queue-4.9/clk-migrate-the-count-of-orphaned-clocks-at-init.patch b/queue-4.9/clk-migrate-the-count-of-orphaned-clocks-at-init.patch
new file mode 100644
index 00000000000..80aaa1379d6
--- /dev/null
+++ b/queue-4.9/clk-migrate-the-count-of-orphaned-clocks-at-init.patch
@@ -0,0 +1,119 @@
+From 99652a469df19086d594e8e89757d4081a812789 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet
+Date: Wed, 14 Feb 2018 14:43:36 +0100
+Subject: clk: migrate the count of orphaned clocks at init
+
+From: Jerome Brunet
+
+commit 99652a469df19086d594e8e89757d4081a812789 upstream.
+
+The orphan clocks reparents should migrate any existing count from the
+orphan clock to its new acestor clocks, otherwise we may have
+inconsistent counts in the tree and end-up with gated critical clocks
+
+Assuming we have two clocks, A and B.
+* Clock A has CLK_IS_CRITICAL flag set.
+* Clock B is an ancestor of A which can gate. Clock B gate is left
+ enabled by the bootloader.
+
+Step 1: Clock A is registered. Since it is a critical clock, it is
+enabled. The clock being still an orphan, no parent are enabled.
+
+Step 2: Clock B is registered and reparented to clock A (potentially
+through several other clocks). We are now in situation where the enable
+count of clock A is 1 while the enable count of its ancestors is 0, which
+is not good.
+
+Step 3: in lateinit, clk_disable_unused() is called, the enable_count of
+clock B being 0, clock B is gated and and critical clock A actually gets
+disabled.
+
+This situation was found while adding fdiv_clk gates to the meson8b
+platform. These clocks parent clk81 critical clock, which is the mother
+of all peripheral clocks in this system. Because of the issue described
+here, the system is crashing when clk_disable_unused() is called.
+
+The situation is solved by reverting
+commit f8f8f1d04494 ("clk: Don't touch hardware when reparenting during registration").
+To avoid breaking again the situation described in this commit
+description, enabling critical clock should be done before walking the
+orphan list. This way, a parent critical clock may not be accidentally
+disabled due to the CLK_OPS_PARENT_ENABLE mechanism.
+
+Fixes: f8f8f1d04494 ("clk: Don't touch hardware when reparenting during registration")
+Cc: Stephen Boyd
+Cc: Shawn Guo
+Cc: Dong Aisheng
+Signed-off-by: Jerome Brunet
+Tested-by: Marek Szyprowski
+Tested-by: Heiko Stuebner
+Signed-off-by: Michael Turquette
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/clk.c | 37 +++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -2438,22 +2438,37 @@ static int __clk_core_init(struct clk_co
+ core->rate = core->req_rate = rate;
+
+ /*
++ * Enable CLK_IS_CRITICAL clocks so newly added critical clocks
++ * don't get accidentally disabled when walking the orphan tree and
++ * reparenting clocks
++ */
++ if (core->flags & CLK_IS_CRITICAL) {
++ unsigned long flags;
++
++ clk_core_prepare(core);
++
++ flags = clk_enable_lock();
++ clk_core_enable(core);
++ clk_enable_unlock(flags);
++ }
++
++ /*
+ * walk the list of orphan clocks and reparent any that newly finds a
+ * parent.
+ */
+ hlist_for_each_entry_safe(orphan, tmp2, &clk_orphan_list, child_node) {
+ struct clk_core *parent = __clk_init_parent(orphan);
+- unsigned long flags;
+
+ /*
+- * we could call __clk_set_parent, but that would result in a
+- * redundant call to the .set_rate op, if it exists
++ * We need to use __clk_set_parent_before() and _after() to
++ * to properly migrate any prepare/enable count of the orphan
++ * clock. This is important for CLK_IS_CRITICAL clocks, which
++ * are enabled during init but might not have a parent yet.
+ */
+ if (parent) {
+ /* update the clk tree topology */
+- flags = clk_enable_lock();
+- clk_reparent(orphan, parent);
+- clk_enable_unlock(flags);
++ __clk_set_parent_before(orphan, parent);
++ __clk_set_parent_after(orphan, parent, NULL);
+ __clk_recalc_accuracies(orphan);
+ __clk_recalc_rates(orphan, 0);
+ }
+@@ -2470,16 +2485,6 @@ static int __clk_core_init(struct clk_co
+ if (core->ops->init)
+ core->ops->init(core->hw);
+
+- if (core->flags & CLK_IS_CRITICAL) {
+- unsigned long flags;
+-
+- clk_core_prepare(core);
+-
+- flags = clk_enable_lock();
+- clk_core_enable(core);
+- clk_enable_unlock(flags);
+- }
+-
+ kref_init(&core->ref);
+ out:
+ clk_prepare_unlock();
diff --git a/queue-4.9/ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch b/queue-4.9/ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch
new file mode 100644
index 00000000000..b05bf884f3e
--- /dev/null
+++ b/queue-4.9/ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch
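Review bot: Moving the CLK_IS_CRITICAL prepare/enable block ahead of the orphan walk also moves it ahead of the `if (core->ops->init) core->ops->init(core->hw);` call visible in the second hunk, so a provider's init callback now runs after the first prepare/enable of a critical clock rather than before it; that ordering change is not mentioned in the commit message and deserves a comment on the new enable block, e.g. `/* Runs before ops->init: a critical clock is enabled before its provider init callback */`, or a follow-up that calls ops->init earlier (the part of __clk_core_init between the two hunks is outside this view, so I cannot tell whether anything in between depends on the old order). Separately, the new comment `* We need to use __clk_set_parent_before() and _after() to` / `* to properly migrate any prepare/enable count of the orphan` duplicates "to" across the line break.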
@@ -0,0 +1,73 @@
+From c2b37f76485f073f020e60b5954b6dc4e55f693c Mon Sep 17 00:00:00 2001
+From: Boris Pismenny
+Date: Thu, 8 Mar 2018 15:51:41 +0200
+Subject: IB/mlx5: Fix integer overflows in mlx5_ib_create_srq
+
+From: Boris Pismenny
+
+commit c2b37f76485f073f020e60b5954b6dc4e55f693c upstream.
+
+This patch validates user provided input to prevent integer overflow due
+to integer manipulation in the mlx5_ib_create_srq function.
+
+Cc: syzkaller
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Boris Pismenny
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx5/srq.c | 15 +++++++++------
+ include/linux/mlx5/driver.h | 4 ++--
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/srq.c
++++ b/drivers/infiniband/hw/mlx5/srq.c
+@@ -243,8 +243,8 @@ struct ib_srq *mlx5_ib_create_srq(struct
+ {
+ struct mlx5_ib_dev *dev = to_mdev(pd->device);
+ struct mlx5_ib_srq *srq;
+- int desc_size;
+- int buf_size;
++ size_t desc_size;
++ size_t buf_size;
+ int err;
+ struct mlx5_srq_attr in = {0};
+ __u32 max_srq_wqes = 1 << MLX5_CAP_GEN(dev->mdev, log_max_srq_sz);
+@@ -268,15 +268,18 @@ struct ib_srq *mlx5_ib_create_srq(struct
+
+ desc_size = sizeof(struct mlx5_wqe_srq_next_seg) +
+ srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg);
++ if (desc_size == 0 || srq->msrq.max_gs > desc_size)
++ return ERR_PTR(-EINVAL);
+ desc_size = roundup_pow_of_two(desc_size);
+- desc_size = max_t(int, 32, desc_size);
++ desc_size = max_t(size_t, 32, desc_size);
++ if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg))
++ return ERR_PTR(-EINVAL);
+ srq->msrq.max_avail_gather = (desc_size - sizeof(struct mlx5_wqe_srq_next_seg)) /
+ sizeof(struct mlx5_wqe_data_seg);
+ srq->msrq.wqe_shift = ilog2(desc_size);
+ buf_size = srq->msrq.max * desc_size;
+- mlx5_ib_dbg(dev, "desc_size 0x%x, req wr 0x%x, srq size 0x%x, max_gs 0x%x, max_avail_gather 0x%x\n",
+- desc_size, init_attr->attr.max_wr, srq->msrq.max, srq->msrq.max_gs,
+- srq->msrq.max_avail_gather);
++ if (buf_size < desc_size)
++ return ERR_PTR(-EINVAL);
+ in.type = init_attr->srq_type;
+
+ if (pd->uobject)
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -380,8 +380,8 @@ struct mlx5_core_srq {
+ struct mlx5_core_rsc_common common; /* must be first */
+ u32 srqn;
+ int max;
+- int max_gs;
+- int max_avail_gather;
++ size_t max_gs;
++ size_t max_avail_gather;
+ int wqe_shift;
+ void (*event) (struct mlx5_core_srq *, enum mlx5_event);
+
diff --git a/queue-4.9/ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch b/queue-4.9/ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch
new file mode 100644
index 00000000000..eb3f1fb3df4
--- /dev/null
+++ b/queue-4.9/ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch
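Review bot: The three new `return ERR_PTR(-EINVAL);` exits in mlx5_ib_create_srq sit after `srq` is already in use (`srq->msrq.max_gs` is read on the line above the first one), so if `srq` is heap-allocated earlier in the function — the allocation and the function's cleanup labels are outside the hunk — each of these early returns leaks it; the function's existing error style would be `err = -EINVAL; goto <label that frees srq>;` instead of a bare return. The final `if (buf_size < desc_size)` guard only catches a wrap of `srq->msrq.max * desc_size` when the wrapped product happens to fall below desc_size; a pre-multiplication check such as `if (srq->msrq.max > SIZE_MAX / desc_size)` rejects every overflow (desc_size is non-zero by then), and because `max` stays `int` in the driver.h hunk it would also catch a negative value being widened to a huge size_t.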
@@ -0,0 +1,198 @@
+From 2c292dbb398ee46fc1343daf6c3cf9715a75688e Mon Sep 17 00:00:00 2001
+From: Boris Pismenny
+Date: Thu, 8 Mar 2018 15:51:40 +0200
+Subject: IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq
+
+From: Boris Pismenny
+
+commit 2c292dbb398ee46fc1343daf6c3cf9715a75688e upstream.
+
+Add a check for the length of the qpin structure to prevent out-of-bounds reads
+
+BUG: KASAN: slab-out-of-bounds in create_raw_packet_qp+0x114c/0x15e2
+Read of size 8192 at addr ffff880066b99290 by task syz-executor3/549
+
+CPU: 3 PID: 549 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #27 Hardware
+name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
+Call Trace:
+ dump_stack+0x8d/0xd4
+ print_address_description+0x73/0x290
+ kasan_report+0x25c/0x370
+ ? create_raw_packet_qp+0x114c/0x15e2
+ memcpy+0x1f/0x50
+ create_raw_packet_qp+0x114c/0x15e2
+ ? create_raw_packet_qp_tis.isra.28+0x13d/0x13d
+ ? lock_acquire+0x370/0x370
+ create_qp_common+0x2245/0x3b50
+ ? destroy_qp_user.isra.47+0x100/0x100
+ ? kasan_kmalloc+0x13d/0x170
+ ? sched_clock_cpu+0x18/0x180
+ ? fs_reclaim_acquire.part.15+0x5/0x30
+ ? __lock_acquire+0xa11/0x1da0
+ ? sched_clock_cpu+0x18/0x180
+ ? kmem_cache_alloc_trace+0x17e/0x310
+ ? mlx5_ib_create_qp+0x30e/0x17b0
+ mlx5_ib_create_qp+0x33d/0x17b0
+ ? sched_clock_cpu+0x18/0x180
+ ? create_qp_common+0x3b50/0x3b50
+ ? lock_acquire+0x370/0x370
+ ? __radix_tree_lookup+0x180/0x220
+ ? uverbs_try_lock_object+0x68/0xc0
+ ? rdma_lookup_get_uobject+0x114/0x240
+ create_qp.isra.5+0xce4/0x1e20
+ ? ib_uverbs_ex_create_cq_cb+0xa0/0xa0
+ ? copy_ah_attr_from_uverbs.isra.2+0xa00/0xa00
+ ? ib_uverbs_cq_event_handler+0x160/0x160
+ ? __might_fault+0x17c/0x1c0
+ ib_uverbs_create_qp+0x21b/0x2a0
+ ? ib_uverbs_destroy_cq+0x2e0/0x2e0
+ ib_uverbs_write+0x55a/0xad0
+ ? ib_uverbs_destroy_cq+0x2e0/0x2e0
+ ? ib_uverbs_destroy_cq+0x2e0/0x2e0
+ ? ib_uverbs_open+0x760/0x760
+ ? futex_wake+0x147/0x410
+ ? check_prev_add+0x1680/0x1680
+ ? do_futex+0x3d3/0xa60
+ ? sched_clock_cpu+0x18/0x180
+ __vfs_write+0xf7/0x5c0
+ ? ib_uverbs_open+0x760/0x760
+ ? kernel_read+0x110/0x110
+ ? lock_acquire+0x370/0x370
+ ? __fget+0x264/0x3b0
+ vfs_write+0x18a/0x460
+ SyS_write+0xc7/0x1a0
+ ? SyS_read+0x1a0/0x1a0
+ ? trace_hardirqs_on_thunk+0x1a/0x1c
+ entry_SYSCALL_64_fastpath+0x18/0x85
+RIP: 0033:0x4477b9
+RSP: 002b:00007f1822cadc18 EFLAGS: 00000292 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004477b9
+RDX: 0000000000000070 RSI: 000000002000a000 RDI: 0000000000000005
+RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000292 R12: 00000000ffffffff
+R13: 0000000000005d70 R14: 00000000006e6e30 R15: 0000000020010ff0
+
+Allocated by task 549:
+ __kmalloc+0x15e/0x340
+ kvmalloc_node+0xa1/0xd0
+ create_user_qp.isra.46+0xd42/0x1610
+ create_qp_common+0x2e63/0x3b50
+ mlx5_ib_create_qp+0x33d/0x17b0
+ create_qp.isra.5+0xce4/0x1e20
+ ib_uverbs_create_qp+0x21b/0x2a0
+ ib_uverbs_write+0x55a/0xad0
+ __vfs_write+0xf7/0x5c0
+ vfs_write+0x18a/0x460
+ SyS_write+0xc7/0x1a0
+ entry_SYSCALL_64_fastpath+0x18/0x85
+
+Freed by task 368:
+ kfree+0xeb/0x2f0
+ kernfs_fop_release+0x140/0x180
+ __fput+0x266/0x700
+ task_work_run+0x104/0x180
+ exit_to_usermode_loop+0xf7/0x110
+ syscall_return_slowpath+0x298/0x370
+ entry_SYSCALL_64_fastpath+0x83/0x85
+
+The buggy address belongs to the object at ffff880066b99180 which
+belongs to the cache kmalloc-512 of size 512 The buggy address is
+located 272 bytes inside of 512-byte region [ffff880066b99180,
+ffff880066b99380) The buggy address belongs to the page:
+page:000000006040eedd count:1 mapcount:0 mapping: (null)
+index:0x0 compound_mapcount: 0
+flags: 0x4000000000008100(slab|head)
+raw: 4000000000008100 0000000000000000 0000000000000000 0000000180190019
+raw: ffffea00019a7500 0000000b0000000b ffff88006c403080 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff880066b99180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff880066b99200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff880066b99280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff880066b99300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff880066b99380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Cc: syzkaller
+Fixes: 0fb2ed66a14c ("IB/mlx5: Add create and destroy functionality for Raw Packet QP")
+Signed-off-by: Boris Pismenny
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -1130,7 +1130,7 @@ static void destroy_raw_packet_qp_sq(str
+ ib_umem_release(sq->ubuffer.umem);
+ }
+
+-static int get_rq_pas_size(void *qpc)
++static size_t get_rq_pas_size(void *qpc)
+ {
+ u32 log_page_size = MLX5_GET(qpc, qpc, log_page_size) + 12;
+ u32 log_rq_stride = MLX5_GET(qpc, qpc, log_rq_stride);
+@@ -1146,7 +1146,8 @@ static int get_rq_pas_size(void *qpc)
+ }
+
+ static int create_raw_packet_qp_rq(struct mlx5_ib_dev *dev,
+- struct mlx5_ib_rq *rq, void *qpin)
++ struct mlx5_ib_rq *rq, void *qpin,
++ size_t qpinlen)
+ {
+ struct mlx5_ib_qp *mqp = rq->base.container_mibqp;
+ __be64 *pas;
+@@ -1155,9 +1156,12 @@ static int create_raw_packet_qp_rq(struc
+ void *rqc;
+ void *wq;
+ void *qpc = MLX5_ADDR_OF(create_qp_in, qpin, qpc);
+- int inlen;
++ size_t rq_pas_size = get_rq_pas_size(qpc);
++ size_t inlen;
+ int err;
+- u32 rq_pas_size = get_rq_pas_size(qpc);
++
++ if (qpinlen < rq_pas_size + MLX5_BYTE_OFF(create_qp_in, pas))
++ return -EINVAL;
+
+ inlen = MLX5_ST_SZ_BYTES(create_rq_in) + rq_pas_size;
+ in = mlx5_vzalloc(inlen);
+@@ -1235,7 +1239,7 @@ static void destroy_raw_packet_qp_tir(st
+ }
+
+ static int create_raw_packet_qp(struct mlx5_ib_dev *dev, struct mlx5_ib_qp *qp,
+- u32 *in,
++ u32 *in, size_t inlen,
+ struct ib_pd *pd)
+ {
+ struct mlx5_ib_raw_packet_qp *raw_packet_qp = &qp->raw_packet_qp;
+@@ -1262,7 +1266,7 @@ static int create_raw_packet_qp(struct m
+ if (qp->rq.wqe_cnt) {
+ rq->base.container_mibqp = qp;
+
+- err = create_raw_packet_qp_rq(dev, rq, in);
++ err = create_raw_packet_qp_rq(dev, rq, in, inlen);
+ if (err)
+ goto err_destroy_sq;
+
+@@ -1753,10 +1757,15 @@ static int create_qp_common(struct mlx5_
+ qp->flags |= MLX5_IB_QP_LSO;
+ }
+
++ if (inlen < 0) {
++ err = -EINVAL;
++ goto err;
++ }
++
+ if (init_attr->qp_type == IB_QPT_RAW_PACKET) {
+ qp->raw_packet_qp.sq.ubuffer.buf_addr = ucmd.sq_buf_addr;
+ raw_packet_qp_copy_info(qp, &qp->raw_packet_qp);
+- err = create_raw_packet_qp(dev, qp, in, pd);
++ err = create_raw_packet_qp(dev, qp, in, inlen, pd);
+ } else {
+ err = mlx5_core_create_qp(dev->mdev, &base->mqp, in, inlen);
+ }
diff --git a/queue-4.9/rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch b/queue-4.9/rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch
new file mode 100644
index 00000000000..37ccfe27205
--- /dev/null
+++ b/queue-4.9/rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch
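Review bot: In create_raw_packet_qp_rq the new guard `if (qpinlen < rq_pas_size + MLX5_BYTE_OFF(create_qp_in, pas))` adds a qpc-derived length to the pas offset before comparing, so it is only overflow-safe as long as get_rq_pas_size() can never return a value near SIZE_MAX; its body is mostly outside the hunk and the visible `u32` locals suggest that holds, but the subtraction form `if (qpinlen < MLX5_BYTE_OFF(create_qp_in, pas) || qpinlen - MLX5_BYTE_OFF(create_qp_in, pas) < rq_pas_size) return -EINVAL;` needs no such reasoning. In create_qp_common the new `if (inlen < 0)` block gives no hint of how an `int inlen` becomes negative, yet that same value is then widened to `size_t inlen` in the create_raw_packet_qp() call on the next lines, so a one-line comment naming the producer of the negative value (not visible here) would help the next reader, e.g. `/* a negative inlen is an error from the user-QP setup above; reject it before it is widened to size_t */` once that origin is confirmed.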
@@ -0,0 +1,99 @@
+From 0c81ffc60d5280991773d17e84bda605387148b1 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Tue, 13 Mar 2018 18:37:27 +0200
+Subject: RDMA/ucma: Don't allow join attempts for unsupported AF family
+
+From: Leon Romanovsky
+
+commit 0c81ffc60d5280991773d17e84bda605387148b1 upstream.
+
+Users can provide garbage while calling to ucma_join_ip_multicast(),
+it will indirectly cause to rdma_addr_size() return 0, making the
+call to ucma_process_join(), which had the right checks, but it is
+better to check the input as early as possible.
+
+The following crash from syzkaller revealed it.
+
+kernel BUG at lib/string.c:1052!
+invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 4113 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #261
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
+RSP: 0018:ffff8801ca81f8f0 EFLAGS: 00010286
+RAX: 0000000000000022 RBX: 1ffff10039503f23 RCX: 0000000000000000
+RDX: 0000000000000022 RSI: 1ffff10039503ed3 RDI: ffffed0039503f12
+RBP: ffff8801ca81f8f0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000006 R11: 0000000000000000 R12: ffff8801ca81f998
+R13: ffff8801ca81f938 R14: ffff8801ca81fa58 R15: 000000000000fa00
+FS: 0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:000000000a12a900
+CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 0000000008138024 CR3: 00000001cbb58004 CR4: 00000000001606f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ memcpy include/linux/string.h:344 [inline]
+ ucma_join_ip_multicast+0x36b/0x3b0 drivers/infiniband/core/ucma.c:1421
+ ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1633
+ __vfs_write+0xef/0x970 fs/read_write.c:480
+ vfs_write+0x189/0x510 fs/read_write.c:544
+ SYSC_write fs/read_write.c:589 [inline]
+ SyS_write+0xef/0x220 fs/read_write.c:581
+ do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
+ do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
+ entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f9ec99
+RSP: 002b:00000000ff8172cc EFLAGS: 00000282 ORIG_RAX: 0000000000000004
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000100
+RDX: 0000000000000063 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 42 2c e3 fb eb de
+55 48 89 fe 48 c7 c7 80 75 98 86 48 89 e5 e8 85 95 94 fb <0f> 0b 90 90 90 90
+90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
+RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801ca81f8f0
+
+Fixes: 5bc2b7b397b0 ("RDMA/ucma: Allow user space to specify AF_IB when joining multicast")
+Reported-by:
+Signed-off-by: Leon Romanovsky
+Reviewed-by: Sean Hefty
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/ucma.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1330,7 +1330,7 @@ static ssize_t ucma_process_join(struct
+ return -ENOSPC;
+
+ addr = (struct sockaddr *) &cmd->addr;
+- if (!cmd->addr_size || (cmd->addr_size != rdma_addr_size(addr)))
++ if (cmd->addr_size != rdma_addr_size(addr))
+ return -EINVAL;
+
+ if (cmd->join_flags == RDMA_MC_JOIN_FLAG_FULLMEMBER)
+@@ -1398,6 +1398,9 @@ static ssize_t ucma_join_ip_multicast(st
+ join_cmd.uid = cmd.uid;
+ join_cmd.id = cmd.id;
+ join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);
++ if (!join_cmd.addr_size)
++ return -EINVAL;
++
+ join_cmd.join_flags = RDMA_MC_JOIN_FLAG_FULLMEMBER;
+ memcpy(&join_cmd.addr, &cmd.addr, join_cmd.addr_size);
+
+@@ -1413,6 +1416,9 @@ static ssize_t ucma_join_multicast(struc
+ if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+ return -EFAULT;
+
++ if (!rdma_addr_size((struct sockaddr *)&cmd.addr))
++ return -EINVAL;
++
+ return ucma_process_join(file, &cmd, out_len);
+ }
+
diff --git a/queue-4.9/rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch b/queue-4.9/rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch
new file mode 100644
index 00000000000..eeff701f9cb
--- /dev/null
+++ b/queue-4.9/rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch
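Review bot: Dropping `!cmd->addr_size ||` from the check in ucma_process_join makes the shared helper depend on its callers: a command carrying a user-supplied addr_size of 0 together with a family for which rdma_addr_size() returns 0 now satisfies `cmd->addr_size != rdma_addr_size(addr)` (0 == 0) and proceeds, whereas before it was rejected in place. Both callers visible in this patch (ucma_join_ip_multicast and ucma_join_multicast) do reject a zero rdma_addr_size(), so the change is safe today, but the protection now lives two functions away from the data it guards. Keeping `if (!cmd->addr_size || cmd->addr_size != rdma_addr_size(addr))` in the helper costs nothing; failing that, a comment at the helper such as `/* callers must already have rejected rdma_addr_size() == 0 */` records the assumption. The body of ucma_process_join continues outside the hunk.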
@@ -0,0 +1,155 @@
+From 7688f2c3bbf55e52388e37ac5d63ca471a7712e1 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Tue, 13 Mar 2018 11:43:23 +0200
+Subject: RDMA/ucma: Fix access to non-initialized CM_ID object
+
+From: Leon Romanovsky
+
+commit 7688f2c3bbf55e52388e37ac5d63ca471a7712e1 upstream.
+
+The attempt to join multicast group without ensuring that CMA device
+exists will lead to the following crash reported by syzkaller.
+
+[ 64.076794] BUG: KASAN: null-ptr-deref in rdma_join_multicast+0x26e/0x12c0
+[ 64.076797] Read of size 8 at addr 00000000000000b0 by task join/691
+[ 64.076797]
+[ 64.076800] CPU: 1 PID: 691 Comm: join Not tainted 4.16.0-rc1-00219-gb97853b65b93 #23
+[ 64.076802] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
+[ 64.076803] Call Trace:
+[ 64.076809] dump_stack+0x5c/0x77
+[ 64.076817] kasan_report+0x163/0x380
+[ 64.085859] ? rdma_join_multicast+0x26e/0x12c0
+[ 64.086634] rdma_join_multicast+0x26e/0x12c0
+[ 64.087370] ? rdma_disconnect+0xf0/0xf0
+[ 64.088579] ? __radix_tree_replace+0xc3/0x110
+[ 64.089132] ? node_tag_clear+0x81/0xb0
+[ 64.089606] ? idr_alloc_u32+0x12e/0x1a0
+[ 64.090517] ? __fprop_inc_percpu_max+0x150/0x150
+[ 64.091768] ? tracing_record_taskinfo+0x10/0xc0
+[ 64.092340] ? idr_alloc+0x76/0xc0
+[ 64.092951] ? idr_alloc_u32+0x1a0/0x1a0
+[ 64.093632] ? ucma_process_join+0x23d/0x460
+[ 64.094510] ucma_process_join+0x23d/0x460
+[ 64.095199] ? ucma_migrate_id+0x440/0x440
+[ 64.095696] ? futex_wake+0x10b/0x2a0
+[ 64.096159] ucma_join_multicast+0x88/0xe0
+[ 64.096660] ? ucma_process_join+0x460/0x460
+[ 64.097540] ? _copy_from_user+0x5e/0x90
+[ 64.098017] ucma_write+0x174/0x1f0
+[ 64.098640] ? ucma_resolve_route+0xf0/0xf0
+[ 64.099343] ? rb_erase_cached+0x6c7/0x7f0
+[ 64.099839] __vfs_write+0xc4/0x350
+[ 64.100622] ? perf_syscall_enter+0xe4/0x5f0
+[ 64.101335] ? kernel_read+0xa0/0xa0
+[ 64.103525] ? perf_sched_cb_inc+0xc0/0xc0
+[ 64.105510] ? syscall_exit_register+0x2a0/0x2a0
+[ 64.107359] ? __switch_to+0x351/0x640
+[ 64.109285] ? fsnotify+0x899/0x8f0
+[ 64.111610] ? fsnotify_unmount_inodes+0x170/0x170
+[ 64.113876] ? __fsnotify_update_child_dentry_flags+0x30/0x30
+[ 64.115813] ? ring_buffer_record_is_on+0xd/0x20
+[ 64.117824] ? __fget+0xa8/0xf0
+[ 64.119869] vfs_write+0xf7/0x280
+[ 64.122001] SyS_write+0xa1/0x120
+[ 64.124213] ? SyS_read+0x120/0x120
+[ 64.126644] ? SyS_read+0x120/0x120
+[ 64.128563] do_syscall_64+0xeb/0x250
+[ 64.130732] entry_SYSCALL_64_after_hwframe+0x21/0x86
+[ 64.132984] RIP: 0033:0x7f5c994ade99
+[ 64.135699] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 64.138740] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
+[ 64.141056] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
+[ 64.143536] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
+[ 64.146017] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
+[ 64.148608] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
+[ 64.151060]
+[ 64.153703] Disabling lock debugging due to kernel taint
+[ 64.156032] BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0
+[ 64.159066] IP: rdma_join_multicast+0x26e/0x12c0
+[ 64.161451] PGD 80000001d0298067 P4D 80000001d0298067 PUD 1dea39067 PMD 0
+[ 64.164442] Oops: 0000 [#1] SMP KASAN PTI
+[ 64.166817] CPU: 1 PID: 691 Comm: join Tainted: G B 4.16.0-rc1-00219-gb97853b65b93 #23
+[ 64.170004] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
+[ 64.174985] RIP: 0010:rdma_join_multicast+0x26e/0x12c0
+[ 64.177246] RSP: 0018:ffff8801c8207860 EFLAGS: 00010282
+[ 64.179901] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff94789522
+[ 64.183344] RDX: 1ffffffff2d50fa5 RSI: 0000000000000297 RDI: 0000000000000297
+[ 64.186237] RBP: ffff8801c8207a50 R08: 0000000000000000 R09: ffffed0039040ea7
+[ 64.189328] R10: 0000000000000001 R11: ffffed0039040ea6 R12: 0000000000000000
+[ 64.192634] R13: 0000000000000000 R14: ffff8801e2022800 R15: ffff8801d4ac2400
+[ 64.196105] FS: 00007f5c99b98700(0000) GS:ffff8801e5d00000(0000) knlGS:0000000000000000
+[ 64.199211] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 64.202046] CR2: 00000000000000b0 CR3: 00000001d1c48004 CR4: 00000000003606a0
+[ 64.205032] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 64.208221] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 64.211554] Call Trace:
+[ 64.213464] ? rdma_disconnect+0xf0/0xf0
+[ 64.216124] ? __radix_tree_replace+0xc3/0x110
+[ 64.219337] ? node_tag_clear+0x81/0xb0
+[ 64.222140] ? idr_alloc_u32+0x12e/0x1a0
+[ 64.224422] ? __fprop_inc_percpu_max+0x150/0x150
+[ 64.226588] ? tracing_record_taskinfo+0x10/0xc0
+[ 64.229763] ? idr_alloc+0x76/0xc0
+[ 64.232186] ? idr_alloc_u32+0x1a0/0x1a0
+[ 64.234505] ? ucma_process_join+0x23d/0x460
+[ 64.237024] ucma_process_join+0x23d/0x460
+[ 64.240076] ? ucma_migrate_id+0x440/0x440
+[ 64.243284] ? futex_wake+0x10b/0x2a0
+[ 64.245302] ucma_join_multicast+0x88/0xe0
+[ 64.247783] ? ucma_process_join+0x460/0x460
+[ 64.250841] ? _copy_from_user+0x5e/0x90
+[ 64.253878] ucma_write+0x174/0x1f0
+[ 64.257008] ? ucma_resolve_route+0xf0/0xf0
+[ 64.259877] ? rb_erase_cached+0x6c7/0x7f0
+[ 64.262746] __vfs_write+0xc4/0x350
+[ 64.265537] ? perf_syscall_enter+0xe4/0x5f0
+[ 64.267792] ? kernel_read+0xa0/0xa0
+[ 64.270358] ? perf_sched_cb_inc+0xc0/0xc0
+[ 64.272575] ? syscall_exit_register+0x2a0/0x2a0
+[ 64.275367] ? __switch_to+0x351/0x640
+[ 64.277700] ? fsnotify+0x899/0x8f0
+[ 64.280530] ? fsnotify_unmount_inodes+0x170/0x170
+[ 64.283156] ? __fsnotify_update_child_dentry_flags+0x30/0x30
+[ 64.286182] ? ring_buffer_record_is_on+0xd/0x20
+[ 64.288749] ? __fget+0xa8/0xf0
+[ 64.291136] vfs_write+0xf7/0x280
+[ 64.292972] SyS_write+0xa1/0x120
+[ 64.294965] ? SyS_read+0x120/0x120
+[ 64.297474] ? SyS_read+0x120/0x120
+[ 64.299751] do_syscall_64+0xeb/0x250
+[ 64.301826] entry_SYSCALL_64_after_hwframe+0x21/0x86
+[ 64.304352] RIP: 0033:0x7f5c994ade99
+[ 64.306711] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 64.309577] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
+[ 64.312334] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
+[ 64.315783] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
+[ 64.318365] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
+[ 64.320980] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
+[ 64.323515] Code: e8 e8 79 08 ff 4c 89 ff 45 0f b6 a7 b8 01 00 00 e8 68 7c 08 ff 49 8b 1f 4d 89 e5 49 c1 e4 04 48 8
+[ 64.330753] RIP: rdma_join_multicast+0x26e/0x12c0 RSP: ffff8801c8207860
+[ 64.332979] CR2: 00000000000000b0
+[ 64.335550] ---[ end trace 0c00c17a408849c1 ]---
+
+Reported-by:
+Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support")
+Signed-off-by: Leon Romanovsky
+Reviewed-by: Sean Hefty
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/cma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -4039,6 +4039,9 @@ int rdma_join_multicast(struct rdma_cm_i
+ struct cma_multicast *mc;
+ int ret;
+
++ if (!id->device)
++ return -EINVAL;
++
+ id_priv = container_of(id, struct rdma_id_private, id);
+ if (!cma_comp(id_priv, RDMA_CM_ADDR_BOUND) &&
+ !cma_comp(id_priv, RDMA_CM_ADDR_RESOLVED))
diff --git a/queue-4.9/series b/queue-4.9/series
index ee48b072810..bcfdcd40b68 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
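Review bot: The new `if (!id->device) return -EINVAL;` in rdma_join_multicast carries no explanation of why an id that passes the `cma_comp(id_priv, RDMA_CM_ADDR_BOUND)` / `RDMA_CM_ADDR_RESOLVED` state check two lines below can still have no device, which is exactly what a later reader will wonder when tempted to fold the two checks together. Presumably an id bound to a wildcard address reaches RDMA_CM_ADDR_BOUND without a device ever being acquired (rdma_bind_addr is outside the hunk, so confirm there), and that is worth recording next to the check, e.g. `/* ADDR_BOUND does not imply a device (wildcard bind); joining a group needs one */`. The rest of rdma_join_multicast continues outside the hunk.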
@@ -169,3 +169,8 @@ clk-don-t-touch-hardware-when-reparenting-during-registration.patch
 clk-axi-clkgen-correctly-handle-nocount-bit-in-recalc_rate.patch
 clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch
 dmaengine-ti-dma-crossbar-fix-event-mapping-for-tpcc_evt_mux_60_63.patch
+ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch
+ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch
+clk-migrate-the-count-of-orphaned-clocks-at-init.patch
+rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch
+rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch