--- /dev/null
+From 104f268d439b3c21c83708e52946a4d8d37f3d0f Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@mellanox.com>
+Date: Tue, 13 Feb 2018 12:18:38 +0200
+Subject: IB/uverbs: Improve lockdep_check
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+commit 104f268d439b3c21c83708e52946a4d8d37f3d0f upstream.
+
+This is really being used as an assert that the expected usecnt
+is being held and implicitly that the usecnt is valid. Rename it to
+assert_uverbs_usecnt and tighten the checks to only accept valid
+values of usecnt (eg 0 and < -1 are invalid).
+
+The tigher checkes make the assertion cover more cases and is more
+likely to find bugs via syzkaller/etc.
+
+Fixes: 3832125624b7 ("IB/core: Add support for idr types")
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/rdma_core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/core/rdma_core.c
++++ b/drivers/infiniband/core/rdma_core.c
+@@ -407,13 +407,13 @@ static int __must_check remove_commit_fd
+ return ret;
+ }
+
+-static void lockdep_check(struct ib_uobject *uobj, bool exclusive)
++static void assert_uverbs_usecnt(struct ib_uobject *uobj, bool exclusive)
+ {
+ #ifdef CONFIG_LOCKDEP
+ if (exclusive)
+- WARN_ON(atomic_read(&uobj->usecnt) > 0);
++ WARN_ON(atomic_read(&uobj->usecnt) != -1);
+ else
+- WARN_ON(atomic_read(&uobj->usecnt) == -1);
++ WARN_ON(atomic_read(&uobj->usecnt) <= 0);
+ #endif
+ }
+
+@@ -452,7 +452,7 @@ int __must_check rdma_remove_commit_uobj
+ WARN(true, "ib_uverbs: Cleanup is running while removing an uobject\n");
+ return 0;
+ }
+- lockdep_check(uobj, true);
++ assert_uverbs_usecnt(uobj, true);
+ ret = _rdma_remove_commit_uobject(uobj, RDMA_REMOVE_DESTROY);
+
+ up_read(&ucontext->cleanup_rwsem);
+@@ -482,7 +482,7 @@ int rdma_explicit_destroy(struct ib_uobj
+ WARN(true, "ib_uverbs: Cleanup is running while removing an uobject\n");
+ return 0;
+ }
+- lockdep_check(uobject, true);
++ assert_uverbs_usecnt(uobject, true);
+ ret = uobject->type->type_class->remove_commit(uobject,
+ RDMA_REMOVE_DESTROY);
+ if (ret)
+@@ -569,7 +569,7 @@ static void lookup_put_fd_uobject(struct
+
+ void rdma_lookup_put_uobject(struct ib_uobject *uobj, bool exclusive)
+ {
+- lockdep_check(uobj, exclusive);
++ assert_uverbs_usecnt(uobj, exclusive);
+ uobj->type->type_class->lookup_put(uobj, exclusive);
+ /*
+ * In order to unlock an object, either decrease its usecnt for
--- /dev/null
+From a5dcb73b96a9d21431048bdaac02d9e96f386da3 Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Wed, 28 Feb 2018 12:44:09 +0100
+Subject: net/smc: fix NULL pointer dereference on sock_create_kern() error path
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+commit a5dcb73b96a9d21431048bdaac02d9e96f386da3 upstream.
+
+when sock_create_kern(..., a) returns an error, 'a' might not be a valid
+pointer, so it shouldn't be dereferenced to read a->sk->sk_sndbuf and
+and a->sk->sk_rcvbuf; not doing that caused the following crash:
+
+general protection fault: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 4254 Comm: syzkaller919713 Not tainted 4.16.0-rc1+ #18
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:smc_create+0x14e/0x300 net/smc/af_smc.c:1410
+RSP: 0018:ffff8801b06afbc8 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff8801b63457c0 RCX: ffffffff85a3e746
+RDX: 0000000000000004 RSI: 00000000ffffffff RDI: 0000000000000020
+RBP: ffff8801b06afbf0 R08: 00000000000007c0 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: ffff8801b6345c08 R14: 00000000ffffffe9 R15: ffffffff8695ced0
+FS: 0000000001afb880(0000) GS:ffff8801db200000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000040 CR3: 00000001b0721004 CR4: 00000000001606f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ __sock_create+0x4d4/0x850 net/socket.c:1285
+ sock_create net/socket.c:1325 [inline]
+ SYSC_socketpair net/socket.c:1409 [inline]
+ SyS_socketpair+0x1c0/0x6f0 net/socket.c:1366
+ do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x26/0x9b
+RIP: 0033:0x4404b9
+RSP: 002b:00007fff44ab6908 EFLAGS: 00000246 ORIG_RAX: 0000000000000035
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004404b9
+RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000000002b
+RBP: 00007fff44ab6910 R08: 0000000000000002 R09: 00007fff44003031
+R10: 0000000020000040 R11: 0000000000000246 R12: ffffffffffffffff
+R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000
+Code: 48 c1 ea 03 80 3c 02 00 0f 85 b3 01 00 00 4c 8b a3 48 04 00 00 48
+b8
+00 00 00 00 00 fc ff df 49 8d 7c 24 20 48 89 fa 48 c1 ea 03 <80> 3c 02
+00
+0f 85 82 01 00 00 4d 8b 7c 24 20 48 b8 00 00 00 00
+RIP: smc_create+0x14e/0x300 net/smc/af_smc.c:1410 RSP: ffff8801b06afbc8
+
+Fixes: cd6851f30386 smc: remote memory buffers (RMBs)
+Reported-and-tested-by: syzbot+aa0227369be2dcc26ebe@syzkaller.appspotmail.com
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/smc/af_smc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1351,8 +1351,10 @@ static int smc_create(struct net *net, s
+ smc->use_fallback = false; /* assume rdma capability first */
+ rc = sock_create_kern(net, PF_INET, SOCK_STREAM,
+ IPPROTO_TCP, &smc->clcsock);
+- if (rc)
++ if (rc) {
+ sk_common_release(sk);
++ goto out;
++ }
+ smc->sk.sk_sndbuf = max(smc->clcsock->sk->sk_sndbuf, SMC_BUF_MIN_SIZE);
+ smc->sk.sk_rcvbuf = max(smc->clcsock->sk->sk_rcvbuf, SMC_BUF_MIN_SIZE);
+
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
-index b5cfdaa9c7c8..15457c9569a7 100644
+---
+ drivers/infiniband/hw/mlx5/cq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
--- a/drivers/infiniband/hw/mlx5/cq.c
+++ b/drivers/infiniband/hw/mlx5/cq.c
-@@ -1178,7 +1178,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq,
+@@ -1154,7 +1154,12 @@ static int resize_user(struct mlx5_ib_de
if (ucmd.reserved0 || ucmd.reserved1)
return -EINVAL;
rdma-ucma-limit-possible-option-size.patch
rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch
rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
+ib-uverbs-improve-lockdep_check.patch
+net-smc-fix-null-pointer-dereference-on-sock_create_kern-error-path.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
