From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Mike Marciniszyn <mike.marciniszyn@intel.com>,
Lukasz Odzioba <lukasz.odzioba@intel.com>,
"Michael J. Ruhl" <michael.j.ruhl@intel.com>,
Dennis Dalessandro <dennis.dalessandro@intel.com>,
Jason Gunthorpe <jgg@mellanox.com>
Subject: [PATCH 4.9 74/94] IB/hfi1: Invalid user input can result in crash
Date: Tue, 2 Oct 2018 06:25:28 -0700 [thread overview]
Message-ID: <20181002132505.626165152@linuxfoundation.org> (raw)
In-Reply-To: <20181002132500.494838053@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael J. Ruhl <michael.j.ruhl@intel.com>
commit 94694d18cf27a6faad91487a38ce516c2b16e7d9 upstream.
If the number of packets in a user sdma request does not match
the actual iovectors being sent, sdma_cleanup can be called on
an uninitialized request structure, resulting in a crash similar
to this:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffffc0ae8bb7>] __sdma_txclean+0x57/0x1e0 [hfi1]
PGD 8000001044f61067 PUD 1052706067 PMD 0
Oops: 0000 [#1] SMP
CPU: 30 PID: 69912 Comm: upsm Kdump: loaded Tainted: G OE
------------ 3.10.0-862.el7.x86_64 #1
Hardware name: Intel Corporation S2600KPR/S2600KPR, BIOS
SE5C610.86B.01.01.0019.101220160604 10/12/2016
task: ffff8b331c890000 ti: ffff8b2ed1f98000 task.ti: ffff8b2ed1f98000
RIP: 0010:[<ffffffffc0ae8bb7>] [<ffffffffc0ae8bb7>] __sdma_txclean+0x57/0x1e0
[hfi1]
RSP: 0018:ffff8b2ed1f9bab0 EFLAGS: 00010286
RAX: 0000000000008b2b RBX: ffff8b2adf6e0000 RCX: 0000000000000000
RDX: 00000000000000a0 RSI: ffff8b2e9eedc540 RDI: ffff8b2adf6e0000
RBP: ffff8b2ed1f9bad8 R08: 0000000000000000 R09: ffffffffc0b04a06
R10: ffff8b331c890190 R11: ffffe6ed00bf1840 R12: ffff8b3315480000
R13: ffff8b33154800f0 R14: 00000000fffffff2 R15: ffff8b2e9eedc540
FS: 00007f035ac47740(0000) GS:ffff8b331e100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000c03fe6000 CR4: 00000000001607e0
Call Trace:
[<ffffffffc0b0570d>] user_sdma_send_pkts+0xdcd/0x1990 [hfi1]
[<ffffffff9fe75fb0>] ? gup_pud_range+0x140/0x290
[<ffffffffc0ad3105>] ? hfi1_mmu_rb_insert+0x155/0x1b0 [hfi1]
[<ffffffffc0b0777b>] hfi1_user_sdma_process_request+0xc5b/0x11b0 [hfi1]
[<ffffffffc0ac193a>] hfi1_aio_write+0xba/0x110 [hfi1]
[<ffffffffa001a2bb>] do_sync_readv_writev+0x7b/0xd0
[<ffffffffa001bede>] do_readv_writev+0xce/0x260
[<ffffffffa022b089>] ? tty_ldisc_deref+0x19/0x20
[<ffffffffa02268c0>] ? n_tty_ioctl+0xe0/0xe0
[<ffffffffa001c105>] vfs_writev+0x35/0x60
[<ffffffffa001c2bf>] SyS_writev+0x7f/0x110
[<ffffffffa051f7d5>] system_call_fastpath+0x1c/0x21
Code: 06 49 c7 47 18 00 00 00 00 0f 87 89 01 00 00 5b 41 5c 41 5d 41 5e 41 5f
5d c3 66 2e 0f 1f 84 00 00 00 00 00 48 8b 4e 10 48 89 fb <48> 8b 51 08 49 89 d4
83 e2 0c 41 81 e4 00 e0 00 00 48 c1 ea 02
RIP [<ffffffffc0ae8bb7>] __sdma_txclean+0x57/0x1e0 [hfi1]
RSP <ffff8b2ed1f9bab0>
CR2: 0000000000000008
There are two exit points from user_sdma_send_pkts(). One (free_tx)
merely frees the slab entry and one (free_txreq) cleans the sdma_txreq
prior to freeing the slab entry. The free_txreq variation can only be
called after one of the sdma_init*() variations has been called.
In the panic case, the slab entry had been allocated but not inited.
Fix the issue by exiting through free_tx thus avoiding sdma_clean().
Cc: <stable@vger.kernel.org> # 4.9.x+
Fixes: 7724105686e7 ("IB/hfi1: add driver files")
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
---
drivers/infiniband/hw/hfi1/user_sdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/hw/hfi1/user_sdma.c
+++ b/drivers/infiniband/hw/hfi1/user_sdma.c
@@ -956,7 +956,7 @@ static int user_sdma_send_pkts(struct us
if (ACCESS_ONCE(iovec->offset) == iovec->iov.iov_len) {
if (++req->iov_idx == req->data_iovs) {
ret = -EFAULT;
- goto free_txreq;
+ goto free_tx;
}
iovec = &req->iovs[req->iov_idx];
WARN_ON(iovec->offset);
next prev parent reply other threads:[~2018-10-02 13:36 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-02 13:24 [PATCH 4.9 00/94] 4.9.131-stable review Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 01/94] crypto: skcipher - Fix -Wstringop-truncation warnings Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 02/94] tsl2550: fix lux1_input error in low light Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 03/94] vmci: type promotion bug in qp_host_get_user_memory() Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 04/94] x86/numa_emulation: Fix emulated-to-physical node mapping Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 05/94] staging: rts5208: fix missing error check on call to rtsx_write_register Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 06/94] uwb: hwa-rc: fix memory leak at probe Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 07/94] power: vexpress: fix corruption in notifier registration Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 08/94] iommu/amd: make sure TLB to be flushed before IOVA freed Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 09/94] Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 10/94] USB: serial: kobil_sct: fix modem-status error handling Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 11/94] 6lowpan: iphc: reset mac_header after decompress to fix panic Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 12/94] s390/mm: correct allocate_pgste proc_handler callback Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 13/94] power: remove possible deadlock when unregistering power_supply Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 14/94] md-cluster: clear another nodes suspend_area after the copy is finished Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 15/94] IB/core: type promotion bug in rdma_rw_init_one_mr() Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 16/94] media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt() Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 17/94] powerpc/kdump: Handle crashkernel memory reservation failure Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 18/94] media: fsl-viu: fix error handling in viu_of_probe() Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 19/94] x86/tsc: Add missing header to tsc_msr.c Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 20/94] ARM: hwmod: RTC: Dont assume lock/unlock will be called with irq enabled Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 21/94] x86/entry/64: Add two more instruction suffixes Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 22/94] scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 23/94] scsi: klist: Make it safe to use klists in atomic context Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 24/94] scsi: ibmvscsi: Improve strings handling Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 25/94] usb: wusbcore: security: cast sizeof to int for comparison Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 26/94] powerpc/powernv/ioda2: Reduce upper limit for DMA window size Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 27/94] alarmtimer: Prevent overflow for relative nanosleep Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 28/94] s390/extmem: fix gcc 8 stringop-overflow warning Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 29/94] ALSA: snd-aoa: add of_node_put() in error path Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 30/94] media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 31/94] media: soc_camera: ov772x: correct setting of banding filter Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 32/94] media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 33/94] staging: android: ashmem: Fix mmap size validation Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 34/94] drivers/tty: add error handling for pcmcia_loop_config Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 35/94] media: tm6000: add error handling for dvb_register_adapter Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 36/94] ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 37/94] net: phy: xgmiitorgmii: Check read_status results Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 38/94] ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 39/94] net: phy: xgmiitorgmii: Check phy_driver ready before accessing Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 40/94] drm/sun4i: Fix releasing node when enumerating enpoints Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 41/94] rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 42/94] wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 43/94] ARM: mvebu: declare asm symbols as character arrays in pmsu.c Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 44/94] HID: hid-ntrig: add error handling for sysfs_create_group Greg Kroah-Hartman
2018-10-02 13:24 ` [PATCH 4.9 45/94] perf/x86/intel/lbr: Fix incomplete LBR call stack Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 46/94] scsi: bnx2i: add error handling for ioremap_nocache Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 47/94] scsi: megaraid_sas: Update controller info during resume Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 48/94] EDAC, i7core: Fix memleaks and use-after-free on probe and remove Greg Kroah-Hartman
2018-10-02 13:25 ` [4.9,48/94] " Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 49/94] ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 50/94] module: exclude SHN_UNDEF symbols from kallsyms api Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 51/94] gpio: Fix wrong rounding in gpio-menz127 Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 52/94] nfsd: fix corrupted reply to badly ordered compound Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 53/94] EDAC: Fix memleak in module init error path Greg Kroah-Hartman
2018-10-02 13:25 ` [4.9,53/94] " Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 54/94] ARM: dts: dra7: fix DCAN node addresses Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 55/94] floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 56/94] tty: serial: lpuart: avoid leaking struct tty_struct Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 57/94] serial: cpm_uart: return immediately from console poll Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 58/94] spi: tegra20-slink: explicitly enable/disable clock Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 59/94] spi: sh-msiof: Fix invalid SPI use during system suspend Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 60/94] spi: sh-msiof: Fix handling of write value for SISTR register Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 61/94] spi: rspi: Fix invalid SPI use during system suspend Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 62/94] spi: rspi: Fix interrupted DMA transfers Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 63/94] regulator: fix crash caused by null driver data Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 64/94] USB: fix error handling in usb_driver_claim_interface() Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 65/94] USB: handle NULL config in usb_find_alt_setting() Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 66/94] slub: make ->cpu_partial unsigned int Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 67/94] media: uvcvideo: Support realteks UVC 1.5 device Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 68/94] USB: usbdevfs: sanitize flags more Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 69/94] USB: usbdevfs: restore warning for nonsensical flags Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 70/94] Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()" Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 71/94] USB: remove LPM management from usb_driver_claim_interface() Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 72/94] Input: elantech - enable middle button of touchpad on ThinkPad P72 Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 73/94] IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop Greg Kroah-Hartman
2018-10-02 13:25 ` Greg Kroah-Hartman [this message]
2018-10-02 13:25 ` [PATCH 4.9 75/94] IB/hfi1: Fix context recovery when PBC has an UnsupportedVL Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 76/94] scsi: target: iscsi: Use bin2hex instead of a re-implementation Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 77/94] serial: imx: restore handshaking irq for imx1 Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 78/94] IB/hfi1: Fix SL array bounds check Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 79/94] arm64: KVM: Tighten guest core register access from userspace Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 80/94] ext4: never move the system.data xattr out of the inode body Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 81/94] qed: Wait for ready indication before rereading the shmem Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 82/94] qed: Wait for MCP halt and resume commands to take place Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 83/94] thermal: of-thermal: disable passive polling when thermal zone is disabled Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 84/94] net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 85/94] net: hns: fix skb->truesize underestimation Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 86/94] e1000: check on netif_running() before calling e1000_up() Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 87/94] e1000: ensure to free old tx/rx rings in set_ringparam() Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 88/94] hwmon: (ina2xx) fix sysfs shunt resistor read access Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 89/94] hwmon: (adt7475) Make adt7475_read_word() return errors Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 90/94] drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 91/94] drm/amdgpu: Update power state at the end of smu hw_init Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 92/94] arm/arm64: smccc-1.1: Make return values unsigned long Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 93/94] arm/arm64: smccc-1.1: Handle function result as parameters Greg Kroah-Hartman
2018-10-02 13:25 ` [PATCH 4.9 94/94] i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus Greg Kroah-Hartman
2018-10-02 19:19 ` [PATCH 4.9 00/94] 4.9.131-stable review Nathan Chancellor
2018-10-02 20:26 ` Shuah Khan
2018-10-03 12:54 ` Guenter Roeck
2018-10-03 19:50 ` Dan Rue
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181002132505.626165152@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dennis.dalessandro@intel.com \
--cc=jgg@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lukasz.odzioba@intel.com \
--cc=michael.j.ruhl@intel.com \
--cc=mike.marciniszyn@intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.