linux/drivers/infiniband/core
Jason Gunthorpe 31142a4ba6 RDMA/cm: Add min length checks to user structure copies
These are missing throughout ucma; it harmlessly copies garbage from
userspace, but in this new code, which uses min to compute the copy length,
it can result in uninitialized stack memory. Check for minimum length at
the very start.

  BUG: KMSAN: uninit-value in ucma_connect+0x2aa/0xab0 drivers/infiniband/core/ucma.c:1091
  CPU: 0 PID: 8457 Comm: syz-executor069 Not tainted 5.8.0-rc5-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:77 [inline]
   dump_stack+0x1df/0x240 lib/dump_stack.c:118
   kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
   __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
   ucma_connect+0x2aa/0xab0 drivers/infiniband/core/ucma.c:1091
   ucma_write+0x5c5/0x630 drivers/infiniband/core/ucma.c:1764
   do_loop_readv_writev fs/read_write.c:737 [inline]
   do_iter_write+0x710/0xdc0 fs/read_write.c:1020
   vfs_writev fs/read_write.c:1091 [inline]
   do_writev+0x42d/0x8f0 fs/read_write.c:1134
   __do_sys_writev fs/read_write.c:1207 [inline]
   __se_sys_writev+0x9b/0xb0 fs/read_write.c:1204
   __x64_sys_writev+0x4a/0x70 fs/read_write.c:1204
   do_syscall_64+0xb0/0x150 arch/x86/entry/common.c:386
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 34e2ab57a9 ("RDMA/ucma: Extend ucma_connect to receive ECE parameters")
Fixes: 0cb15372a6 ("RDMA/cma: Connect ECE to rdma_accept")
Link: https://lore.kernel.org/r/0-v1-d5b86dab17dc+28c25-ucma_syz_min_jgg@nvidia.com
Reported-by: syzbot+086ab5ca9eafd2379aa6@syzkaller.appspotmail.com
Reported-by: syzbot+7446526858b83c8828b2@syzkaller.appspotmail.com
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2020-07-27 11:50:00 -03:00
addr.c RDMA/addr: Mark addr_resolve as might_sleep() 2020-05-12 21:32:52 -03:00
agent.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
agent.h
cache.c IB/core: Fix potential NULL pointer dereference in pkey cache 2020-05-12 11:47:48 -03:00
cgroup.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
cm_msgs.h RDMA/cm: Remove CM message structs 2020-01-25 15:11:37 -04:00
cm.c RDMA/cm: Protect access to remote_sidr_table 2020-07-16 09:58:53 -03:00
cma_configfs.c IB/cma: Fix ports memory leak in cma_configfs 2020-05-22 15:37:19 -03:00
cma_priv.h RDMA/ucma: Extend ucma_connect to receive ECE parameters 2020-05-27 16:05:05 -03:00
cma_trace.c RDMA/cma: Add trace points in RDMA Connection Manager 2020-01-07 16:10:53 -04:00
cma_trace.h RDMA/core: Move and rename trace_cm_id_create() 2020-06-02 20:32:54 -03:00
cma.c RDMA/cma: Protect bind_list and listen_list while finding matching cm id 2020-06-18 09:48:54 -03:00
core_priv.h RDMA/core: Introduce shared CQ pool API 2020-05-29 16:09:02 -03:00
counters.c RDMA/counter: Query a counter before release 2020-06-22 14:36:56 -03:00
cq.c RDMA/core: Introduce shared CQ pool API 2020-05-29 16:09:02 -03:00
device.c RDMA/core: Remove FMR device ops 2020-06-02 20:32:54 -03:00
ib_core_uverbs.c RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence 2020-01-25 14:48:33 -04:00
iwcm.c RDMA/iwcm: Fix iwcm work deallocation 2020-03-04 14:28:25 -04:00
iwcm.h
iwpm_msg.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.c RDMA/iwpm: Delete unnecessary checks before the macro call "dev_kfree_skb" 2019-08-27 13:09:23 -03:00
iwpm_util.h infiniband: fix core/ipwm_util.h kernel-doc warnings 2019-10-22 14:45:31 -03:00
lag.c RDMA/core: Consider flow label when building skb 2020-05-06 16:51:43 -03:00
mad_priv.h RDMA: Replace zero-length array with flexible-array member 2020-02-20 13:33:51 -04:00
mad_rmpp.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
mad_rmpp.h
mad.c IB/mad: Fix use after free when destroying MAD agent 2020-06-22 14:57:44 -03:00
Makefile RDMA/core: Remove FMR pool API 2020-06-02 20:32:53 -03:00
mr_pool.c Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
multicast.c RDMA: Allow ib_client's to fail when add() is called 2020-05-06 11:57:33 -03:00
netlink.c IB/core: Avoid deadlock during netlink message handling 2019-10-24 20:49:37 -03:00
nldev.c RDMA/core: Fix double put of resource 2020-05-12 11:47:48 -03:00
opa_smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
packer.c
rdma_core.c RDMA/core: Fix race in rdma_alloc_commit_uobject() 2020-07-16 09:58:53 -03:00
rdma_core.h IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
restrack.c RDMA/restrack: Remove PID namespace support 2019-10-23 15:58:31 -03:00
restrack.h RDMA/restrack: Remove PID namespace support 2019-10-23 15:58:31 -03:00
roce_gid_mgmt.c drivers: use in_dev_for_each_ifa_rtnl/rcu 2019-06-02 18:06:26 -07:00
rw.c RDMA/rw: use DIV_ROUND_UP to calculate nr_ops 2020-04-15 11:34:49 -03:00
sa_query.c IB/sa: Resolv use-after-free in ib_nl_make_request() 2020-07-02 16:05:12 -03:00
sa.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
security.c RDMA/core: Ensure security pkey modify is not lost 2020-03-24 19:53:25 -03:00
smi.c
smi.h RDMA: Start use ib_device_ops 2018-12-12 07:40:16 -07:00
sysfs.c RDMA/core: Fix several reference count leaks. 2020-05-29 15:35:49 -03:00
trace.c RDMA/core: Trace points for diagnosing completion queue issues 2020-01-07 16:10:53 -04:00
ucma.c RDMA/cm: Add min length checks to user structure copies 2020-07-27 11:50:00 -03:00
ud_header.c RDMA/core: Use sizeof_field() helper 2020-05-27 13:46:05 -03:00
umem_odp.c mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
umem.c RDMA/core: Add weak ordering dma attr to dma mapping 2020-02-13 13:38:02 -04:00
user_mad.c RDMA: Allow ib_client's to fail when add() is called 2020-05-06 11:57:33 -03:00
uverbs_cmd.c RDMA: Remove 'max_map_per_fmr' 2020-06-02 20:32:54 -03:00
uverbs_ioctl.c RDMA/core: Use sizeof_field() helper 2020-05-27 13:46:05 -03:00
uverbs_main.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
uverbs_marshall.c IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *' 2018-06-25 14:19:57 -06:00
uverbs_std_types_async_fd.c RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj 2020-05-12 17:02:25 -03:00
uverbs_std_types_counters.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_cq.c IB/uverbs: Extend CQ to get its own asynchronous event FD 2020-05-21 20:34:53 -03:00
uverbs_std_types_device.c RDMA/core: Add the core support field to METHOD_GET_CONTEXT 2020-01-16 15:55:46 -04:00
uverbs_std_types_dm.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_flow_action.c IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_std_types_mr.c RDMA/core: Allow the ioctl layer to abort a fully created uobject 2020-05-21 20:10:46 -03:00
uverbs_std_types_qp.c IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
uverbs_std_types_srq.c IB/uverbs: Introduce create/destroy SRQ commands over ioctl 2020-05-21 20:39:35 -03:00
uverbs_std_types_wq.c IB/uverbs: Introduce create/destroy WQ commands over ioctl 2020-05-21 20:39:35 -03:00
uverbs_std_types.c IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
uverbs_uapi.c IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
uverbs.h IB/uverbs: Extend CQ to get its own asynchronous event FD 2020-05-21 20:34:53 -03:00
verbs.c RDMA/core: Remove FMR device ops 2020-06-02 20:32:54 -03:00