From: Leon Romanovsky <leonro@mellanox.com>
To: Doug Ledford <dledford@redhat.com>, Jason Gunthorpe <jgg@mellanox.com>
Cc: Maor Gottlieb <maorg@mellanox.com>,
RDMA mailing list <linux-rdma@vger.kernel.org>,
Daniel Jurgens <danielj@mellanox.com>
Subject: Re: [PATCH rdma-next] RDMA/core: Fix protection fault in get_pkey_idx_qp_list
Date: Sun, 2 Feb 2020 11:33:08 +0200 [thread overview]
Message-ID: <20200202093308.GJ414821@unreal> (raw)
In-Reply-To: <20200126171553.4916-1-leon@kernel.org>
On Sun, Jan 26, 2020 at 07:15:53PM +0200, Leon Romanovsky wrote:
> From: Maor Gottlieb <maorg@mellanox.com>
>
> We don't need to set pkey as valid in case that user set only one
> of pkey index or port number, otherwise it will be resulted in NULL
> pointer dereference while accessing to uninitialized pkey list.
>
> The following crash from syzkaller revealed it.
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN PTI
> CPU: 1 PID: 14753 Comm: syz-executor.2 Not tainted 5.5.0-rc5 #2
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> RIP: 0010:get_pkey_idx_qp_list+0x161/0x2d0
> Code: 01 00 00 49 8b 5e 20 4c 39 e3 0f 84 b9 00 00 00 e8 e4 42 6e fe 48
> 8d 7b 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04
> 02 84 c0 74 08 3c 01 0f 8e d0 00 00 00 48 8d 7d 04 48 b8
> RSP: 0018:ffffc9000bc6f950 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff82c8bdec
> RDX: 0000000000000002 RSI: ffffc900030a8000 RDI: 0000000000000010
> RBP: ffff888112c8ce80 R08: 0000000000000004 R09: fffff5200178df1f
> R10: 0000000000000001 R11: fffff5200178df1f R12: ffff888115dc4430
> R13: ffff888115da8498 R14: ffff888115dc4410 R15: ffff888115da8000
> FS: 00007f20777de700(0000) GS:ffff88811b100000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b2f721000 CR3: 00000001173ca002 CR4: 0000000000360ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> port_pkey_list_insert+0xd7/0x7c0
> ib_security_modify_qp+0x6fa/0xfc0
> _ib_modify_qp+0x8c4/0xbf0
> modify_qp+0x10da/0x16d0
> ib_uverbs_modify_qp+0x9a/0x100
> ib_uverbs_write+0xaa5/0xdf0
> __vfs_write+0x7c/0x100
> vfs_write+0x168/0x4a0
> ksys_write+0xc8/0x200
> do_syscall_64+0x9c/0x390
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Fixes: d291f1a652329 ("IB/core: Enforce PKey security on QPs")
> Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
> Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> ---
> drivers/infiniband/core/security.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
As Maor explained below, the code is correct, so what is the resolution here?
Thanks
next prev parent reply other threads:[~2020-02-02 9:33 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-26 17:15 [PATCH rdma-next] RDMA/core: Fix protection fault in get_pkey_idx_qp_list Leon Romanovsky
2020-01-29 12:06 ` Gal Pressman
2020-01-29 12:14 ` Maor Gottlieb
2020-01-29 12:43 ` Gal Pressman
2020-01-29 20:11 ` Jason Gunthorpe
2020-01-30 7:32 ` Maor Gottlieb
2020-02-02 9:33 ` Leon Romanovsky [this message]
2020-02-05 19:16 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200202093308.GJ414821@unreal \
--to=leonro@mellanox.com \
--cc=danielj@mellanox.com \
--cc=dledford@redhat.com \
--cc=jgg@mellanox.com \
--cc=linux-rdma@vger.kernel.org \
--cc=maorg@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.