From: Jason Gunthorpe <jgg@nvidia.com>
To: Leon Romanovsky <leon@kernel.org>
Cc: Doug Ledford <dledford@redhat.com>,
Leon Romanovsky <leonro@nvidia.com>,
Avihai Horon <avihaih@nvidia.com>,
linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org
Subject: Re: [PATCH rdma-rc] RDMA/core: Prevent divide-by-zero error triggered by the user
Date: Mon, 10 May 2021 16:22:29 -0300
Message-ID: <20210510192229.GC1121391@nvidia.com>
In-Reply-To: <b971cc70a8b240a8b5eda33c99fa0558a0071be2.1620657876.git.leonro@nvidia.com>
On Mon, May 10, 2021 at 05:46:00PM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@nvidia.com>
>
> The user_entry_size is supplied by the user and later used as a
> denominator to calculate the number of entries. A zero supplied by
> the user will trigger the following divide-by-zero error:
>
> divide error: 0000 [#1] SMP KASAN PTI
> CPU: 4 PID: 497 Comm: c_repro Not tainted 5.13.0-rc1+ #281
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_GID_TABLE+0x1b1/0x510
> Code: 87 59 03 00 00 e8 9f ab 1e ff 48 8d bd a8 00 00 00 e8 d3 70 41 ff 44 0f b7 b5 a8 00 00 00 e8 86 ab 1e ff 31 d2 4c 89 f0 31 ff <49> f7 f5 48 89 d6 48 89 54 24 10 48 89 04 24 e8 1b ad 1e ff 48 8b
> RSP: 0018:ffff88810416f828 EFLAGS: 00010246
> RAX: 0000000000000008 RBX: 1ffff1102082df09 RCX: ffffffff82183f3d
> RDX: 0000000000000000 RSI: ffff888105f2da00 RDI: 0000000000000000
> RBP: ffff88810416fa98 R08: 0000000000000001 R09: ffffed102082df5f
> R10: ffff88810416faf7 R11: ffffed102082df5e R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000008 R15: ffff88810416faf0
> FS: 00007f5715efa740(0000) GS:ffff88811a700000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020000840 CR3: 000000010c2e0001 CR4: 0000000000370ea0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> ? ib_uverbs_handler_UVERBS_METHOD_INFO_HANDLES+0x4b0/0x4b0
> ? __radix_tree_lookup+0x190/0x190
> ? write_comp_data+0x2a/0x80
> ? __sanitizer_cov_trace_pc+0x1d/0x50
> ? __bitmap_subset+0x9a/0x130
> ib_uverbs_cmd_verbs+0x1546/0x1940
> ? __kernel_text_address+0xe/0x30
> ? ib_uverbs_handler_UVERBS_METHOD_INFO_HANDLES+0x4b0/0x4b0
> ? uverbs_fill_udata+0x510/0x510
> ? putname+0xa8/0xc0
> ? kasan_set_free_info+0x20/0x30
> ? __kasan_slab_free+0xed/0x130
> ? kmem_cache_free+0x94/0x410
> ? putname+0xa8/0xc0
> ? do_sys_openat2+0x477/0x780
> ? do_sys_open+0xc8/0x150
> ? __sanitizer_cov_trace_pc+0x1d/0x50
> ? restore_nameidata+0x8a/0xb0
> ? __sanitizer_cov_trace_pc+0x1d/0x50
> ? do_filp_open+0x166/0x1f0
> ? should_fail+0x78/0x2a0
> ? may_open_dev+0x80/0x80
> ? write_comp_data+0x2a/0x80
> ? __sanitizer_cov_trace_pc+0x1d/0x50
> ib_uverbs_ioctl+0x186/0x240
> ? ib_uverbs_cmd_verbs+0x1940/0x1940
> ? fsnotify+0xba0/0xba0
> ? write_comp_data+0x2a/0x80
> ? write_comp_data+0x2a/0x80
> ? ib_uverbs_cmd_verbs+0x1940/0x1940
> __x64_sys_ioctl+0x38a/0x1220
> ? generic_block_fiemap+0x60/0x60
> ? putname+0xa8/0xc0
> ? __sanitizer_cov_trace_pc+0x1d/0x50
> ? do_sys_openat2+0x47c/0x780
> ? file_open_root+0x420/0x420
> ? __sanitizer_cov_trace_pc+0x1d/0x50
> ? cgroup_rstat_updated+0x66/0x1a0
> ? do_sys_open+0xc8/0x150
> ? filp_open+0x80/0x80
> ? write_comp_data+0x2a/0x80
> ? fpregs_assert_state_consistent+0x90/0xa0
> ? __sanitizer_cov_trace_pc+0x1d/0x50
> ? exit_to_user_mode_prepare+0x35/0x160
> do_syscall_64+0x3f/0x80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7f5715ff0f59
> Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 07 6f 0c 00 f7 d8 64 89 01 48
> RSP: 002b:00007ffd33031858 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5715ff0f59
> RDX: 0000000020000180 RSI: 00000000c0181b01 RDI: 0000000000000003
> RBP: 00007ffd33031870 R08: 00007ffd33031950 R09: 00007ffd33031950
> R10: 0000000000000000 R11: 0000000000000213 R12: 0000558a0989b060
> R13: 00007ffd33031950 R14: 0000000000000000 R15: 0000000000000000
> Modules linked in:
> Dumping ftrace buffer:
> (ftrace buffer empty)
> ---[ end trace 7776f38b0b269133 ]---
> RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_GID_TABLE+0x1b1/0x510
> Code: 87 59 03 00 00 e8 9f ab 1e ff 48 8d bd a8 00 00 00 e8 d3 70 41 ff 44 0f b7 b5 a8 00 00 00 e8 86 ab 1e ff 31 d2 4c 89 f0 31 ff <49> f7 f5 48 89 d6 48 89 54 24 10 48 89 04 24 e8 1b ad 1e ff 48 8b
> RSP: 0018:ffff88810416f828 EFLAGS: 00010246
> RAX: 0000000000000008 RBX: 1ffff1102082df09 RCX: ffffffff82183f3d
> RDX: 0000000000000000 RSI: ffff888105f2da00 RDI: 0000000000000000
> RBP: ffff88810416fa98 R08: 0000000000000001 R09: ffffed102082df5f
> R10: ffff88810416faf7 R11: ffffed102082df5e R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000008 R15: ffff88810416faf0
> FS: 00007f5715efa740(0000) GS:ffff88811a700000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020000840 CR3: 000000010c2e0001 CR4: 0000000000370ea0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Kernel panic - not syncing: Fatal exception
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 1 seconds..
>
> Fixes: 9f85cbe50aa0 ("RDMA/uverbs: Expose the new GID query API to user space")
> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> ---
> drivers/infiniband/core/uverbs_std_types_device.c | 3 +++
> 1 file changed, 3 insertions(+)
Applied to for-rc, thanks
Jason
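As an added example, not code from the patch or the kernel tree: a C model of the validation the quoted oops calls for, where a user-supplied entry size is checked before it is used as a divisor. The function name `query_gid_table_max_entries` and the constant `GID_ENTRY_MIN_SIZE` are hypothetical, and the minimum-size and whole-multiple checks go beyond the zero check the page describes.

```c
/* Added example, not the kernel's code: a model of validating a
 * user-controlled element size before it becomes a divisor.
 * query_gid_table_max_entries and GID_ENTRY_MIN_SIZE are hypothetical;
 * only the failure mode (zero divisor from user space) mirrors the oops. */
#include <stddef.h>
#include <limits.h>
#include <errno.h>

/* Hypothetical minimum ABI size of one GID table entry, in bytes. */
#define GID_ENTRY_MIN_SIZE 24

/*
 * Compute how many entries fit in a user-supplied response buffer.
 *
 * out_len:         length of the user's output buffer (from the ioctl attr)
 * user_entry_size: element size the user claims; an untrusted divisor
 *
 * Returns the entry count (> 0) or a negative errno value.
 */
long query_gid_table_max_entries(size_t out_len, size_t user_entry_size)
{
    /* The guard the quoted oops was missing: reject a zero divisor
     * before the division below can be reached. */
    if (user_entry_size == 0)
        return -EINVAL;

    /* An element smaller than the ABI struct would make the kernel
     * copy truncated entries into the buffer; reject it too. */
    if (user_entry_size < GID_ENTRY_MIN_SIZE)
        return -EINVAL;

    /* The buffer must hold a whole number of entries. */
    if (out_len % user_entry_size != 0)
        return -EINVAL;

    size_t n = out_len / user_entry_size;

    /* An empty buffer is useless, and the count must fit the return type. */
    if (n == 0 || n > (size_t)LONG_MAX)
        return -EINVAL;

    return (long)n;
}
```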