From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Christopher Bednarz <christopher.n.bednarz@intel.com>,
Shiraz Saleem <shiraz.saleem@intel.com>,
Leon Romanovsky <leon@kernel.org>
Subject: [PATCH 4.14 01/30] RDMA/irdma: Prevent zero-length STAG registration
Date: Tue, 5 Dec 2023 12:16:08 +0900
Message-ID: <20231205031511.571552355@linuxfoundation.org>
In-Reply-To: <20231205031511.476698159@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Christopher Bednarz <christopher.n.bednarz@intel.com>

commit bb6d73d9add68ad270888db327514384dfa44958 upstream.

Currently irdma allows zero-length STAGs to be programmed in HW during
the kernel mode fast register flow. Zero-length MR or STAG registration
disables HW memory length checks.

Improve gaps in bounds checking in irdma by preventing zero-length STAG or
MR registrations except if the IB_PD_UNSAFE_GLOBAL_RKEY is set.

This addresses the disclosure CVE-2023-25775.

Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Christopher Bednarz <christopher.n.bednarz@intel.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Link: https://lore.kernel.org/r/20230818144838.1758-1-shiraz.saleem@intel.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/i40iw/i40iw_ctrl.c | 6 ++++++
drivers/infiniband/hw/i40iw/i40iw_type.h | 2 ++
drivers/infiniband/hw/i40iw/i40iw_verbs.c | 10 ++++++++--
3 files changed, 16 insertions(+), 2 deletions(-)
--- a/drivers/infiniband/hw/i40iw/i40iw_ctrl.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_ctrl.c
@@ -2853,6 +2853,9 @@ static enum i40iw_status_code i40iw_sc_a
u64 header;
enum i40iw_page_size page_size;
+ if (!info->total_len && !info->all_memory)
+ return -EINVAL;
+
page_size = (info->page_size == 0x200000) ? I40IW_PAGE_SIZE_2M : I40IW_PAGE_SIZE_4K;
cqp = dev->cqp;
wqe = i40iw_sc_cqp_get_next_send_wqe(cqp, scratch);
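
Review bot: the added guard returns -EINVAL from a function whose return type, per the hunk header, is enum i40iw_status_code, so an errno value is being passed through the driver's own status enum. A caller that only tests for non-zero will still see a failure, but one that compares against specific enum members or translates the status will not recognise the value. Return a member of enum i40iw_status_code here and let the verbs layer map it to an errno.
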
@@ -2911,6 +2914,9 @@ static enum i40iw_status_code i40iw_sc_m
u8 addr_type;
enum i40iw_page_size page_size;
+ if (!info->total_len && !info->all_memory)
+ return -EINVAL;
+
page_size = (info->page_size == 0x200000) ? I40IW_PAGE_SIZE_2M : I40IW_PAGE_SIZE_4K;
if (info->access_rights & (I40IW_ACCESS_FLAGS_REMOTEREAD_ONLY |
I40IW_ACCESS_FLAGS_REMOTEWRITE_ONLY))
--- a/drivers/infiniband/hw/i40iw/i40iw_type.h
+++ b/drivers/infiniband/hw/i40iw/i40iw_type.h
@@ -780,6 +780,7 @@ struct i40iw_allocate_stag_info {
bool use_hmc_fcn_index;
u8 hmc_fcn_index;
bool use_pf_rid;
+ bool all_memory;
};
struct i40iw_reg_ns_stag_info {
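
Review bot: the new bool all_memory in struct i40iw_allocate_stag_info has no comment, yet it is the field that switches off the zero-length rejection added in i40iw_ctrl.c. A one-line comment stating that it mirrors IB_PD_UNSAFE_GLOBAL_RKEY on the owning PD, and that it is the only case in which total_len == 0 is accepted, would keep a later caller from setting it casually.
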
@@ -798,6 +799,7 @@ struct i40iw_reg_ns_stag_info {
bool use_hmc_fcn_index;
u8 hmc_fcn_index;
bool use_pf_rid;
+ bool all_memory;
};
struct i40iw_fast_reg_stag_info {
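
Review bot: struct i40iw_fast_reg_stag_info, which starts right after this hunk, gets no all_memory field, and none of the hunks in this patch adds a zero-length check on the fast-register path itself, although the changelog names the kernel mode fast register flow as the problem. If the intent is that bounding the STAG at allocation time (iwmr->length set in i40iw_alloc_mr) is sufficient, say so in the changelog; otherwise the fast-register path needs the same total_len check.
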
--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
@@ -1579,7 +1579,8 @@ static int i40iw_handle_q_mem(struct i40
static int i40iw_hw_alloc_stag(struct i40iw_device *iwdev, struct i40iw_mr *iwmr)
{
struct i40iw_allocate_stag_info *info;
- struct i40iw_pd *iwpd = to_iwpd(iwmr->ibmr.pd);
+ struct ib_pd *pd = iwmr->ibmr.pd;
+ struct i40iw_pd *iwpd = to_iwpd(pd);
enum i40iw_status_code status;
int err = 0;
struct i40iw_cqp_request *cqp_request;
@@ -1596,6 +1597,7 @@ static int i40iw_hw_alloc_stag(struct i4
info->stag_idx = iwmr->stag >> I40IW_CQPSQ_STAG_IDX_SHIFT;
info->pd_id = iwpd->sc_pd.pd_id;
info->total_len = iwmr->length;
+ info->all_memory = pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY;
info->remote_access = true;
cqp_info->cqp_cmd = OP_ALLOC_STAG;
cqp_info->post_sq = 1;
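
Review bot: info->all_memory = pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY stores a masked flags word into a bool and relies on the implicit conversion to yield true for any non-zero result. Writing it as !!(pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY) makes the intent explicit and stays correct if the field is ever changed to an integer type; the same applies to the matching assignment in i40iw_hwreg_mr.
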
@@ -1649,6 +1651,8 @@ static struct ib_mr *i40iw_alloc_mr(stru
iwmr->type = IW_MEMREG_TYPE_MEM;
palloc = &iwpbl->pble_alloc;
iwmr->page_cnt = max_num_sg;
+ /* Use system PAGE_SIZE as the sg page sizes are unknown at this point */
+ iwmr->length = max_num_sg * PAGE_SIZE;
mutex_lock(&iwdev->pbl_mutex);
status = i40iw_get_pble(&iwdev->sc_dev, iwdev->pble_rsrc, palloc, iwmr->page_cnt);
mutex_unlock(&iwdev->pbl_mutex);
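
Review bot: iwmr->length = max_num_sg * PAGE_SIZE evaluates to 0 when the caller passes max_num_sg == 0, and this hunk shows no check on max_num_sg before page_cnt and length are derived from it. That case is then left to the new total_len guard in i40iw_ctrl.c, and it is accepted on a PD that has IB_PD_UNSAFE_GLOBAL_RKEY set. Rejecting max_num_sg == 0 at the top of i40iw_alloc_mr would fail earlier and would not depend on the PD flag.
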
@@ -1745,7 +1749,8 @@ static int i40iw_hwreg_mr(struct i40iw_d
{
struct i40iw_pbl *iwpbl = &iwmr->iwpbl;
struct i40iw_reg_ns_stag_info *stag_info;
- struct i40iw_pd *iwpd = to_iwpd(iwmr->ibmr.pd);
+ struct ib_pd *pd = iwmr->ibmr.pd;
+ struct i40iw_pd *iwpd = to_iwpd(pd);
struct i40iw_pble_alloc *palloc = &iwpbl->pble_alloc;
enum i40iw_status_code status;
int err = 0;
@@ -1765,6 +1770,7 @@ static int i40iw_hwreg_mr(struct i40iw_d
stag_info->total_len = iwmr->length;
stag_info->access_rights = access;
stag_info->pd_id = iwpd->sc_pd.pd_id;
+ stag_info->all_memory = pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY;
stag_info->addr_type = I40IW_ADDR_TYPE_VA_BASED;
stag_info->page_size = iwmr->page_size;