Re: 4.13 ib_mthca NULL pointer dereference with OpenSM

[Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>]

[-- Attachment #1: Type: text/plain, Size: 1480 bytes --]

On Mon, Oct 30, 2017 at 10:24:35PM -0600, Jason Gunthorpe wrote:
> On Tue, Oct 31, 2017 at 03:16:42AM +0000, Parav Pandit wrote:
>
> > I am yet to review my below patch with Dan as he did most security
> > dev, but I suspect this might be the cause where rmpp list is not
> > initialized and mad processing is continued when security check
> > fails.
>
> This patch sure looks needed to me, ib_free_recv_mad touches
> rmpp_list, so if it needs initializion then it certainly has to be
> done earlier..

Right, it aligns with my analysis too.

>
> Adding the new return sure makes alot of sense as well..
>
> Hal, Ira, would you check this routine too? kernel oops's are bad..
>
> > diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
> > index f8f53bb..cb91245 100644
> > +++ b/drivers/infiniband/core/mad.c
> > @@ -1974,14 +1974,15 @@ static void ib_mad_complete_recv(struct ib_mad_agent_private *mad_agent_priv,
> >         unsigned long flags;
> >         int ret;
> >
> > +       INIT_LIST_HEAD(&mad_recv_wc->rmpp_list);
> >         ret = ib_mad_enforce_security(mad_agent_priv,
> >                                       mad_recv_wc->wc->pkey_index);
> >         if (ret) {
> >                 ib_free_recv_mad(mad_recv_wc);
> >                 deref_mad_agent(mad_agent_priv);
> > +               return;
> >         }
> >
> > -       INIT_LIST_HEAD(&mad_recv_wc->rmpp_list);
> >         list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list);

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]