From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jason Gunthorpe Subject: Re: [PATCH rdma-rc 1/4] RDMA/mlx5: Fix out-of-bound access while querying AH Date: Mon, 15 Jan 2018 14:30:03 -0700 Message-ID: <20180115213003.GA6574@ziepe.ca> References: <20180112055842.23125-1-leon@kernel.org> <20180112055842.23125-2-leon@kernel.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Content-Disposition: inline In-Reply-To: <20180112055842.23125-2-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> Sender: linux-rdma-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: Leon Romanovsky Cc: Doug Ledford , RDMA mailing list , Bodong Wang , Jack Morgenstein , Parav Pandit , Leon Romanovsky List-Id: linux-rdma@vger.kernel.org On Fri, Jan 12, 2018 at 07:58:39AM +0200, Leon Romanovsky wrote: > From: Leon Romanovsky > > The rdma_ah_find_type() accesses the port array based on index. > > Such call to that function before actually checking the index leads > to the following out-of-bound crash. > > Disabling lock debugging due to kernel taint > > Cc: > Fixes: 44c58487d51a ("IB/core: Define 'ib' and 'roce' rdma_ah_attr types") > Signed-off-by: Leon Romanovsky > drivers/infiniband/hw/mlx5/qp.c | 7 +++---- > 1 file changed, 3 insertions(+), 4 deletions(-) Applied to for-rc, I revised the commit message to draw attention that this can be triggered from userspace. Thanks, Jason -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html