From: Sasha Levin
To: "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
CC: Leon Romanovsky, syzkaller, Doug Ledford, Sasha Levin
Subject: [PATCH AUTOSEL for 4.14 086/100] RDMA/netlink: Fix general protection fault
Date: Sun, 28 Jan 2018 22:26:55 +0000
Message-ID: <20180128222547.7398-86-alexander.levin@microsoft.com>
References: <20180128222547.7398-1-alexander.levin@microsoft.com>
In-Reply-To: <20180128222547.7398-1-alexander.levin@microsoft.com>

From: Leon Romanovsky

[ Upstream commit d0e312fe3d34c1bc014a7f8ec6540d05e8077483 ]

The RDMA netlink core code checks validity of messages by ensuring
that type and operand are in range. It works well for almost all clients
except NLDEV, which has cb_table less than number of operands. Request to
access such operand will trigger the following kernel panic.

This patch updates all places where cb_table is declared for the
consistency, but only NLDEV actually needs it.

general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 0 PID: 522 Comm: syz-executor6 Not tainted 4.13.0+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
task: ffff8800657799c0 task.stack: ffff8800695d000
RIP: 0010:rdma_nl_rcv_msg+0x13a/0x4c0
RSP: 0018:ffff8800695d7838 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 1ffff1000d2baf0b RCX: 00000000704ff4d7
RDX: 0000000000000000 RSI: ffffffff81ddb03c RDI: 00000003827fa6bc
RBP: ffff8800695d7900 R08: ffffffff82ec0578 R09: 0000000000000000
R10: ffff8800695d7900 R11: 0000000000000001 R12: 000000000000001c
R13: ffff880069d31e00 R14: 00000000ffffffff R15: ffff880069d357c0
FS: 00007fee6acb8700(0000) GS:ffff88006ca00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000201a9000 CR3: 0000000059766000 CR4: 00000000000006b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ? rdma_nl_multicast+0x80/0x80
 rdma_nl_rcv+0x36b/0x4d0
 ? ibnl_put_attr+0xc0/0xc0
 netlink_unicast+0x4bd/0x6d0
 ? netlink_sendskb+0x50/0x50
 ? drop_futex_key_refs.isra.4+0x68/0xb0
 netlink_sendmsg+0x9ab/0xbd0
 ? nlmsg_notify+0x140/0x140
 ? wake_up_q+0xa1/0xf0
 ? drop_futex_key_refs.isra.4+0x68/0xb0
 sock_sendmsg+0x88/0xd0
 sock_write_iter+0x228/0x3c0
 ? sock_sendmsg+0xd0/0xd0
 ? do_futex+0x3e5/0xb20
 ? iov_iter_init+0xaf/0x1d0
 __vfs_write+0x46e/0x640
 ? sched_clock_cpu+0x1b/0x190
 ? __vfs_read+0x620/0x620
 ? __fget+0x23a/0x390
 ? rw_verify_area+0xca/0x290
 vfs_write+0x192/0x490
 SyS_write+0xde/0x1c0
 ? SyS_read+0x1c0/0x1c0
 ? trace_hardirqs_on_thunk+0x1a/0x1c
 entry_SYSCALL_64_fastpath+0x18/0xad
RIP: 0033:0x7fee6a74a219
RSP: 002b:00007fee6acb7d58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000638000 RCX: 00007fee6a74a219
RDX: 0000000000000078 RSI: 0000000020141000 RDI: 0000000000000006
RBP: 0000000000000046 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: ffff8800695d7f98
R13: 0000000020141000 R14: 0000000000000006 R15: 00000000ffffffff
Code: d6 48 b8 00 00 00 00 00 fc ff df 66 41 81 e4 ff 03 44 8d 72 ff 4a 8d 3c b5 c0 a6 7f 82 44 89 b5 4c ff ff ff 48 89 f9 48 c1 e9 03 <0f> b6 0c 01 48 89 f8 83 e0 07 83 c0 03 38 c8 7c 08 84 c9 0f 85
RIP: rdma_nl_rcv_msg+0x13a/0x4c0 RSP: ffff8800695d7838
---[ end trace ba085d123959c8ec ]---
Kernel panic - not syncing: Fatal exception

Cc: syzkaller
Fixes: b4c598a67ea1 ("RDMA/netlink: Implement nldev device dumpit calback")
Reviewed-by: Mark Bloch
Signed-off-by: Leon Romanovsky
Signed-off-by: Doug Ledford
Signed-off-by: Sasha Levin
---
 drivers/infiniband/core/cma.c    | 2 +-
 drivers/infiniband/core/device.c | 2 +-
 drivers/infiniband/core/iwcm.c   | 2 +-
 drivers/infiniband/core/nldev.c  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c index 09063f0d86d2..e457dface2d2 100644 --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c @@ -4462,7 +4462,7 @@ static int cma_get_id_stats(struct sk_buff *skb, stru= ct netlink_callback *cb) return skb->len; } =20 -static const struct rdma_nl_cbs cma_cb_table[] =3D { +static const struct rdma_nl_cbs cma_cb_table[RDMA_NL_RDMA_CM_NUM_OPS] =3D = { [RDMA_NL_RDMA_CM_ID_STATS] =3D { .dump =3D cma_get_id_stats}, }; =20 
diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/dev= ice.c index 5e1be4949d5f..30914f3baa5f 100644 --- a/drivers/infiniband/core/device.c +++ b/drivers/infiniband/core/device.c @@ -1146,7 +1146,7 @@ struct net_device *ib_get_net_dev_by_params(struct ib= _device *dev, } EXPORT_SYMBOL(ib_get_net_dev_by_params); =20 -static const struct rdma_nl_cbs ibnl_ls_cb_table[] =3D { +static const struct rdma_nl_cbs ibnl_ls_cb_table[RDMA_NL_LS_NUM_OPS] =3D { [RDMA_NL_LS_OP_RESOLVE] =3D { .doit =3D ib_nl_handle_resolve_resp, .flags =3D RDMA_NL_ADMIN_PERM, diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.= c index fcf42f6bb82a..30d7277249b8 100644 --- a/drivers/infiniband/core/iwcm.c +++ b/drivers/infiniband/core/iwcm.c @@ -80,7 +80,7 @@ const char *__attribute_const__ iwcm_reject_msg(int reaso= n) } EXPORT_SYMBOL(iwcm_reject_msg); =20 -static struct rdma_nl_cbs iwcm_nl_cb_table[] =3D { +static struct rdma_nl_cbs iwcm_nl_cb_table[RDMA_NL_IWPM_NUM_OPS] =3D { [RDMA_NL_IWPM_REG_PID] =3D {.dump =3D iwpm_register_pid_cb}, [RDMA_NL_IWPM_ADD_MAPPING] =3D {.dump =3D iwpm_add_mapping_cb}, [RDMA_NL_IWPM_QUERY_MAPPING] =3D {.dump =3D iwpm_add_and_query_mapping_cb= }, diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nlde= v.c index 2fae850a3eff..9a05245a1acf 100644 --- a/drivers/infiniband/core/nldev.c +++ b/drivers/infiniband/core/nldev.c @@ -303,7 +303,7 @@ out: cb->args[0] =3D idx; return skb->len; } =20 -static const struct rdma_nl_cbs nldev_cb_table[] =3D { +static const struct rdma_nl_cbs nldev_cb_table[RDMA_NLDEV_NUM_OPS] =3D { [RDMA_NLDEV_CMD_GET] =3D { .doit =3D nldev_get_doit, .dump =3D nldev_get_dumpit, --=20 2.11.0
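
Review bot: in the nldev.c hunk, sizing nldev_cb_table to RDMA_NLDEV_NUM_OPS means every in-range op without a designated initializer (only [RDMA_NLDEV_CMD_GET] is visible here) now resolves to a zero-filled entry whose .doit and .dump are NULL. The dispatcher is not part of this diff, so the backport should confirm that rdma_nl_rcv_msg in 4.14 rejects an entry with no callback before calling through it; otherwise the out-of-bounds read from the trace is traded for a NULL function-pointer call. A sentence in the commit message saying that empty slots are handled by the core would settle it.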
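
Review bot: in the iwcm.c hunk, iwcm_nl_cb_table stays "static struct rdma_nl_cbs" while the three other tables touched by this patch are "static const struct rdma_nl_cbs". If nothing writes to the table after initialization, declaring it const would be consistent with the others and would keep a table of function pointers in read-only data. That is a separate cleanup rather than part of this fix, but the line is already being changed here.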
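
Review bot: the cma.c and device.c hunks, like the other two, tie the array length to the matching *_NUM_OPS constant only by convention at each declaration, and per the commit message the core's range check relies on that constant rather than on the real table length. A future client declared with "[]" would bring back the same out-of-bounds access. Consider having the core bound the index by the actual table size (for example by passing ARRAY_SIZE() of the table when the client registers), or adding a BUILD_BUG_ON next to each table that compares ARRAY_SIZE() with the NUM_OPS value, so the mismatch fails at build time instead of at runtime.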