Date: Wed, 18 May 2016 10:20:12 -0700
From: Greg KH
To: Doug Ledford
Cc: stable@vger.kernel.org, linux-rdma@vger.kernel.org
Subject: Re: [PATCH] IB/security: Restrict use of the write() interface
Message-ID: <20160518172012.GA6879@kroah.com>
References: <02bf2ebafbc5d757c0d250d8e5fba3ebdc7393fd.1463590718.git.dledford@redhat.com>
In-Reply-To: <02bf2ebafbc5d757c0d250d8e5fba3ebdc7393fd.1463590718.git.dledford@redhat.com>

On Wed, May 18, 2016 at 12:58:38PM -0400, Doug Ledford wrote:
> From: Jason Gunthorpe
>
> The drivers/infiniband stack uses write() as a replacement for
> bi-directional ioctl(). This is not safe. There are ways to
> trigger write calls that result in the return structure that
> is normally written to user space being shunted off to user
> specified kernel memory instead.
>
> For the immediate repair, detect and deny suspicious accesses to
> the write API.
>
> For long term, update the user space libraries and the kernel API
> to something that doesn't present the same security vulnerabilities
> (likely a structured ioctl() interface).
>
> The impacted uAPI interfaces are generally only available if
> hardware from drivers/infiniband is installed in the system.
>
> Reported-by: Jann Horn
> Signed-off-by: Linus Torvalds
> Signed-off-by: Jason Gunthorpe
> [ Expanded check to all known write() entry points ]
> Cc: stable@vger.kernel.org # 3.14.x
> Signed-off-by: Doug Ledford
> [ Expanded to include removed ipath driver, and dropped non-existent
>   hfi1 driver ]
> ---
>  drivers/infiniband/core/ucm.c                |  4 ++++
>  drivers/infiniband/core/ucma.c               |  3 +++
>  drivers/infiniband/core/uverbs_main.c        |  5 +++++
>  drivers/infiniband/hw/ipath/ipath_file_ops.c |  5 +++++
>  drivers/infiniband/hw/qib/qib_file_ops.c     |  5 +++++
>  include/rdma/ib.h                            | 16 ++++++++++++++++
>  6 files changed, 38 insertions(+)

I don't understand, is this only for 3.14.x? If so, what is the git
commit id in Linus's tree for this?

thanks,

greg k-h