From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Bart Van Assche <bart.vanassche@wdc.com>,
Moni Shoua <monis@mellanox.com>,
Jason Gunthorpe <jgg@mellanox.com>
Subject: [PATCH 4.9 40/95] RDMA/rxe: Fix an out-of-bounds read
Date: Sun, 22 Apr 2018 15:53:09 +0200 [thread overview]
Message-ID: <20180422135212.060555766@linuxfoundation.org> (raw)
In-Reply-To: <20180422135210.432103639@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@wdc.com>
commit a6544a624c3ff92a64e4aca3931fa064607bd3da upstream.
This patch avoids that KASAN reports the following when the SRP initiator
calls srp_post_send():
==================================================================
BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x5c4/0x980 [rdma_rxe]
Read of size 8 at addr ffff880066606e30 by task 02-mq/1074
CPU: 2 PID: 1074 Comm: 02-mq Not tainted 4.16.0-rc3-dbg+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
Call Trace:
dump_stack+0x85/0xc7
print_address_description+0x65/0x270
kasan_report+0x231/0x350
rxe_post_send+0x5c4/0x980 [rdma_rxe]
srp_post_send.isra.16+0x149/0x190 [ib_srp]
srp_queuecommand+0x94d/0x1670 [ib_srp]
scsi_dispatch_cmd+0x1c2/0x550 [scsi_mod]
scsi_queue_rq+0x843/0xa70 [scsi_mod]
blk_mq_dispatch_rq_list+0x143/0xac0
blk_mq_do_dispatch_ctx+0x1c5/0x260
blk_mq_sched_dispatch_requests+0x2bf/0x2f0
__blk_mq_run_hw_queue+0xdb/0x160
__blk_mq_delay_run_hw_queue+0xba/0x100
blk_mq_run_hw_queue+0xf2/0x190
blk_mq_sched_insert_request+0x163/0x2f0
blk_execute_rq+0xb0/0x130
scsi_execute+0x14e/0x260 [scsi_mod]
scsi_probe_and_add_lun+0x366/0x13d0 [scsi_mod]
__scsi_scan_target+0x18a/0x810 [scsi_mod]
scsi_scan_target+0x11e/0x130 [scsi_mod]
srp_create_target+0x1522/0x19e0 [ib_srp]
kernfs_fop_write+0x180/0x210
__vfs_write+0xb1/0x2e0
vfs_write+0xf6/0x250
SyS_write+0x99/0x110
do_syscall_64+0xee/0x2b0
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the page:
page:ffffea0001998180 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff880066606d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
ffff880066606d80: f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2
>ffff880066606e00: f2 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00 00
^
ffff880066606e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff880066606f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: Moni Shoua <monis@mellanox.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
@@ -747,9 +747,8 @@ static int init_send_wqe(struct rxe_qp *
memcpy(wqe->dma.sge, ibwr->sg_list,
num_sge * sizeof(struct ib_sge));
- wqe->iova = (mask & WR_ATOMIC_MASK) ?
- atomic_wr(ibwr)->remote_addr :
- rdma_wr(ibwr)->remote_addr;
+ wqe->iova = mask & WR_ATOMIC_MASK ? atomic_wr(ibwr)->remote_addr :
+ mask & WR_READ_OR_WRITE_MASK ? rdma_wr(ibwr)->remote_addr : 0;
wqe->mask = mask;
wqe->dma.length = length;
wqe->dma.resid = length;
next prev parent reply other threads:[~2018-04-22 13:53 UTC|newest]
Thread overview: 118+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-22 13:52 [PATCH 4.9 00/95] 4.9.96-stable review Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 01/95] tty: make n_tty_read() always abort if hangup is in progress Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 02/95] ubifs: Check ubifs_wbuf_sync() return code Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 03/95] ubi: fastmap: Dont flush fastmap work on detach Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 04/95] ubi: Fix error for write access Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 05/95] ubi: Reject MLC NAND Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 06/95] fs/reiserfs/journal.c: add missing resierfs_warning() arg Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 07/95] resource: fix integer overflow at reallocation Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 08/95] ipc/shm: fix use-after-free of shm file via remap_file_pages() Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 09/95] mm, slab: reschedule cache_reap() on the same CPU Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 10/95] usb: musb: gadget: misplaced out of bounds check Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 11/95] usb: gadget: udc: core: update usb_ep_queue() documentation Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 12/95] ARM: dts: at91: at91sam9g25: fix mux-mask pinctrl property Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 13/95] ARM: dts: exynos: Fix IOMMU support for GScaler devices on Exynos5250 Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 14/95] ARM: dts: at91: sama5d4: fix pinctrl compatible string Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 15/95] spi: Fix scatterlist elements size in spi_map_buf Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 16/95] xen-netfront: Fix hang on device removal Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 17/95] regmap: Fix reversed bounds check in regmap_raw_write() Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 18/95] ACPI / video: Add quirk to force acpi-video backlight on Samsung 670Z5E Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 19/95] ACPI / hotplug / PCI: Check presence of slot itself in get_slot_status() Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 20/95] USB: gadget: f_midi: fixing a possible double-free in f_midi Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 22/95] usb: dwc3: pci: Properly cleanup resource Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 23/95] smb3: Fix root directory when server returns inode number of zero Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 24/95] HID: i2c-hid: fix size check and type usage Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 25/95] powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write() Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 26/95] powerpc/64: Fix smp_wmb barrier definition use use lwsync consistently Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 27/95] powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 28/95] HID: Fix hid_report_len usage Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 29/95] HID: core: Fix size as type u32 Greg Kroah-Hartman
2018-04-22 13:52 ` [PATCH 4.9 30/95] ASoC: ssm2602: Replace reg_default_raw with reg_default Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 31/95] thunderbolt: Resume control channel after hibernation image is created Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 32/95] irqchip/gic: Take lock when updating irq type Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 33/95] random: use a tighter cap in credit_entropy_bits_safe() Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 34/95] jbd2: if the journal is aborted then dont allow update of the log tail Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 35/95] ext4: dont update checksum of new initialized bitmaps Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 36/95] ext4: protect i_disksize update by i_data_sem in direct write path Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 37/95] ext4: add validity checks for bitmap block numbers Greg Kroah-Hartman
2018-04-22 21:54 ` Ben Hutchings
2018-04-23 6:03 ` Theodore Y. Ts'o
2018-04-23 7:13 ` Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 38/95] ext4: fail ext4_iget for root directory if unallocated Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 39/95] RDMA/ucma: Dont allow setting RDMA_OPTION_IB_PATH without an RDMA device Greg Kroah-Hartman
2018-04-22 13:53 ` Greg Kroah-Hartman [this message]
2018-04-22 13:53 ` [PATCH 4.9 41/95] ALSA: pcm: Fix UAF at PCM release via PCM timer access Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 42/95] IB/srp: Fix srp_abort() Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 43/95] IB/srp: Fix completion vector assignment algorithm Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 44/95] dmaengine: at_xdmac: fix rare residue corruption Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 45/95] libnvdimm, namespace: use a safe lookup for dimm device name Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 46/95] nfit, address-range-scrub: fix scrub in-progress reporting Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 47/95] um: Compile with modern headers Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 48/95] um: Use POSIX ucontext_t instead of struct ucontext Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 49/95] iommu/vt-d: Fix a potential memory leak Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 50/95] mmc: jz4740: Fix race condition in IRQ mask update Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 51/95] clk: mvebu: armada-38x: add support for 1866MHz variants Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 52/95] clk: mvebu: armada-38x: add support for missing clocks Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 53/95] clk: fix false-positive Wmaybe-uninitialized warning Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 54/95] clk: bcm2835: De-assert/assert PLL reset signal when appropriate Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 55/95] pwm: rcar: Fix a condition to prevent mismatch value setting to duty Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 56/95] thermal: imx: Fix race condition in imx_thermal_probe() Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 57/95] dt-bindings: clock: mediatek: add binding for fixed-factor clock axisel_d4 Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 58/95] watchdog: f71808e_wdt: Fix WD_EN register read Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 59/95] vfio/pci: Virtualize Maximum Read Request Size Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 60/95] ALSA: pcm: Use ERESTARTSYS instead of EINTR in OSS emulation Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 61/95] ALSA: pcm: Avoid potential races between OSS ioctls and read/write Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 62/95] ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 63/95] ALSA: pcm: Fix mutex unbalance in OSS emulation ioctls Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 64/95] ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 65/95] ext4: dont allow r/w mounts if metadata blocks overlap the superblock Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 66/95] drm/amdgpu: Add an ATPX quirk for hybrid laptop Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 69/95] drm/rockchip: Clear all interrupts before requesting the IRQ Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 72/95] ALSA: rawmidi: Fix missing input substream checks in compat ioctls Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 73/95] ALSA: hda - New VIA controller suppor no-snoop path Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 74/95] random: fix crng_ready() test Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 75/95] random: set up the NUMA crng instances after the CRNG is fully initialized Greg Kroah-Hartman
2018-04-22 22:28 ` Ben Hutchings
2018-04-23 7:15 ` Greg Kroah-Hartman
2018-04-23 10:21 ` Tetsuo Handa
2018-04-23 15:56 ` Theodore Y. Ts'o
2018-04-23 18:01 ` Greg KH
2018-04-26 6:04 ` Ingo Molnar
2018-04-26 6:46 ` Tetsuo Handa
2018-04-26 6:53 ` Tetsuo Handa
2018-04-26 17:29 ` Theodore Y. Ts'o
2018-04-27 9:44 ` Ingo Molnar
2018-04-23 7:21 ` Salvatore Bonaccorso
2018-04-23 18:11 ` Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 76/95] random: crng_reseed() should lock the crng instance that it is modifying Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 77/95] random: add new ioctl RNDRESEEDCRNG Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 78/95] HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 79/95] MIPS: uaccess: Add micromips clobbers to bzero invocation Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 80/95] MIPS: memset.S: EVA & fault support for small_memset Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 81/95] MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 82/95] MIPS: memset.S: Fix clobber of v1 in last_fixup Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 83/95] powerpc/eeh: Fix enabling bridge MMIO windows Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 84/95] powerpc/lib: Fix off-by-one in alternate feature patching Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 85/95] udf: Fix leak of UTF-16 surrogates into encoded strings Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 86/95] jffs2_kill_sb(): deal with failed allocations Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 87/95] hypfs_kill_super(): " Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 88/95] orangefs_kill_sb(): deal with allocation failures Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 89/95] rpc_pipefs: fix double-dput() Greg Kroah-Hartman
2018-04-22 13:53 ` [PATCH 4.9 90/95] Dont leak MNT_INTERNAL away from internal mounts Greg Kroah-Hartman
2018-04-22 13:54 ` [PATCH 4.9 91/95] autofs: mount point create should honour passed in mode Greg Kroah-Hartman
2018-04-22 13:54 ` [PATCH 4.9 92/95] mm/filemap.c: fix NULL pointer in page_cache_tree_insert() Greg Kroah-Hartman
2018-04-22 13:54 ` [PATCH 4.9 93/95] fanotify: fix logic of events on child Greg Kroah-Hartman
2018-04-22 13:54 ` [PATCH 4.9 94/95] writeback: safer lock nesting Greg Kroah-Hartman
2018-04-22 13:54 ` [PATCH 4.9 95/95] block/mq: fix potential deadlock during cpu hotplug Greg Kroah-Hartman
2018-04-23 9:54 ` [PATCH 4.9 00/95] 4.9.96-stable review Naresh Kamboju
2018-04-23 16:53 ` Guenter Roeck
2018-04-23 16:53 ` Naresh Kamboju
2018-04-23 16:57 ` Greg Kroah-Hartman
2018-04-23 18:01 ` Greg Kroah-Hartman
2018-04-23 22:25 ` Dan Rue
2018-04-24 7:26 ` Greg Kroah-Hartman
2018-04-24 17:23 ` Dan Rue
2018-04-24 17:35 ` Mark Brown
2018-04-24 17:46 ` Guenter Roeck
2018-04-23 18:04 ` Greg Kroah-Hartman
2018-04-24 0:41 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180422135212.060555766@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bart.vanassche@wdc.com \
--cc=jgg@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=monis@mellanox.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).