From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	Christopher Bednarz <christopher.n.bednarz@intel.com>,
	Shiraz Saleem <shiraz.saleem@intel.com>,
	Leon Romanovsky <leon@kernel.org>
Subject: [PATCH 5.4 02/94] RDMA/irdma: Prevent zero-length STAG registration
Date: Tue,  5 Dec 2023 12:16:30 +0900
Message-ID: <20231205031522.983727103@linuxfoundation.org>
In-Reply-To: <20231205031522.815119918@linuxfoundation.org>

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christopher Bednarz <christopher.n.bednarz@intel.com>

commit bb6d73d9add68ad270888db327514384dfa44958 upstream.

Currently irdma allows zero-length STAGs to be programmed in HW during
the kernel mode fast register flow. Zero-length MR or STAG registration
disables HW memory length checks.

Improve gaps in bounds checking in irdma by preventing zero-length STAG or
MR registrations except if the IB_PD_UNSAFE_GLOBAL_RKEY is set.

This addresses the disclosure CVE-2023-25775.

Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Christopher Bednarz <christopher.n.bednarz@intel.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Link: https://lore.kernel.org/r/20230818144838.1758-1-shiraz.saleem@intel.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/i40iw/i40iw_ctrl.c  |    6 ++++++
 drivers/infiniband/hw/i40iw/i40iw_type.h  |    2 ++
 drivers/infiniband/hw/i40iw/i40iw_verbs.c |   10 ++++++++--
 3 files changed, 16 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/i40iw/i40iw_ctrl.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_ctrl.c
@@ -2945,6 +2945,9 @@ static enum i40iw_status_code i40iw_sc_a
 	u64 header;
 	enum i40iw_page_size page_size;
 
+	if (!info->total_len && !info->all_memory)
+		return -EINVAL;
+
 	page_size = (info->page_size == 0x200000) ? I40IW_PAGE_SIZE_2M : I40IW_PAGE_SIZE_4K;
 	cqp = dev->cqp;
 	wqe = i40iw_sc_cqp_get_next_send_wqe(cqp, scratch);
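Review bot: the new early return hands back -EINVAL from a function declared as returning enum i40iw_status_code, so an errno value is being pushed through the driver's own status type. Callers that only test for non-zero will still see a failure, but anything that switches on or logs the status gets a value from a different namespace; consider returning one of the driver's i40iw_status_code error values here and translating to -EINVAL at the verbs layer.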
@@ -3003,6 +3006,9 @@ static enum i40iw_status_code i40iw_sc_m
 	u8 addr_type;
 	enum i40iw_page_size page_size;
 
+	if (!info->total_len && !info->all_memory)
+		return -EINVAL;
+
 	page_size = (info->page_size == 0x200000) ? I40IW_PAGE_SIZE_2M : I40IW_PAGE_SIZE_4K;
 	if (info->access_rights & (I40IW_ACCESS_FLAGS_REMOTEREAD_ONLY |
 				   I40IW_ACCESS_FLAGS_REMOTEWRITE_ONLY))
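Review bot: the `!info->total_len && !info->all_memory` test is now duplicated verbatim in two command builders with no comment saying why a zero length is rejected. A one-line comment (zero total_len disables the HW length check, so it is only allowed for the IB_PD_UNSAFE_GLOBAL_RKEY case) or a small shared helper would keep the two sites from drifting apart.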
--- a/drivers/infiniband/hw/i40iw/i40iw_type.h
+++ b/drivers/infiniband/hw/i40iw/i40iw_type.h
@@ -779,6 +779,7 @@ struct i40iw_allocate_stag_info {
 	bool use_hmc_fcn_index;
 	u8 hmc_fcn_index;
 	bool use_pf_rid;
+	bool all_memory;
 };
 
 struct i40iw_reg_ns_stag_info {
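Review bot: `all_memory` is added without a comment, and the name alone does not say that it is the only exemption from the zero-length check or that it is expected to mirror IB_PD_UNSAFE_GLOBAL_RKEY on the PD. A short field comment stating both would make the security role of the flag clear to the next person touching this struct.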
@@ -797,6 +798,7 @@ struct i40iw_reg_ns_stag_info {
 	bool use_hmc_fcn_index;
 	u8 hmc_fcn_index;
 	bool use_pf_rid;
+	bool all_memory;
 };
 
 struct i40iw_fast_reg_stag_info {
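Review bot: `struct i40iw_fast_reg_stag_info` directly below gets no equivalent field or check, although the commit message names the kernel mode fast register flow as the problem. If that path is covered only indirectly (through the non-zero length now set at allocation time), please say so in the commit message; otherwise the fast-register command needs the same zero-length rejection.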
--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
@@ -1500,7 +1500,8 @@ static int i40iw_handle_q_mem(struct i40
 static int i40iw_hw_alloc_stag(struct i40iw_device *iwdev, struct i40iw_mr *iwmr)
 {
 	struct i40iw_allocate_stag_info *info;
-	struct i40iw_pd *iwpd = to_iwpd(iwmr->ibmr.pd);
+	struct ib_pd *pd = iwmr->ibmr.pd;
+	struct i40iw_pd *iwpd = to_iwpd(pd);
 	enum i40iw_status_code status;
 	int err = 0;
 	struct i40iw_cqp_request *cqp_request;
@@ -1517,6 +1518,7 @@ static int i40iw_hw_alloc_stag(struct i4
 	info->stag_idx = iwmr->stag >> I40IW_CQPSQ_STAG_IDX_SHIFT;
 	info->pd_id = iwpd->sc_pd.pd_id;
 	info->total_len = iwmr->length;
+	info->all_memory = pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY;
 	info->remote_access = true;
 	cqp_info->cqp_cmd = OP_ALLOC_STAG;
 	cqp_info->post_sq = 1;
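Review bot: `info->all_memory = pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY;` stores a masked flag word into a bool through implicit conversion. That is correct for a C bool, but `!!(pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY)` makes the intent explicit and stays correct if the field type is ever changed to a bitfield or u8.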
@@ -1570,6 +1572,8 @@ static struct ib_mr *i40iw_alloc_mr(stru
 	iwmr->type = IW_MEMREG_TYPE_MEM;
 	palloc = &iwpbl->pble_alloc;
 	iwmr->page_cnt = max_num_sg;
+	/* Use system PAGE_SIZE as the sg page sizes are unknown at this point */
+	iwmr->length = max_num_sg * PAGE_SIZE;
 	mutex_lock(&iwdev->pbl_mutex);
 	status = i40iw_get_pble(&iwdev->sc_dev, iwdev->pble_rsrc, palloc, iwmr->page_cnt);
 	mutex_unlock(&iwdev->pbl_mutex);
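Review bot: `iwmr->length = max_num_sg * PAGE_SIZE;` still produces a zero length when max_num_sg is 0, and the visible code goes on to call i40iw_get_pble() with a page_cnt of 0 before anything rejects it. Checking max_num_sg at the top of i40iw_alloc_mr() and returning ERR_PTR(-EINVAL) would fail early instead of relying on the ctrl-layer check. The comment could also state that this length is an upper bound, not the size of what will eventually be mapped.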
@@ -1666,7 +1670,8 @@ static int i40iw_hwreg_mr(struct i40iw_d
 {
 	struct i40iw_pbl *iwpbl = &iwmr->iwpbl;
 	struct i40iw_reg_ns_stag_info *stag_info;
-	struct i40iw_pd *iwpd = to_iwpd(iwmr->ibmr.pd);
+	struct ib_pd *pd = iwmr->ibmr.pd;
+	struct i40iw_pd *iwpd = to_iwpd(pd);
 	struct i40iw_pble_alloc *palloc = &iwpbl->pble_alloc;
 	enum i40iw_status_code status;
 	int err = 0;
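Review bot: this function carries both `enum i40iw_status_code status` and `int err`, and the new ctrl-layer check reports the zero-length case as -EINVAL through the status value. Please confirm that the status-to-err conversion further down passes -EINVAL back to the caller rather than folding it into a generic errno, so users can tell a rejected zero-length registration from a resource failure.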
@@ -1686,6 +1691,7 @@ static int i40iw_hwreg_mr(struct i40iw_d
 	stag_info->total_len = iwmr->length;
 	stag_info->access_rights = access;
 	stag_info->pd_id = iwpd->sc_pd.pd_id;
+	stag_info->all_memory = pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY;
 	stag_info->addr_type = I40IW_ADDR_TYPE_VA_BASED;
 	stag_info->page_size = iwmr->page_size;
 


