[PATCH 5.4/5.10 0/1] RDMA/i40iw: Fix potential NULL-ptr-dereference

[PATCH 5.4/5.10 0/1] RDMA/i40iw: Fix potential NULL-ptr-dereference

[Nikita Zhandarovich]

This is a modified backport of upstream commit 5d9745cead1f. It corrects
NULL pointer dereference in in_dev_for_each_ifa_rtnl() caused by
potential device unavailability. This issue can be triggered on
5.4/5.10 stable branches.

Changes had to be made to the modified source file in question. Patch
 drivers/infiniband/hw/i40iw/i40iw_cm.c
instead of:
 drivers/infiniband/hw/irdma/cm.c
due to switch from i40iw to irdma driver in commit fa0cf568fd76.
i40iw driver was removed and irdma was introduced as an alias to i40iw.

Other than the filename change, the patch remains the same and can be
cleanly applied to stable branches listed above.

[PATCH 5.4/5.10 1/1] RDMA/i40iw: Fix potential NULL-ptr-dereference

[Nikita Zhandarovich]

From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>

commit 5d9745cead1f121974322b94ceadfb4d1e67960e upstream.

in_dev_get() can return NULL which will cause a failure once idev is
dereferenced in in_dev_for_each_ifa_rtnl(). This patch adds a
check for NULL value in idev beforehand.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Changes made to the original patch during backporting:
Apply patch to drivers/infiniband/hw/i40iw/i40iw_cm.c instead of
drivers/infiniband/hw/irdma/cm.c due to the fact that kernel versions
5.10 and below use i40iw driver, not irdma.

Fixes: f27b4746f378 ("i40iw: add connection management code")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://lore.kernel.org/r/20230126185230.62464-1-n.zhandarovich@fintech.ru
---
 drivers/infiniband/hw/i40iw/i40iw_cm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c
index 3053c345a5a3..e1236ac502f2 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
@@ -1776,6 +1776,8 @@ static enum i40iw_status_code i40iw_add_mqh_4(
 			const struct in_ifaddr *ifa;
 
 			idev = in_dev_get(dev);
+			if (!idev)
+				continue;
 
 			in_dev_for_each_ifa_rtnl(ifa, idev) {
 				i40iw_debug(&iwdev->sc_dev,
-- 
2.25.1

Re: [PATCH 5.4/5.10 1/1] RDMA/i40iw: Fix potential NULL-ptr-dereference

[Greg Kroah-Hartman]

On Tue, Mar 14, 2023 at 06:44:56AM -0700, Nikita Zhandarovich wrote:
> From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
> 
> commit 5d9745cead1f121974322b94ceadfb4d1e67960e upstream.
> 
> in_dev_get() can return NULL which will cause a failure once idev is
> dereferenced in in_dev_for_each_ifa_rtnl(). This patch adds a
> check for NULL value in idev beforehand.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Changes made to the original patch during backporting:
> Apply patch to drivers/infiniband/hw/i40iw/i40iw_cm.c instead of
> drivers/infiniband/hw/irdma/cm.c due to the fact that kernel versions
> 5.10 and below use i40iw driver, not irdma.
> 
> Fixes: f27b4746f378 ("i40iw: add connection management code")
> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
> Link: https://lore.kernel.org/r/20230126185230.62464-1-n.zhandarovich@fintech.ru
> ---
>  drivers/infiniband/hw/i40iw/i40iw_cm.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c
> index 3053c345a5a3..e1236ac502f2 100644
> --- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
> +++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
> @@ -1776,6 +1776,8 @@ static enum i40iw_status_code i40iw_add_mqh_4(
>  			const struct in_ifaddr *ifa;
>  
>  			idev = in_dev_get(dev);
> +			if (!idev)
> +				continue;
>  
>  			in_dev_for_each_ifa_rtnl(ifa, idev) {
>  				i40iw_debug(&iwdev->sc_dev,

As this isn't anything that can be triggered by a normal system
operation, I'm going to drop it from the review queue.  Unless you have
a reproducer that can cause this to happen from userspace?

thanks,

greg k-h

Re: [PATCH 5.4/5.10 1/1] RDMA/i40iw: Fix potential NULL-ptr-dereference

[Nikita Zhandarovich]

On 3/15/23 01:00, Greg Kroah-Hartman wrote:
> On Tue, Mar 14, 2023 at 06:44:56AM -0700, Nikita Zhandarovich wrote:
>> From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
>>
>> commit 5d9745cead1f121974322b94ceadfb4d1e67960e upstream.
>>
>> in_dev_get() can return NULL which will cause a failure once idev is
>> dereferenced in in_dev_for_each_ifa_rtnl(). This patch adds a
>> check for NULL value in idev beforehand.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Changes made to the original patch during backporting:
>> Apply patch to drivers/infiniband/hw/i40iw/i40iw_cm.c instead of
>> drivers/infiniband/hw/irdma/cm.c due to the fact that kernel versions
>> 5.10 and below use i40iw driver, not irdma.
>>
>> Fixes: f27b4746f378 ("i40iw: add connection management code")
>> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
>> Link: https://lore.kernel.org/r/20230126185230.62464-1-n.zhandarovich@fintech.ru
>> ---
>>  drivers/infiniband/hw/i40iw/i40iw_cm.c | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c
>> index 3053c345a5a3..e1236ac502f2 100644
>> --- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
>> +++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
>> @@ -1776,6 +1776,8 @@ static enum i40iw_status_code i40iw_add_mqh_4(
>>  			const struct in_ifaddr *ifa;
>>  
>>  			idev = in_dev_get(dev);
>> +			if (!idev)
>> +				continue;
>>  
>>  			in_dev_for_each_ifa_rtnl(ifa, idev) {
>>  				i40iw_debug(&iwdev->sc_dev,
> 
> As this isn't anything that can be triggered by a normal system
> operation, I'm going to drop it from the review queue.  Unless you have
> a reproducer that can cause this to happen from userspace?
> 
> thanks,
> 
> greg k-h

Currently working on seeing whether a reproducer is feasible. It makes
sense to not include the patch until then.

thanks for your time,

Nikita