1. 25 Jul 2020, 3 commits
  2. 07 Jul 2020, 2 commits
  3. 03 Jun 2020, 2 commits
  4. 28 May 2020, 1 commit
  5. 22 May 2020, 2 commits
  6. 18 May 2020, 3 commits
  7. 05 Mar 2020, 1 commit
    • M
      RDMA/core: Fix protection fault in ib_mr_pool_destroy · e38b55ea
      Committed by Maor Gottlieb
      Fix NULL pointer dereference in the error flow of ib_create_qp_user
      when accessing uninitialized list pointers - rdma_mrs and sig_mrs.
      The following crash from syzkaller revealed it.
      
        kasan: GPF could be caused by NULL-ptr deref or user memory access
        general protection fault: 0000 [#1] SMP KASAN PTI
        CPU: 1 PID: 23167 Comm: syz-executor.1 Not tainted 5.5.0-rc5 #2
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
        rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
        RIP: 0010:ib_mr_pool_destroy+0x81/0x1f0
        Code: 00 00 fc ff df 49 c1 ec 03 4d 01 fc e8 a8 ea 72 fe 41 80 3c 24 00
        0f 85 62 01 00 00 48 8b 13 48 89 d6 4c 8d 6a c8 48 c1 ee 03 <42> 80 3c
        3e 00 0f 85 34 01 00 00 48 8d 7a 08 4c 8b 02 48 89 fe 48
        RSP: 0018:ffffc9000951f8b0 EFLAGS: 00010046
        RAX: 0000000000040000 RBX: ffff88810f268038 RCX: ffffffff82c41628
        RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc9000951f850
        RBP: ffff88810f268020 R08: 0000000000000004 R09: fffff520012a3f0a
        R10: 0000000000000001 R11: fffff520012a3f0a R12: ffffed1021e4d007
        R13: ffffffffffffffc8 R14: 0000000000000246 R15: dffffc0000000000
        FS:  00007f54bc788700(0000) GS:ffff88811b100000(0000)
        knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 0000000116920002 CR4: 0000000000360ee0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         rdma_rw_cleanup_mrs+0x15/0x30
         ib_destroy_qp_user+0x674/0x7d0
         ib_create_qp_user+0xb01/0x11c0
         create_qp+0x1517/0x2130
         ib_uverbs_create_qp+0x13e/0x190
         ib_uverbs_write+0xaa5/0xdf0
         __vfs_write+0x7c/0x100
         vfs_write+0x168/0x4a0
         ksys_write+0xc8/0x200
         do_syscall_64+0x9c/0x390
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x465b49
        Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
        f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
        f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
        RSP: 002b:00007f54bc787c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
        RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000465b49
        RDX: 0000000000000040 RSI: 0000000020000540 RDI: 0000000000000003
        RBP: 00007f54bc787c70 R08: 0000000000000000 R09: 0000000000000000
        R10: 0000000000000000 R11: 0000000000000246 R12: 00007f54bc7886bc
        R13: 00000000004ca2ec R14: 000000000070ded0 R15: 0000000000000005
      
      Fixes: a060b562 ("IB/core: generic RDMA READ/WRITE API")
      Link: https://lore.kernel.org/r/20200227112708.93023-1-leon@kernel.org
      Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
  8. 12 Feb 2020, 1 commit
    • A
      RDMA/core: Fix invalid memory access in spec_filter_size · a72f4ac1
      Committed by Avihai Horon
      Add a check that the size specified in the flow spec header doesn't cause
      an overflow when calculating the filter size, and thus prevent access to
      invalid memory.  The following crash from syzkaller revealed it.
      
        kasan: CONFIG_KASAN_INLINE enabled
        kasan: GPF could be caused by NULL-ptr deref or user memory access
        general protection fault: 0000 [#1] SMP KASAN PTI
        CPU: 1 PID: 17834 Comm: syz-executor.3 Not tainted 5.5.0-rc5 #2
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
        rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
        RIP: 0010:memchr_inv+0xd3/0x330
        Code: 89 f9 89 f5 83 e1 07 0f 85 f9 00 00 00 49 89 d5 49 c1 ed 03 45 85
        ed 74 6f 48 89 d9 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 <80> 3c 01
        00 0f 85 0d 02 00 00 44 0f b6 e5 48 b8 01 01 01 01 01 01
        RSP: 0018:ffffc9000a13fa50 EFLAGS: 00010202
        RAX: dffffc0000000000 RBX: 7fff88810de9d820 RCX: 0ffff11021bd3b04
        RDX: 000000000000fff8 RSI: 0000000000000000 RDI: 7fff88810de9d820
        RBP: 0000000000000000 R08: ffff888110d69018 R09: 0000000000000009
        R10: 0000000000000001 R11: ffffed10236267cc R12: 0000000000000004
        R13: 0000000000001fff R14: ffff88810de9d820 R15: 0000000000000040
        FS:  00007f9ee0e51700(0000) GS:ffff88811b100000(0000)
        knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 0000000115ea0006 CR4: 0000000000360ee0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         spec_filter_size.part.16+0x34/0x50
         ib_uverbs_kern_spec_to_ib_spec_filter+0x691/0x770
         ib_uverbs_ex_create_flow+0x9ea/0x1b40
         ib_uverbs_write+0xaa5/0xdf0
         __vfs_write+0x7c/0x100
         vfs_write+0x168/0x4a0
         ksys_write+0xc8/0x200
         do_syscall_64+0x9c/0x390
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x465b49
        Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
        f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
        f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
        RSP: 002b:00007f9ee0e50c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
        RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000465b49
        RDX: 00000000000003a0 RSI: 00000000200007c0 RDI: 0000000000000004
        RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
        R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ee0e516bc
        R13: 00000000004ca2da R14: 000000000070deb8 R15: 00000000ffffffff
        Modules linked in:
        Dumping ftrace buffer:
           (ftrace buffer empty)
      
      Fixes: 94e03f11 ("IB/uverbs: Add support for flow tag")
      Link: https://lore.kernel.org/r/20200126171500.4623-1-leon@kernel.org
      Signed-off-by: Avihai Horon <avihaih@mellanox.com>
      Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
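The size underflow described in the commit message above, modelled as an added example (not the kernel's code): a hypothetical u16 header size is subtracted from the header length, and the unchecked form wraps to a huge filter length while the checked form rejects it. The struct layout, function names and the -1 return convention are this example's assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header layout standing in for the flow spec header on the
 * page: the u16 size field counts the header plus the value/mask pair. */
struct spec_hdr {
    uint32_t type;
    uint16_t size;
    uint16_t reserved;
};

/* Unchecked form: the u16 size is promoted to size_t before the subtraction,
 * so a size smaller than the header wraps to a huge filter length. A later
 * byte scan over that many bytes walks off the end of the supplied spec. */
static size_t filter_size_unchecked(uint16_t hdr_size)
{
    return ((size_t)hdr_size - sizeof(struct spec_hdr)) / 2;
}

/* Checked form: reject any size that cannot hold the header itself, so the
 * subtraction never wraps. Returns -1 on rejection (the kernel fix reports
 * -EINVAL; the -1 here is this example's own convention). */
static long filter_size_checked(uint16_t hdr_size)
{
    size_t diff;

    if (__builtin_sub_overflow((size_t)hdr_size, sizeof(struct spec_hdr), &diff))
        return -1;
    return (long)(diff / 2);
}

/* Constructed sample sizes: 24 is an 8-byte header plus an 8-byte value and
 * an 8-byte mask; 4 is the malformed case, smaller than the header itself. */
int main(void)
{
    const uint16_t sizes[] = { 24, 4 };

    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("size=%u unchecked=%zu checked=%ld\n", sizes[i],
               filter_size_unchecked(sizes[i]), filter_size_checked(sizes[i]));
    return 0;
}
```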
  9. 17 Jan 2020, 2 commits
  10. 14 Jan 2020, 9 commits
  11. 07 Nov 2019, 1 commit
  12. 17 Sep 2019, 1 commit
  13. 22 Aug 2019, 2 commits
  14. 05 Jul 2019, 1 commit
  15. 24 Jun 2019, 2 commits
  16. 21 Jun 2019, 1 commit
  17. 12 Jun 2019, 1 commit
  18. 28 May 2019, 2 commits
  19. 03 May 2019, 2 commits
  20. 09 Apr 2019, 1 commit