Revision 4b658d1bbc16605330694bb3ef2570c465ef383d authored by Leon Romanovsky on 25 March 2018, 08:23:55 UTC, committed by Jason Gunthorpe on 27 March 2018, 20:10:45 UTC
Add missing check that device is connected prior to access it.
[ 55.358652] BUG: KASAN: null-ptr-deref in rdma_init_qp_attr+0x4a/0x2c0
[ 55.359389] Read of size 8 at addr 00000000000000b0 by task qp/618
[ 55.360255]
[ 55.360432] CPU: 1 PID: 618 Comm: qp Not tainted 4.16.0-rc1-00071-gcaf61b1b8b88 #91
[ 55.361693] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[ 55.363264] Call Trace:
[ 55.363833] dump_stack+0x5c/0x77
[ 55.364215] kasan_report+0x163/0x380
[ 55.364610] ? rdma_init_qp_attr+0x4a/0x2c0
[ 55.365238] rdma_init_qp_attr+0x4a/0x2c0
[ 55.366410] ucma_init_qp_attr+0x111/0x200
[ 55.366846] ? ucma_notify+0xf0/0xf0
[ 55.367405] ? _get_random_bytes+0xea/0x1b0
[ 55.367846] ? urandom_read+0x2f0/0x2f0
[ 55.368436] ? kmem_cache_alloc_trace+0xd2/0x1e0
[ 55.369104] ? refcount_inc_not_zero+0x9/0x60
[ 55.369583] ? refcount_inc+0x5/0x30
[ 55.370155] ? rdma_create_id+0x215/0x240
[ 55.370937] ? _copy_to_user+0x4f/0x60
[ 55.371620] ? mem_cgroup_commit_charge+0x1f5/0x290
[ 55.372127] ? _copy_from_user+0x5e/0x90
[ 55.372720] ucma_write+0x174/0x1f0
[ 55.373090] ? ucma_close_id+0x40/0x40
[ 55.373805] ? __lru_cache_add+0xa8/0xd0
[ 55.374403] __vfs_write+0xc4/0x350
[ 55.374774] ? kernel_read+0xa0/0xa0
[ 55.375173] ? fsnotify+0x899/0x8f0
[ 55.375544] ? fsnotify_unmount_inodes+0x170/0x170
[ 55.376689] ? __fsnotify_update_child_dentry_flags+0x30/0x30
[ 55.377522] ? handle_mm_fault+0x174/0x320
[ 55.378169] vfs_write+0xf7/0x280
[ 55.378864] SyS_write+0xa1/0x120
[ 55.379270] ? SyS_read+0x120/0x120
[ 55.379643] ? mm_fault_error+0x180/0x180
[ 55.380071] ? task_work_run+0x7d/0xd0
[ 55.380910] ? __task_pid_nr_ns+0x120/0x140
[ 55.381366] ? SyS_read+0x120/0x120
[ 55.381739] do_syscall_64+0xeb/0x250
[ 55.382143] entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 55.382841] RIP: 0033:0x7fc2ef803e99
[ 55.383227] RSP: 002b:00007fffcc5f3be8 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
[ 55.384173] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc2ef803e99
[ 55.386145] RDX: 0000000000000057 RSI: 0000000020000080 RDI: 0000000000000003
[ 55.388418] RBP: 00007fffcc5f3c00 R08: 0000000000000000 R09: 0000000000000000
[ 55.390542] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000400480
[ 55.392916] R13: 00007fffcc5f3cf0 R14: 0000000000000000 R15: 0000000000000000
[ 55.521088] Code: e5 4d 1e ff 48 89 df 44 0f b6 b3 b8 01 00 00 e8 65 50 1e ff 4c 8b 2b 49
8d bd b0 00 00 00 e8 56 50 1e ff 41 0f b6 c6 48 c1 e0 04 <49> 03 85 b0 00 00 00 48 8d 78 08
48 89 04 24 e8 3a 4f 1e ff 48
[ 55.525980] RIP: rdma_init_qp_attr+0x52/0x2c0 RSP: ffff8801e2c2f9d8
[ 55.532648] CR2: 00000000000000b0
[ 55.534396] ---[ end trace 70cee64090251c0b ]---
Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Fixes: d541e45500bd ("IB/core: Convert ah_attr from OPA to IB when copying to user")
Reported-by: <syzbot+7b62c837c2516f8f38c8@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
1 parent 9137108
| File | Mode | Size |
|---|---|---|
| basic | ||
| coccinelle | ||
| dtc | ||
| gcc-plugins | ||
| gdb | ||
| genksyms | ||
| kconfig | ||
| ksymoops | ||
| mod | ||
| package | ||
| selinux | ||
| tracing | ||
| .gitignore | -rw-r--r-- | 162 bytes |
| Kbuild.include | -rw-r--r-- | 18.3 KB |
| Lindent | -rwxr-xr-x | 502 bytes |
| Makefile | -rw-r--r-- | 1.6 KB |
| Makefile.asm-generic | -rw-r--r-- | 1.2 KB |
| Makefile.build | -rw-r--r-- | 19.7 KB |
| Makefile.clean | -rw-r--r-- | 3.0 KB |
| Makefile.dtbinst | -rw-r--r-- | 1.1 KB |
| Makefile.extrawarn | -rw-r--r-- | 2.7 KB |
| Makefile.gcc-plugins | -rw-r--r-- | 3.6 KB |
| Makefile.headersinst | -rw-r--r-- | 4.0 KB |
| Makefile.host | -rw-r--r-- | 6.2 KB |
| Makefile.kasan | -rw-r--r-- | 1.4 KB |
| Makefile.kcov | -rw-r--r-- | 201 bytes |
| Makefile.lib | -rw-r--r-- | 15.4 KB |
| Makefile.modbuiltin | -rw-r--r-- | 1.8 KB |
| Makefile.modinst | -rw-r--r-- | 1.3 KB |
| Makefile.modpost | -rw-r--r-- | 5.5 KB |
| Makefile.modsign | -rw-r--r-- | 1.0 KB |
| Makefile.ubsan | -rw-r--r-- | 1014 bytes |
| adjust_autoksyms.sh | -rwxr-xr-x | 2.8 KB |
| asn1_compiler.c | -rw-r--r-- | 35.5 KB |
| bloat-o-meter | -rwxr-xr-x | 3.2 KB |
| bootgraph.pl | -rwxr-xr-x | 6.3 KB |
| check_00index.sh | -rwxr-xr-x | 1.3 KB |
| check_extable.sh | -rwxr-xr-x | 4.9 KB |
| checkincludes.pl | -rwxr-xr-x | 1.9 KB |
| checkkconfigsymbols.py | -rwxr-xr-x | 15.5 KB |
| checkpatch.pl | -rwxr-xr-x | 190.4 KB |
| checkstack.pl | -rwxr-xr-x | 5.5 KB |
| checksyscalls.sh | -rwxr-xr-x | 5.7 KB |
| checkversion.pl | -rwxr-xr-x | 1.9 KB |
| cleanfile | -rwxr-xr-x | 3.5 KB |
| cleanpatch | -rwxr-xr-x | 5.1 KB |
| coccicheck | -rwxr-xr-x | 7.2 KB |
| config | -rwxr-xr-x | 4.5 KB |
| conmakehash.c | -rw-r--r-- | 6.0 KB |
| const_structs.checkpatch | -rw-r--r-- | 964 bytes |
| decode_stacktrace.sh | -rwxr-xr-x | 3.7 KB |
| decodecode | -rwxr-xr-x | 2.5 KB |
| depmod.sh | -rwxr-xr-x | 1.7 KB |
| diffconfig | -rwxr-xr-x | 3.7 KB |
| documentation-file-ref-check | -rwxr-xr-x | 395 bytes |
| export_report.pl | -rwxr-xr-x | 4.5 KB |
| extract-cert.c | -rw-r--r-- | 3.5 KB |
| extract-ikconfig | -rwxr-xr-x | 1.7 KB |
| extract-module-sig.pl | -rwxr-xr-x | 3.7 KB |
| extract-sys-certs.pl | -rwxr-xr-x | 3.7 KB |
| extract-vmlinux | -rwxr-xr-x | 1.6 KB |
| extract_xc3028.pl | -rwxr-xr-x | 44.6 KB |
| faddr2line | -rwxr-xr-x | 5.5 KB |
| find-unused-docs.sh | -rwxr-xr-x | 1.3 KB |
| gcc-goto.sh | -rwxr-xr-x | 530 bytes |
| gcc-ld | -rwxr-xr-x | 711 bytes |
| gcc-plugin.sh | -rwxr-xr-x | 1.1 KB |
| gcc-version.sh | -rwxr-xr-x | 857 bytes |
| gcc-x86_32-has-stack-protector.sh | -rwxr-xr-x | 219 bytes |
| gcc-x86_64-has-stack-protector.sh | -rwxr-xr-x | 244 bytes |
| gen_initramfs_list.sh | -rwxr-xr-x | 8.0 KB |
| get_dvb_firmware | -rwxr-xr-x | 25.2 KB |
| get_maintainer.pl | -rwxr-xr-x | 65.0 KB |
| gfp-translate | -rwxr-xr-x | 1.7 KB |
| headerdep.pl | -rwxr-xr-x | 3.5 KB |
| headers.sh | -rwxr-xr-x | 512 bytes |
| headers_check.pl | -rwxr-xr-x | 3.7 KB |
| headers_install.sh | -rwxr-xr-x | 1.3 KB |
| insert-sys-cert.c | -rw-r--r-- | 8.9 KB |
| kallsyms.c | -rw-r--r-- | 18.7 KB |
| kernel-doc | -rwxr-xr-x | 60.0 KB |
| ld-version.sh | -rwxr-xr-x | 269 bytes |
| leaking_addresses.pl | -rwxr-xr-x | 9.6 KB |
| link-vmlinux.sh | -rwxr-xr-x | 7.6 KB |
| makelst | -rwxr-xr-x | 808 bytes |
| markup_oops.pl | -rwxr-xr-x | 8.1 KB |
| mkcompile_h | -rwxr-xr-x | 2.5 KB |
| mkmakefile | -rwxr-xr-x | 1.2 KB |
| mksysmap | -rwxr-xr-x | 1.3 KB |
| mkuboot.sh | -rwxr-xr-x | 414 bytes |
| module-common.lds | -rw-r--r-- | 901 bytes |
| namespace.pl | -rwxr-xr-x | 13.0 KB |
| objdiff | -rwxr-xr-x | 2.8 KB |
| parse-maintainers.pl | -rw-r--r-- | 3.7 KB |
| patch-kernel | -rwxr-xr-x | 9.9 KB |
| pnmtologo.c | -rw-r--r-- | 11.9 KB |
| profile2linkerlist.pl | -rwxr-xr-x | 414 bytes |
| prune-kernel | -rwxr-xr-x | 708 bytes |
| recordmcount.c | -rw-r--r-- | 17.2 KB |
| recordmcount.h | -rw-r--r-- | 16.4 KB |
| recordmcount.pl | -rwxr-xr-x | 18.0 KB |
| setlocalversion | -rwxr-xr-x | 3.9 KB |
| show_delta | -rwxr-xr-x | 3.0 KB |
| sign-file.c | -rw-r--r-- | 9.8 KB |
| sortextable.c | -rw-r--r-- | 8.4 KB |
| sortextable.h | -rw-r--r-- | 5.5 KB |
| spelling.txt | -rw-r--r-- | 25.0 KB |
| sphinx-pre-install | -rwxr-xr-x | 14.0 KB |
| stackdelta | -rwxr-xr-x | 1.8 KB |
| stackusage | -rwxr-xr-x | 794 bytes |
| tags.sh | -rwxr-xr-x | 9.5 KB |
| unifdef.c | -rw-r--r-- | 34.8 KB |
| ver_linux | -rwxr-xr-x | 2.9 KB |
| xen-hypercalls.sh | -rw-r--r-- | 386 bytes |
| xz_wrap.sh | -rwxr-xr-x | 562 bytes |
Computing file changes ...
