  1. 17 May, 2020 2 commits
  2. 04 Mar, 2020 1 commit
    • 
      RDMA/core: Fix protection fault in ib_mr_pool_destroy · e38b55ea
      Maor Gottlieb authored
      Fix NULL pointer dereference in the error flow of ib_create_qp_user
      when accessing uninitialized list pointers - rdma_mrs and sig_mrs.
      The following crash from syzkaller revealed it.
      
        kasan: GPF could be caused by NULL-ptr deref or user memory access
        general protection fault: 0000 [#1] SMP KASAN PTI
        CPU: 1 PID: 23167 Comm: syz-executor.1 Not tainted 5.5.0-rc5 #2
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
        rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
        RIP: 0010:ib_mr_pool_destroy+0x81/0x1f0
        Code: 00 00 fc ff df 49 c1 ec 03 4d 01 fc e8 a8 ea 72 fe 41 80 3c 24 00
        0f 85 62 01 00 00 48 8b 13 48 89 d6 4c 8d 6a c8 48 c1 ee 03 <42> 80 3c
        3e 00 0f 85 34 01 00 00 48 8d 7a 08 4c 8b 02 48 89 fe 48
        RSP: 0018:ffffc9000951f8b0 EFLAGS: 00010046
        RAX: 0000000000040000 RBX: ffff88810f268038 RCX: ffffffff82c41628
        RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc9000951f850
        RBP: ffff88810f268020 R08: 0000000000000004 R09: fffff520012a3f0a
        R10: 0000000000000001 R11: fffff520012a3f0a R12: ffffed1021e4d007
        R13: ffffffffffffffc8 R14: 0000000000000246 R15: dffffc0000000000
        FS:  00007f54bc788700(0000) GS:ffff88811b100000(0000)
        knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 0000000116920002 CR4: 0000000000360ee0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         rdma_rw_cleanup_mrs+0x15/0x30
         ib_destroy_qp_user+0x674/0x7d0
         ib_create_qp_user+0xb01/0x11c0
         create_qp+0x1517/0x2130
         ib_uverbs_create_qp+0x13e/0x190
         ib_uverbs_write+0xaa5/0xdf0
         __vfs_write+0x7c/0x100
         vfs_write+0x168/0x4a0
         ksys_write+0xc8/0x200
         do_syscall_64+0x9c/0x390
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x465b49
        Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
        f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
        f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
        RSP: 002b:00007f54bc787c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
        RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000465b49
        RDX: 0000000000000040 RSI: 0000000020000540 RDI: 0000000000000003
        RBP: 00007f54bc787c70 R08: 0000000000000000 R09: 0000000000000000
        R10: 0000000000000000 R11: 0000000000000246 R12: 00007f54bc7886bc
        R13: 00000000004ca2ec R14: 000000000070ded0 R15: 0000000000000005
      
      Fixes: a060b562 ("IB/core: generic RDMA READ/WRITE API")
      Link: https://lore.kernel.org/r/20200227112708.93023-1-leon@kernel.org
      Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
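The fix above depends on an ordering rule that is easy to get wrong in any create-then-unwind path: the cleanup routine walks rdma_mrs and sig_mrs no matter how far creation got, so those list heads must be initialised before the first step that can fail. The following added example (user-space C written for this page, not the kernel's list.h or ib_create_qp_user) models the pattern with a minimal intrusive list; the struct names, the fail_hw switch and the error codes are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Minimal circular intrusive list in the style of the kernel's list.h.
 * Added example code, not the kernel's implementation. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }

static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

/* Hypothetical MR and QP: only the fields the cleanup path touches. */
struct mr { struct list_head entry; /* first member: node == struct mr */ };

struct qp {
    struct list_head rdma_mrs;
    struct list_head sig_mrs;
};

/* Frees every MR on the pool and returns the count. It walks the list
 * unconditionally, as a cleanup path does, so the head must be a valid
 * (possibly empty) list even on the earliest error exit. */
static int mr_pool_destroy(struct list_head *pool)
{
    int freed = 0;

    while (!list_empty(pool)) {
        struct mr *mr = (struct mr *)pool->next;

        list_del(&mr->entry);
        free(mr);
        freed++;
    }
    return freed;
}

static int destroy_qp(struct qp *qp)
{
    int freed = mr_pool_destroy(&qp->rdma_mrs);

    freed += mr_pool_destroy(&qp->sig_mrs);
    free(qp);
    return freed;
}

/* fail_hw != 0 simulates the device-side step failing (assumed switch). */
static struct qp *create_qp(int fail_hw, int *err)
{
    struct qp *qp = calloc(1, sizeof(*qp));

    if (!qp) {
        *err = -ENOMEM;
        return NULL;
    }
    /* Initialise every list the cleanup path walks BEFORE any step that can
     * fail: calloc leaves both heads NULL, and an error exit through
     * destroy_qp taken earlier than this dereferences that NULL. */
    INIT_LIST_HEAD(&qp->rdma_mrs);
    INIT_LIST_HEAD(&qp->sig_mrs);

    if (fail_hw) {
        *err = -EIO;
        destroy_qp(qp);       /* safe: both heads are valid empty lists */
        return NULL;
    }
    *err = 0;
    return qp;
}

/* Error path: returns the error code; must not crash inside destroy_qp. */
static int demo_error_path(void)
{
    int err = 0;

    return create_qp(1, &err) ? 1 : err;   /* -EIO */
}

/* Success path: two MRs on rdma_mrs, one on sig_mrs, then teardown. */
static int demo_populate_and_destroy(void)
{
    int err = 0, i;
    struct qp *qp = create_qp(0, &err);

    if (!qp)
        return -1;
    for (i = 0; i < 3; i++) {
        struct mr *mr = calloc(1, sizeof(*mr));

        list_add(&mr->entry, i < 2 ? &qp->rdma_mrs : &qp->sig_mrs);
    }
    return destroy_qp(qp);   /* 3 */
}
```

The point the example makes is structural: the only thing that makes the early error exit safe is that INIT_LIST_HEAD runs before the first goto-style unwind, which is exactly the invariant the commit restores.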
  3. 11 Feb, 2020 1 commit
    • 
      RDMA/core: Fix invalid memory access in spec_filter_size · a72f4ac1
      Avihai Horon authored
      Add a check that the size specified in the flow spec header doesn't cause
      an overflow when calculating the filter size, and thus prevent access to
      invalid memory.  The following crash from syzkaller revealed it.
      
        kasan: CONFIG_KASAN_INLINE enabled
        kasan: GPF could be caused by NULL-ptr deref or user memory access
        general protection fault: 0000 [#1] SMP KASAN PTI
        CPU: 1 PID: 17834 Comm: syz-executor.3 Not tainted 5.5.0-rc5 #2
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
        rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
        RIP: 0010:memchr_inv+0xd3/0x330
        Code: 89 f9 89 f5 83 e1 07 0f 85 f9 00 00 00 49 89 d5 49 c1 ed 03 45 85
        ed 74 6f 48 89 d9 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 <80> 3c 01
        00 0f 85 0d 02 00 00 44 0f b6 e5 48 b8 01 01 01 01 01 01
        RSP: 0018:ffffc9000a13fa50 EFLAGS: 00010202
        RAX: dffffc0000000000 RBX: 7fff88810de9d820 RCX: 0ffff11021bd3b04
        RDX: 000000000000fff8 RSI: 0000000000000000 RDI: 7fff88810de9d820
        RBP: 0000000000000000 R08: ffff888110d69018 R09: 0000000000000009
        R10: 0000000000000001 R11: ffffed10236267cc R12: 0000000000000004
        R13: 0000000000001fff R14: ffff88810de9d820 R15: 0000000000000040
        FS:  00007f9ee0e51700(0000) GS:ffff88811b100000(0000)
        knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 0000000115ea0006 CR4: 0000000000360ee0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         spec_filter_size.part.16+0x34/0x50
         ib_uverbs_kern_spec_to_ib_spec_filter+0x691/0x770
         ib_uverbs_ex_create_flow+0x9ea/0x1b40
         ib_uverbs_write+0xaa5/0xdf0
         __vfs_write+0x7c/0x100
         vfs_write+0x168/0x4a0
         ksys_write+0xc8/0x200
         do_syscall_64+0x9c/0x390
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x465b49
        Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
        f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
        f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
        RSP: 002b:00007f9ee0e50c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
        RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000465b49
        RDX: 00000000000003a0 RSI: 00000000200007c0 RDI: 0000000000000004
        RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
        R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ee0e516bc
        R13: 00000000004ca2da R14: 000000000070deb8 R15: 00000000ffffffff
        Modules linked in:
        Dumping ftrace buffer:
           (ftrace buffer empty)
      
      Fixes: 94e03f11 ("IB/uverbs: Add support for flow tag")
      Link: https://lore.kernel.org/r/20200126171500.4623-1-leon@kernel.org
      Signed-off-by: Avihai Horon <avihaih@mellanox.com>
      Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
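The length 0xfff8 in RDX at the memchr_inv frame above is what an unsigned 16-bit subtraction looks like after it wraps: a declared size smaller than its own header. The added example below, user-space C written for this page rather than the kernel's uverbs flow-spec code, shows the unchecked computation beside a checked one and adds the usual second guard, that any filter bytes beyond what the parser understands must be zero. The struct spec_hdr layout, its field names and the known_len parameter are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical user-supplied flow-spec header: a type tag plus the total
 * size of the spec (header and filter together), both chosen by the caller.
 * Added example; layout and names are assumptions, not the kernel's structs. */
struct spec_hdr {
    uint32_t type;
    uint16_t size;        /* total bytes of this spec, header included */
    uint16_t reserved;
};

/* Unchecked: when size < sizeof(*hdr) the subtraction wraps to ~64 KiB and
 * a later scan of the "filter" walks far past the buffer. */
static uint16_t filter_size_unchecked(const struct spec_hdr *hdr)
{
    return (uint16_t)(hdr->size - sizeof(*hdr));
}

/* Checked: the declared size must at least hold the header and must not
 * exceed the bytes actually handed to us. Returns 0 and sets *filter_len,
 * or -1 for a malformed spec. */
static int filter_size_checked(const void *buf, size_t buf_len,
                               size_t *filter_len)
{
    const struct spec_hdr *hdr = buf;

    if (buf_len < sizeof(*hdr))
        return -1;                  /* not even a whole header */
    if (hdr->size < sizeof(*hdr))
        return -1;                  /* would underflow */
    if (hdr->size > buf_len)
        return -1;                  /* claims bytes we were never given */
    *filter_len = hdr->size - sizeof(*hdr);
    return 0;
}

/* Tolerance for newer user space: the filter may be longer than the fields
 * we understand (known_len) only if the surplus is all zero, since non-zero
 * bytes would be attributes silently ignored. Returns the byte count to
 * trust, or -1 on a malformed spec or a non-zero surplus. */
static long trusted_filter_len(const void *buf, size_t buf_len,
                               size_t known_len)
{
    size_t filter_len, i;
    const unsigned char *filter;

    if (filter_size_checked(buf, buf_len, &filter_len) < 0)
        return -1;
    filter = (const unsigned char *)buf + sizeof(struct spec_hdr);
    if (filter_len <= known_len)
        return (long)filter_len;
    for (i = known_len; i < filter_len; i++)
        if (filter[i] != 0)
            return -1;
    return (long)known_len;
}

/* Constructed inputs below. */
static uint16_t demo_underflow(void)
{
    struct spec_hdr hdr = { .type = 1, .size = 0 };

    return filter_size_unchecked(&hdr);   /* 0xfff8 */
}

static long demo_rejected(void)
{
    struct spec_hdr hdr = { .type = 1, .size = 0 };

    return trusted_filter_len(&hdr, sizeof(hdr), 8);   /* -1 */
}

static long demo_zero_padded(void)
{
    struct { struct spec_hdr hdr; unsigned char filter[16]; } spec = {
        .hdr = { .type = 1, .size = sizeof(spec) } };

    return trusted_filter_len(&spec, sizeof(spec), 8);   /* 8 */
}

static long demo_unknown_attr(void)
{
    struct { struct spec_hdr hdr; unsigned char filter[16]; } spec = {
        .hdr = { .type = 1, .size = sizeof(spec) } };

    spec.filter[12] = 0xff;            /* non-zero byte beyond known_len */
    return trusted_filter_len(&spec, sizeof(spec), 8);   /* -1 */
}
```

The three checks in filter_size_checked are independent and all needed: the first protects the header read itself, the second is the underflow the commit fixes, and the third stops a size that is internally consistent but larger than the copy the caller actually supplied.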
  4. 16 Jan, 2020 2 commits
  5. 13 Jan, 2020 9 commits
  6. 06 Nov, 2019 1 commit
  7. 16 Sep, 2019 1 commit
  8. 21 Aug, 2019 2 commits
  9. 04 Jul, 2019 1 commit
  10. 24 Jun, 2019 2 commits
  11. 21 Jun, 2019 1 commit
  12. 11 Jun, 2019 1 commit
  13. 27 May, 2019 2 commits
  14. 03 May, 2019 2 commits
  15. 08 Apr, 2019 1 commit
  16. 01 Apr, 2019 5 commits
  17. 28 Mar, 2019 1 commit
  18. 25 Feb, 2019 1 commit
  19. 22 Feb, 2019 1 commit
  20. 21 Feb, 2019 1 commit
    • 
      RDMA/uverbs: Store PR pointer before it is overwritten · 25fd08eb
      Leon Romanovsky authored
      The IB_MR_REREG_PD command rewrites mr->pd after a successful
      rereg_user_mr(); this change causes the usecnt information to be lost and
      produces the following warning:
      
       WARNING: CPU: 1 PID: 1771 at drivers/infiniband/core/verbs.c:336 ib_dealloc_pd+0x4e/0x60 [ib_core]
       CPU: 1 PID: 1771 Comm: rereg_mr Tainted: G        W  OE 5.0.0-rc7-for-upstream-perf-2019-02-20_14-03-40-34 #1
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
       RIP: 0010:ib_dealloc_pd+0x4e/0x60 [ib_core]
       RSP: 0018:ffffc90003923dc0 EFLAGS: 00010286
       RAX: 00000000ffffffff RBX: ffff88821f7f0400 RCX: ffff888236a40c00
       RDX: ffff88821f7f0400 RSI: 0000000000000001 RDI: 0000000000000000
       RBP: 0000000000000001 R08: ffff88835f665d80 R09: ffff8882209c90d8
       R10: ffff88835ec003e0 R11: 0000000000000000 R12: ffff888221680ba0
       R13: ffff888221680b00 R14: 00000000ffffffea R15: ffff88821f53c318
       FS:  00007f70db11e740(0000) GS:ffff88835f640000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000001dfd030 CR3: 000000029d9d8000 CR4: 00000000000006e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       Call Trace:
        uverbs_free_pd+0x2d/0x30 [ib_uverbs]
        destroy_hw_idr_uobject+0x16/0x40 [ib_uverbs]
        uverbs_destroy_uobject+0x28/0x170 [ib_uverbs]
        __uverbs_cleanup_ufile+0x6b/0x90 [ib_uverbs]
        uverbs_destroy_ufile_hw+0x8b/0x110 [ib_uverbs]
        ib_uverbs_close+0x1f/0x80 [ib_uverbs]
        __fput+0xb1/0x220
        task_work_run+0x7f/0xa0
        exit_to_usermode_loop+0x6b/0xb2
        do_syscall_64+0xc5/0x100
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: 0033:0x7f70dad00664
      
      Fixes: e278173f ("RDMA/core: Cosmetic change - move member initialization to correct block")
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Reviewed-by: Majd Dibbiny <majd@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
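The warning above is reference-count bookkeeping done in the wrong order: the pointer to the old PD is overwritten before that PD's usecnt is dropped, so the old PD still looks in use when the file is closed and its objects are torn down. The added example below (user-space C written for this page, not the kernel's ib_pd/ib_mr or rereg_user_mr) reproduces that ordering next to the corrected one; the struct names, the alloc_mr/dealloc_mr helpers and the -EBUSY return standing in for the kernel's WARN are assumptions.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical protection domain and memory region; only the reference
 * count the bug concerns is modelled. Added example, not the kernel's
 * ib_pd / ib_mr. */
struct pd {
    int usecnt;     /* objects (here: MRs) that still reference this PD */
};

struct mr {
    struct pd *pd;
};

static int alloc_mr(struct mr *mr, struct pd *pd)
{
    mr->pd = pd;
    pd->usecnt++;
    return 0;
}

/* Buggy order: mr->pd is replaced first, so the decrement that follows
 * lands on the new PD and the old PD's reference is never released. */
static int rereg_mr_pd_buggy(struct mr *mr, struct pd *new_pd)
{
    mr->pd = new_pd;
    mr->pd->usecnt--;
    new_pd->usecnt++;
    return 0;
}

/* Fixed order: remember the old PD before the pointer is overwritten. */
static int rereg_mr_pd_fixed(struct mr *mr, struct pd *new_pd)
{
    struct pd *old_pd = mr->pd;

    mr->pd = new_pd;
    old_pd->usecnt--;
    new_pd->usecnt++;
    return 0;
}

/* Stands in for ib_dealloc_pd(): a PD that still has users cannot go.
 * The kernel reports that condition with the WARNING shown above; here it
 * is an -EBUSY return (assumed). */
static int dealloc_pd(struct pd *pd)
{
    return pd->usecnt ? -EBUSY : 0;
}

static int dealloc_mr(struct mr *mr)
{
    mr->pd->usecnt--;
    mr->pd = NULL;
    return 0;
}

/* Runs alloc -> rereg -> teardown and returns dealloc_pd()'s verdict on
 * the ORIGINAL PD, the object the warning fires on. */
static int demo(int (*rereg)(struct mr *, struct pd *))
{
    struct pd pd_a = { 0 }, pd_b = { 0 };
    struct mr mr;

    alloc_mr(&mr, &pd_a);
    rereg(&mr, &pd_b);
    dealloc_mr(&mr);
    return dealloc_pd(&pd_a);
}

static int demo_buggy(void) { return demo(rereg_mr_pd_buggy); }  /* -EBUSY */
static int demo_fixed(void) { return demo(rereg_mr_pd_fixed); }  /* 0 */
```

In the buggy run pd_a is left with usecnt 1 and pd_b ends at -1: one leaked reference and one underflowed count from a single misordered assignment, which is why saving the old pointer before the overwrite is the whole fix.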
  21. 20 Feb, 2019 2 commits