| Message ID | 20180403223301.1835-1-roland@kernel.org (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
On Tue, Apr 03, 2018 at 03:33:01PM -0700, Roland Dreier wrote: > From: Roland Dreier <roland@purestorage.com> > > Check to make sure that ctx->cm_id->device is set before we use it. Otherwise > userspace can trigger a NULL dereference by doing RDMA_USER_CM_CMD_SET_OPTION > on an ID that is not bound to a device. > > Reported-by: syzbot+a67bc93e14682d92fc2f@syzkaller.appspotmail.com > Signed-off-by: Roland Dreier <roland@purestorage.com> > --- > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v4.16 > > drivers/infiniband/core/ucma.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c > index d933336d7e01..5c21ae237f82 100644 > +++ b/drivers/infiniband/core/ucma.c > @@ -1241,6 +1241,9 @@ static int ucma_set_ib_path(struct ucma_context *ctx, > if (!optlen) > return -EINVAL; > > + if (!ctx->cm_id->device) > + return -EINVAL; > + > memset(&sa_path, 0, sizeof(sa_path)); > > sa_path.rec_type = SA_PATH_REC_TYPE_IB; Applied to for-next with a CC stable. I also audited the rest of this file for cm_id->device NULL and will send a little patch with those results too.. Jason -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c index d933336d7e01..5c21ae237f82 100644 --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1241,6 +1241,9 @@ static int ucma_set_ib_path(struct ucma_context *ctx, if (!optlen) return -EINVAL; + if (!ctx->cm_id->device) + return -EINVAL; + memset(&sa_path, 0, sizeof(sa_path)); sa_path.rec_type = SA_PATH_REC_TYPE_IB;