From: Roland Dreier
To: Doug Ledford, Jason Gunthorpe, Leon Romanovsky
Cc: linux-rdma@vger.kernel.org
Subject: [PATCH] RDMA/ucma: Don't allow setting RDMA_OPTION_IB_PATH without an RDMA device
Date: Tue, 3 Apr 2018 15:33:01 -0700
Message-Id: <20180403223301.1835-1-roland@kernel.org>
X-Patchwork-Id: 10321835

From: Roland Dreier

Check to make sure that ctx->cm_id->device is set before we use it.
Otherwise userspace can trigger a NULL dereference by doing
RDMA_USER_CM_CMD_SET_OPTION on an ID that is not bound to a device.

Reported-by: syzbot+a67bc93e14682d92fc2f@syzkaller.appspotmail.com
Signed-off-by: Roland Dreier
---
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v4.16

 drivers/infiniband/core/ucma.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c index d933336d7e01..5c21ae237f82 100644 --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1241,6 +1241,9 @@ static int ucma_set_ib_path(struct ucma_context *ctx, if (!optlen) return -EINVAL; + if (!ctx->cm_id->device) + return -EINVAL; + memset(&sa_path, 0, sizeof(sa_path)); sa_path.rec_type = SA_PATH_REC_TYPE_IB;
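Review bot: The new "if (!ctx->cm_id->device)" check in ucma_set_ib_path() returns -EINVAL, the same errno as the "!optlen" case directly above it, so userspace cannot tell a malformed option buffer from an ID that is simply not bound to a device yet. Consider -ENODEV for the unbound case, or a short comment on the check saying why -EINVAL was chosen. The commit message describes a NULL dereference that userspace can trigger through RDMA_USER_CM_CMD_SET_OPTION, but it carries no Fixes: or stable tag; adding them would help the fix reach older kernels. The hunk does not show where ctx->cm_id->device is used after the memset, so a one-line comment naming that use would make the reason for the guard clear to later readers. It is also worth checking whether other option handlers reached from the same command assume a bound device.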