From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzkaller, Noa Osherovich, Leon Romanovsky, Jason Gunthorpe, Sudip Mukherjee
Subject: [PATCH 4.14 227/246] RDMA/uverbs: Protect from attempts to create flows on unsupported QP
Date: Wed, 1 Aug 2018 18:52:17 +0200
Message-Id: <20180801165022.586543029@linuxfoundation.org>
In-Reply-To: <20180801165011.700991984@linuxfoundation.org>
References: <20180801165011.700991984@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky commit 940efcc8889f0d15567eb07fc9fd69b06e366aa5 upstream. Flows can be created on UD and RAW_PACKET QP types. Attempts to provide other QP types as an input causes to various unpredictable failures. The reason is that in order to support all various types (e.g. XRC), we are supposed to use real_qp handle and not qp handle and expect to driver/FW to fail such (XRC) flows. The simpler and safer variant is to ban all QP types except UD and RAW_PACKET, instead of relying on driver/FW. Cc: # 3.11 Fixes: 436f2ad05a0b ("IB/core: Export ib_create/destroy_flow through uverbs") Cc: syzkaller Reported-by: Noa Osherovich Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/core/uverbs_cmd.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -3376,6 +3376,11 @@ int ib_uverbs_ex_create_flow(struct ib_u goto err_uobj; } + if (qp->qp_type != IB_QPT_UD && qp->qp_type != IB_QPT_RAW_PACKET) { + err = -EINVAL; + goto err_put; + } + flow_attr = kzalloc(sizeof(*flow_attr) + cmd.flow_attr.num_of_specs * sizeof(union ib_flow_spec), GFP_KERNEL); if (!flow_attr) {
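
Review bot: the new qp_type check in ib_uverbs_ex_create_flow() leaves through err_put with -EINVAL before flow_attr has been allocated by the kzalloc() that follows, so err_put must release only what was taken up to that point and must not free or dereference flow_attr; the label's cleanup is outside the visible context and is worth confirming against this new entry point. The reason for allowing only IB_QPT_UD and IB_QPT_RAW_PACKET (other types such as XRC would need the real_qp handle rather than the qp handle) is stated only in the commit message, so a short comment above the `if` would keep the allow-list from being widened later without that context.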