Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3760471pxk; Tue, 29 Sep 2020 05:44:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzEn222KeioHsbNXukEmc3XHHbupWmwgLu8PmdtyqgJgqvczi8YHFuQ8NawBX0y7udDO21l X-Received: by 2002:a17:906:719a:: with SMTP id h26mr3763892ejk.336.1601383462404; Tue, 29 Sep 2020 05:44:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601383462; cv=none; d=google.com; s=arc-20160816; b=plNf8hs1GEAlEgWlbz9OOajR0kkcS+88YlqbFul6JfrFP8R6Qwp9qhTIvs4BWf1LwV m2OVpYx4uraCi5cvKgK/AiDRbOMrkBJn4sV+YgxPyuhS+6icWRc8pr9BuN+7SFUTI0TV /AzL3MIYsYqXIh0yDH/0mpd8HVGm2ySiNf34vHs7wmWBwHJ75eXefnuE3sDpXmg/1ls/ CQqKl9lfeWRtQBDbvtd29t4GRdL164JP1ExYzgPA7dLQqigGuztz2MfhjEGZZ7wIL6zu TLTEHdVOq+TmVF4WWLPP45Nxo8omYsalEfF26H6qH7l44x1vXA5Z2cG27A40PdFE58DA AdaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=6DyBvh5iLosIA4mwhrW+5UsIqSezXKG5PdP0U22X17A=; b=yaOvJKEspuh+dwselDA0mhPUM1Vc9DW3Z869mStEJkHA3y3akpSC7WESmvgvyoKV7S KHJ4kEmsdPjDi1Bq3poSLiNNIcP9stUOiSbQzSmx9nOgjwtdWxgoZnB98L/KGasORhcF gl730FLjWBRVjzi7OuqDzEWAkAO1qSOGl411xc8uegSgcGz6aZynh8qLX5DhafH8O9Rt pl7So/aIRYo7yNAyCggWyqShaxbW7N7SiI+dQWrtztArUbs9+9Wp1pA4hnQFhg5W5t97 ni6hH1FTn5QBcPrdrZl8rPGkMRuse1F9ia4OAr4EkO+Zr0L6n62ZDjii0B0v/lYw1vKg oHDQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=hapPsaMx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g8si2754903edw.77.2020.09.29.05.43.59; Tue, 29 Sep 2020 05:44:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=hapPsaMx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732789AbgI2Mlf (ORCPT + 99 others); Tue, 29 Sep 2020 08:41:35 -0400 Received: from mail.kernel.org ([198.145.29.99]:55400 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728629AbgI2LNM (ORCPT ); Tue, 29 Sep 2020 07:13:12 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 15907208FE; Tue, 29 Sep 2020 11:13:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601377991; bh=R7udU7qjbVJXNkZIZ23f31Yog5VwT1i1S/jbgDaczaA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hapPsaMxQIOnsws92/fWUuoI77MNcd4IQpHjfrZWAjDOTiLUeJrUODgWw7LTFi2Ho dPeeRBGqg/zns8m8DBFMpJM1o0kOFS5yo7mHphZkz+uncoPFCLxTzwcIqOpcKjuylV gv1awv09PEJ3Qu2jqBxWQwT+gA8cNCFsnlFfgGSs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Shamir Rabinovitch , Leon Romanovsky , Jason Gunthorpe , "Nobuhiro Iwamatsu (CIP)" , Sasha Levin Subject: [PATCH 4.14 006/166] RDMA/ucma: ucma_context reference leak in error path Date: Tue, 29 Sep 2020 12:58:38 +0200 Message-Id: <20200929105935.510507124@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200929105935.184737111@linuxfoundation.org> References: <20200929105935.184737111@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Shamir Rabinovitch commit ef95a90ae6f4f21990e1f7ced6719784a409e811 upstream. Validating input parameters should be done before getting the cm_id otherwise it can leak a cm_id reference. Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size") Signed-off-by: Shamir Rabinovitch Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe [iwamatsu: Backported to 4.4, 4.9 and 4.14: adjust context] Signed-off-by: Nobuhiro Iwamatsu (CIP) Signed-off-by: Sasha Levin --- drivers/infiniband/core/ucma.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1315,13 +1315,13 @@ static ssize_t ucma_set_option(struct uc if (copy_from_user(&cmd, inbuf, sizeof(cmd))) return -EFAULT; + if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) + return -EINVAL; + ctx = ucma_get_ctx(file, cmd.id); if (IS_ERR(ctx)) return PTR_ERR(ctx); - if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) - return -EINVAL; - optval = memdup_user((void __user *) (unsigned long) cmd.optval, cmd.optlen); if (IS_ERR(optval)) {