1. 21 Sep, 2019 1 commit
  2. 25 Jul, 2019 1 commit
  3. 09 Jul, 2019 1 commit
    • Dag Moxnes's avatar
      RDMA/core: Fix race when resolving IP address · d8d9ec7d
      Dag Moxnes authored
      Use the neighbour lock when copying the MAC address from the neighbour
      data struct in dst_fetch_ha.
      
      When not using the lock, it is possible for the function to race with
      neigh_update(), causing it to copy an torn MAC address:
      
      rdma_resolve_addr()
        rdma_resolve_ip()
          addr_resolve()
            addr_resolve_neigh()
              fetch_ha()
                dst_fetch_ha()
      	     memcpy(dev_addr->dst_dev_addr, n->ha, MAX_ADDR_LEN)
      
      and
      
      net_ioctl()
        arp_ioctl()
          arp_rec_delete()
            arp_invalidate()
              neigh_update()
                __neigh_update()
      	    memcpy(&neigh->ha, lladdr, dev->addr_len)
      
      It is possible to provoke this error by calling rdma_resolve_addr() in a
      tight loop, while deleting the corresponding ARP entry in another tight
      loop.
      
      Fixes: 51d45974
      
       ("infiniband: addr: Consolidate code to fetch neighbour hardware address from dst.")
      Signed-off-by: default avatarDag Moxnes <dag.moxnes@oracle.com>
      Signed-off-by: default avatarHåkon Bugge <haakon.bugge@oracle.com>
      Reviewed-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      d8d9ec7d
  4. 14 May, 2019 1 commit
  5. 03 May, 2019 1 commit
  6. 27 Apr, 2019 1 commit
    • Johannes Berg's avatar
      netlink: make validation more configurable for future strictness · 8cb08174
      Johannes Berg authored
      
      
      We currently have two levels of strict validation:
      
       1) liberal (default)
           - undefined (type >= max) & NLA_UNSPEC attributes accepted
           - attribute length >= expected accepted
           - garbage at end of message accepted
       2) strict (opt-in)
           - NLA_UNSPEC attributes accepted
           - attribute length >= expected accepted
      
      Split out parsing strictness into four different options:
       * TRAILING     - check that there's no trailing data after parsing
                        attributes (in message or nested)
       * MAXTYPE      - reject attrs > max known type
       * UNSPEC       - reject attributes with NLA_UNSPEC policy entries
       * STRICT_ATTRS - strictly validate attribute size
      
      The default for future things should be *everything*.
      The current *_strict() is a combination of TRAILING and MAXTYPE,
      and is renamed to _deprecated_strict().
      The current regular parsing has none of this, and is renamed to
      *_parse_deprecated().
      
      Additionally it allows us to selectively set one of the new flags
      even on old policies. Notably, the UNSPEC flag could be useful in
      this case, since it can be arranged (by filling in the policy) to
      not be an incompatible userspace ABI change, but would then going
      forward prevent forgetting attribute entries. Similar can apply
      to the POLICY flag.
      
      We end up with the following renames:
       * nla_parse           -> nla_parse_deprecated
       * nla_parse_strict    -> nla_parse_deprecated_strict
       * nlmsg_parse         -> nlmsg_parse_deprecated
       * nlmsg_parse_strict  -> nlmsg_parse_deprecated_strict
       * nla_parse_nested    -> nla_parse_nested_deprecated
       * nla_validate_nested -> nla_validate_nested_deprecated
      
      Using spatch, of course:
          @@
          expression TB, MAX, HEAD, LEN, POL, EXT;
          @@
          -nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
          +nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
      
          @@
          expression NLH, HDRLEN, TB, MAX, POL, EXT;
          @@
          -nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
          +nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
      
          @@
          expression NLH, HDRLEN, TB, MAX, POL, EXT;
          @@
          -nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
          +nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
      
          @@
          expression TB, MAX, NLA, POL, EXT;
          @@
          -nla_parse_nested(TB, MAX, NLA, POL, EXT)
          +nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
      
          @@
          expression START, MAX, POL, EXT;
          @@
          -nla_validate_nested(START, MAX, POL, EXT)
          +nla_validate_nested_deprecated(START, MAX, POL, EXT)
      
          @@
          expression NLH, HDRLEN, MAX, POL, EXT;
          @@
          -nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
          +nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
      
      For this patch, don't actually add the strict, non-renamed versions
      yet so that it breaks compile if I get it wrong.
      
      Also, while at it, make nla_validate and nla_parse go down to a
      common __nla_validate_parse() function to avoid code duplication.
      
      Ultimately, this allows us to have very strict validation for every
      new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
      next patch, while existing things will continue to work as is.
      
      In effect then, this adds fully strict validation for any new command.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8cb08174
  7. 08 Apr, 2019 1 commit
  8. 29 Mar, 2019 1 commit
  9. 16 Oct, 2018 2 commits
  10. 04 Oct, 2018 1 commit
  11. 03 Oct, 2018 1 commit
  12. 19 Sep, 2018 1 commit
  13. 12 Sep, 2018 10 commits
  14. 06 Sep, 2018 1 commit
  15. 31 Jul, 2018 1 commit
  16. 29 Jun, 2018 1 commit
  17. 18 Apr, 2018 3 commits
  18. 29 Mar, 2018 1 commit
  19. 28 Mar, 2018 1 commit
    • Roland Dreier's avatar
      RDMA/ucma: Introduce safer rdma_addr_size() variants · 84652aef
      Roland Dreier authored
      
      
      There are several places in the ucma ABI where userspace can pass in a
      sockaddr but set the address family to AF_IB.  When that happens,
      rdma_addr_size() will return a size bigger than sizeof struct sockaddr_in6,
      and the ucma kernel code might end up copying past the end of a buffer
      not sized for a struct sockaddr_ib.
      
      Fix this by introducing new variants
      
          int rdma_addr_size_in6(struct sockaddr_in6 *addr);
          int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);
      
      that are type-safe for the types used in the ucma ABI and return 0 if the
      size computed is bigger than the size of the type passed in.  We can use
      these new variants to check what size userspace has passed in before
      copying any addresses.
      
      Reported-by: <syzbot+6800425d54ed3ed8135d@syzkaller.appspotmail.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      84652aef
  20. 27 Mar, 2018 1 commit
    • Jason Gunthorpe's avatar
      RDMA/rdma_cm: Fix use after free race with process_one_req · 9137108c
      Jason Gunthorpe authored
      process_one_req() can race with rdma_addr_cancel():
      
                 CPU0                                 CPU1
                 ====                                 ====
       process_one_work()
        debug_work_deactivate(work);
        process_one_req()
                                              rdma_addr_cancel()
      	                                  mutex_lock(&lock);
       			    	           set_timeout(&req->work,..);
                                                    __queue_work()
      				   	       debug_work_activate(work);
      	                                  mutex_unlock(&lock);
      
         mutex_lock(&lock);
      [..]
      	list_del(&req->list);
         mutex_unlock(&lock);
      [..]
      
         // ODEBUG explodes since the work is still queued.
         kfree(req);
      
      Causing ODEBUG to detect the use after free:
      
      ODEBUG: free active (active state 0) object type: work_struct hint: process_one_req+0x0/0x6c0 include/net/dst.h:165
      WARNING: CPU: 0 PID: 79 at lib/debugobjects.c:291 debug_print_object+0x166/0x220 lib/debugobjects.c:288
      kvm: emulating exchange as write
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 0 PID: 79 Comm: kworker/u4:3 Not tainted 4.16.0-rc6+ #361
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: ib_addr process_one_req
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x24d lib/dump_stack.c:53
       panic+0x1e4/0x41c kernel/panic.c:183
       __warn+0x1dc/0x200 kernel/panic.c:547
       report_bug+0x1f4/0x2b0 lib/bug.c:186
       fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
       fixup_bug arch/x86/kernel/traps.c:247 [inline]
       do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
       do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
       invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
      RIP: 0010:debug_print_object+0x166/0x220 lib/debugobjects.c:288
      RSP: 0000:ffff8801d966f210 EFLAGS: 00010086
      RAX: dffffc0000000008 RBX: 0000000000000003 RCX: ffffffff815acd6e
      RDX: 0000000000000000 RSI: 1ffff1003b2cddf2 RDI: 0000000000000000
      RBP: ffff8801d966f250 R08: 0000000000000000 R09: 1ffff1003b2cddc8
      R10: ffffed003b2cde71 R11: ffffffff86f39a98 R12: 0000000000000001
      R13: ffffffff86f15540 R14: ffffffff86408700 R15: ffffffff8147c0a0
       __debug_check_no_obj_freed lib/debugobjects.c:745 [inline]
       debug_check_no_obj_freed+0x662/0xf1f lib/debugobjects.c:774
       kfree+0xc7/0x260 mm/slab.c:3799
       process_one_req+0x2e7/0x6c0 drivers/infiniband/core/addr.c:592
       process_one_work+0xc47/0x1bb0 kernel/workqueue.c:2113
       worker_thread+0x223/0x1990 kernel/workqueue.c:2247
       kthread+0x33c/0x400 kernel/kthread.c:238
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406
      
      Fixes: 5fff41e1
      
       ("IB/core: Fix race condition in resolving IP to MAC")
      Reported-by: <syzbot+3b4acab09b6463472d0a@syzkaller.appspotmail.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      9137108c
  21. 15 Mar, 2018 1 commit
  22. 28 Feb, 2018 1 commit
    • Muneendra Kumar M's avatar
      IB/core : Add null pointer check in addr_resolve · 4cd482c1
      Muneendra Kumar M authored
      dev_get_by_index is being called in addr_resolve
      function which returns NULL and NULL pointer access
      leads to kernel crash.
      
      Following call trace is observed while running
      rdma_lat test application
      
      [  146.173149] BUG: unable to handle kernel NULL pointer dereference
      at 00000000000004a0
      [  146.173198] IP: addr_resolve+0x9e/0x3e0 [ib_core]
      [  146.173221] PGD 0 P4D 0
      [  146.173869] Oops: 0000 [#1] SMP PTI
      [  146.182859] CPU: 8 PID: 127 Comm: kworker/8:1 Tainted: G  O 4.15.0-rc6+ #18
      [  146.183758] Hardware name: LENOVO System x3650 M5: -[8871AC1]-/01KN179,
       BIOS-[TCE132H-2.50]- 10/11/2017
      [  146.184691] Workqueue: ib_cm cm_work_handler [ib_cm]
      [  146.185632] RIP: 0010:addr_resolve+0x9e/0x3e0 [ib_core]
      [  146.186584] RSP: 0018:ffffc9000362faa0 EFLAGS: 00010246
      [  146.187521] RAX: 000000000000001b RBX: ffffc9000362fc08 RCX:
      0000000000000006
      [  146.188472] RDX: 0000000000000000 RSI: 0000000000000096 RDI
      : ffff88087fc16990
      [  146.189427] RBP: ffffc9000362fb18 R08: 00000000ffffff9d R09:
      00000000000004ac
      [  146.190392] R10: 00000000000001e7 R11: 0000000000000001 R12:
      ffff88086af2e090
      [  146.191361] R13: 0000000000000000 R14: 0000000000000001 R15:
      00000000ffffff9d
      [  146.192327] FS:  0000000000000000(0000) GS:ffff88087fc00000(0000)
      knlGS:0000000000000000
      [  146.193301] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  146.194274] CR2: 00000000000004a0 CR3: 000000000220a002 CR4:
      00000000003606e0
      [  146.195258] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
      0000000000000000
      [  146.196256] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
      0000000000000400
      [  146.197231] Call Trace:
      [  146.198209]  ? rdma_addr_register_client+0x30/0x30 [ib_core]
      [  146.199199]  rdma_resolve_ip+0x1af/0x280 [ib_core]
      [  146.200196]  rdma_addr_find_l2_eth_by_grh+0x154/0x2b0 [ib_core]
      
      The below patch adds the missing NULL pointer check
      returned by dev_get_by_index before accessing the netdev to
      avoid kernel crash.
      
      We observed the below crash when we try to do the below test.
      
       server                       client
       ---------                    ---------
       |1.1.1.1|<----rxe-channel--->|1.1.1.2|
       ---------                    ---------
      
      On server: rdma_lat -c -n 2 -s 1024
      On client:rdma_lat 1.1.1.1 -c -n 2 -s 1024
      
      Fixes: 20029832
      
       ("IB/core: Validate route when we init ah")
      Signed-off-by: default avatarMuneendra <muneendra.kumar@broadcom.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      4cd482c1
  23. 18 Dec, 2017 5 commits
  24. 13 Nov, 2017 1 commit