On Mon, Oct 30, 2017 at 10:24:35PM -0600, Jason Gunthorpe wrote:
> On Tue, Oct 31, 2017 at 03:16:42AM +0000, Parav Pandit wrote:
> 
> > I am yet to review my below patch with Dan as he did most security
> > dev, but I suspect this might be the cause where rmpp list is not
> > initialized and mad processing is continued when security check
> > fails.
> 
> This patch sure looks needed to me, ib_free_recv_mad touches
> rmpp_list, so if it needs initialization then it certainly has to be
> done earlier..

Right, it aligns with my analysis too.

> Adding the new return sure makes a lot of sense as well..
> 
> Hal, Ira, would you check this routine too? kernel oopses are bad..
> 
> > diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
> > index f8f53bb..cb91245 100644
> > +++ b/drivers/infiniband/core/mad.c
> > @@ -1974,14 +1974,15 @@ static void ib_mad_complete_recv(struct ib_mad_agent_private *mad_agent_priv,
> >  	unsigned long flags;
> >  	int ret;
> >  
> > +	INIT_LIST_HEAD(&mad_recv_wc->rmpp_list);
> >  	ret = ib_mad_enforce_security(mad_agent_priv,
> >  				      mad_recv_wc->wc->pkey_index);
> >  	if (ret) {
> >  		ib_free_recv_mad(mad_recv_wc);
> >  		deref_mad_agent(mad_agent_priv);
> > +		return;
> >  	}
> >  
> > -	INIT_LIST_HEAD(&mad_recv_wc->rmpp_list);
> >  	list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list);
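Review bot: the added `return;` is the more important of the two changes and deserves its own sentence in the commit message: without it, the `if (ret)` block falls through to `list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list)` on a `mad_recv_wc` that `ib_free_recv_mad()` has just released, which is a use-after-free on the security-denied path, independent of the list initialisation. Moving `INIT_LIST_HEAD(&mad_recv_wc->rmpp_list)` above `ib_mad_enforce_security()` fixes the second problem the thread describes, `ib_free_recv_mad()` walking an uninitialised `rmpp_list` on that same path; both hunks are needed together, so please describe both in the changelog and add a Fixes: tag pointing at the commit that introduced the `ib_mad_enforce_security()` check. Also note the hunk as pasted here is missing its `--- a/drivers/infiniband/core/mad.c` header line, so make sure the submitted patch carries the full header.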