On 10/31/2017 12:24 AM, Jason Gunthorpe wrote:
> On Tue, Oct 31, 2017 at 03:16:42AM +0000, Parav Pandit wrote:
>
>> I am yet to review my below patch with Dan as he did most security
>> dev, but I suspect this might be the cause where rmpp list is not
>> initialized and mad processing is continued when security check
>> fails.
>
> This patch sure looks needed to me, ib_free_recv_mad touches
> rmpp_list, so if it needs initialization then it certainly has to be
> done earlier..

Agreed.

> Adding the new return sure makes a lot of sense as well..
>
> Hal, Ira, would you check this routine too? kernel oopses are bad..

Patch looks needed for just the point that Parav made above (that if security check fails, then ib_free_recv_mad will cause the mad_recv_wc->rmpp_list to be accessed so it needs to be initialized before security is enforced).

I don't have mthca to try this. Maybe Chris can try this patch (with CONFIG_SECURITY_INFINIBAND=y).

-- Hal

>> diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c >> index f8f53bb..cb91245 100644 >> +++ b/drivers/infiniband/core/mad.c >> @@ -1974,14 +1974,15 @@ static void ib_mad_complete_recv(struct ib_mad_agent_private *mad_agent_priv, >> unsigned long flags; >> int ret; >> >> + INIT_LIST_HEAD(&mad_recv_wc->rmpp_list); >> ret = ib_mad_enforce_security(mad_agent_priv, >> mad_recv_wc->wc->pkey_index); >> if (ret) { >> ib_free_recv_mad(mad_recv_wc); >> deref_mad_agent(mad_agent_priv); >> + return; >> } >> >> - INIT_LIST_HEAD(&mad_recv_wc->rmpp_list); >> list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list);

> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
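
Review bot: in the ib_mad_complete_recv() hunk of mad.c, the list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list) line is left below the security check, so on the failure path ib_free_recv_mad() is handed an rmpp_list that is initialized but still empty. If ib_free_recv_mad() releases the receive buffer by walking rmpp_list, as the thread's remark that it "touches rmpp_list" suggests, the buffer for a MAD that fails pkey enforcement would never be on the list when the free runs. Please check that path and consider moving the list_add up together with INIT_LIST_HEAD so both precede ib_mad_enforce_security(). The added "return;" is needed independently: without it the function falls through after ib_free_recv_mad() and deref_mad_agent() and continues to use mad_recv_wc and mad_agent_priv. The changelog should state both effects, and since the failure path only runs when the security check rejects the MAD, it should also say the fix was exercised with CONFIG_SECURITY_INFINIBAND=y.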