Re: 4.13 ib_mthca NULL pointer dereference with OpenSM

On 10/31/2017 7:49 AM, Hal Rosenstock wrote:
> On 10/31/2017 12:24 AM, Jason Gunthorpe wrote:
>> On Tue, Oct 31, 2017 at 03:16:42AM +0000, Parav Pandit wrote:
>>
>>> I am yet to review my below patch with Dan as he did most security
>>> dev, but I suspect this might be the cause where rmpp list is not
>>> initialized and mad processing is continued when security check
>>> fails.
>> This patch sure looks needed to me, ib_free_recv_mad touches
>> rmpp_list, so if it needs initialization then it certainly has to be
>> done earlier..
> Agreed.
>
>> Adding the new return sure makes a lot of sense as well..
>>
>> Hal, Ira, would you check this routine too? kernel oopses are bad..
> Patch looks needed for just the point that Parav made above (that if
> security check fails, then ib_free_recv_mad will cause the
> mad_recv_wc->rmpp_list to be accessed so it needs to be initialized
> before security is enforced).

Agree the patch is needed regardless.

>
> I don't have mthca to try this. Maybe Chris can try this patch (with
> CONFIG_SECURITY_INFINIBAND=y).

Chris, are you running with SELinux enabled? If this addresses your issue it means permission is denied, so once the crash is resolved additional policy will be required in order for it to work as expected.

> -- Hal
>
>>> diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
>>> index f8f53bb..cb91245 100644
>>> +++ b/drivers/infiniband/core/mad.c
>>> @@ -1974,14 +1974,15 @@ static void ib_mad_complete_recv(struct ib_mad_agent_private *mad_agent_priv,
>>>         unsigned long flags;
>>>         int ret;
>>>
>>> +       INIT_LIST_HEAD(&mad_recv_wc->rmpp_list);
>>>         ret = ib_mad_enforce_security(mad_agent_priv,
>>>                                       mad_recv_wc->wc->pkey_index);
>>>         if (ret) {
>>>                 ib_free_recv_mad(mad_recv_wc);
>>>                 deref_mad_agent(mad_agent_priv);
>>> +               return;
>>>         }
>>>
>>> -       INIT_LIST_HEAD(&mad_recv_wc->rmpp_list);
>>>         list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list);
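
Review bot: In the `if (ret)` branch, `rmpp_list` is initialized but still empty when `ib_free_recv_mad(mad_recv_wc)` runs, because `list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list)` stays below the security check. Since ib_free_recv_mad works from rmpp_list, please confirm that the receive buffer is still released on this path when the list has no entries; if it is not, moving the list_add above the ib_mad_enforce_security() call along with the INIT_LIST_HEAD would let the denied MAD be freed the normal way. The changelog should also call out the added `return;` as a fix in its own right, because without it the function continued past the closing brace and reached the list_add on a mad_recv_wc that had just been handed to ib_free_recv_mad, after deref_mad_agent had already dropped the agent reference.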

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


