From: Roland Dreier <roland@xxxxxxxxxxxxxxx> Check to make sure that ctx->cm_id->device is set before we use it. Otherwise userspace can trigger a NULL dereference by doing RDMA_USER_CM_CMD_SET_OPTION on an ID that is not bound to a device. Reported-by: syzbot+a67bc93e14682d92fc2f@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Roland Dreier <roland@xxxxxxxxxxxxxxx> --- #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v4.16 drivers/infiniband/core/ucma.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c index d933336d7e01..5c21ae237f82 100644 --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1241,6 +1241,9 @@ static int ucma_set_ib_path(struct ucma_context *ctx, if (!optlen) return -EINVAL; + if (!ctx->cm_id->device) + return -EINVAL; + memset(&sa_path, 0, sizeof(sa_path)); sa_path.rec_type = SA_PATH_REC_TYPE_IB; -- 2.15.1 -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
