This is a note to let you know that I've just added the patch titled RDMA/ucma: Check that user doesn't overflow QP state to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From a5880b84430316e3e1c1f5d23aa32ec6000cc717 Mon Sep 17 00:00:00 2001 From: Leon Romanovsky <leonro@xxxxxxxxxxxx> Date: Wed, 7 Mar 2018 18:49:16 +0200 Subject: RDMA/ucma: Check that user doesn't overflow QP state From: Leon Romanovsky <leonro@xxxxxxxxxxxx> commit a5880b84430316e3e1c1f5d23aa32ec6000cc717 upstream. The QP state is limited and declared in enum ib_qp_state, but ucma user was able to supply any possible (u32) value. Reported-by: syzbot+0df1ab766f8924b1edba@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace") Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx> Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/infiniband/core/ucma.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1148,6 +1148,9 @@ static ssize_t ucma_init_qp_attr(struct if (copy_from_user(&cmd, inbuf, sizeof(cmd))) return -EFAULT; + if (cmd.qp_state > IB_QPS_ERR) + return -EINVAL; + ctx = ucma_get_ctx(file, cmd.id); if (IS_ERR(ctx)) return PTR_ERR(ctx); Patches currently in stable-queue which might be from leonro@xxxxxxxxxxxx are queue-4.14/rdma-ucma-limit-possible-option-size.patch queue-4.14/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch queue-4.14/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch