This is a note to let you know that I've just added the patch titled
RDMA/ucma: Check that user doesn't overflow QP state
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From a5880b84430316e3e1c1f5d23aa32ec6000cc717 Mon Sep 17 00:00:00 2001
From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
Date: Wed, 7 Mar 2018 18:49:16 +0200
Subject: RDMA/ucma: Check that user doesn't overflow QP state
From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
commit a5880b84430316e3e1c1f5d23aa32ec6000cc717 upstream.
The QP state is limited and declared in enum ib_qp_state,
but ucma user was able to supply any possible (u32) value.
Reported-by: syzbot+0df1ab766f8924b1edba@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/infiniband/core/ucma.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1148,6 +1148,9 @@ static ssize_t ucma_init_qp_attr(struct
if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
return -EFAULT;
+ if (cmd.qp_state > IB_QPS_ERR)
+ return -EINVAL;
+
ctx = ucma_get_ctx(file, cmd.id);
if (IS_ERR(ctx))
return PTR_ERR(ctx);
Patches currently in stable-queue which might be from leonro@xxxxxxxxxxxx are
queue-4.14/rdma-ucma-limit-possible-option-size.patch
queue-4.14/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch
queue-4.14/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch