Re: [PATCH 4.14-stable] RDMA/i40iw: Address an mmap handler exploit in i40iw

On Wed, Dec 02, 2020 at 11:20:09AM -0600, Shiraz Saleem wrote:
> From: "Saleem, Shiraz" <shiraz.saleem@xxxxxxxxx>
> 
> backport of commit 2ed381439e89fa6d1a0839ef45ccd45d99d8e915 upstream.
> 
> i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page mmap
> vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range
> without any validation. This is vulnerable to an mmap exploit as described
> in: https://lore.kernel.org/r/20201119093523.7588-1-zhudi21@xxxxxxxxxx
> 
> The push feature is disabled in the driver currently and therefore no push
> mmaps are issued from user-space. The feature does not work as expected in
> the x722 product.
> 
> Remove the push module parameter and all VMA attribute manipulations for
> this feature in i40iw_mmap. Update i40iw_mmap to only allow DB user
> mmappings at offset = 0. Check vm_pgoff for zero and if the mmaps are bound
> to a single page.
> 
> Fixes: d37498417947 ("i40iw: add files for iwarp interface")
> Link: https://lore.kernel.org/r/20201125005616.1800-2-shiraz.saleem@xxxxxxxxx
> Reported-by: Di Zhu <zhudi21@xxxxxxxxxx>
> Signed-off-by: Shiraz Saleem <shiraz.saleem@xxxxxxxxx>
> ---
>  drivers/infiniband/hw/i40iw/i40iw_main.c  |  5 -----
>  drivers/infiniband/hw/i40iw/i40iw_verbs.c | 36 ++++++-------------------------
>  2 files changed, 7 insertions(+), 34 deletions(-)

All backports now queued up, thanks.

greg k-h
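
A user-space model of the check the quoted commit message describes, added here as an example; it is not code from the patch or the i40iw driver. The struct, the function names, the pfn value, and the simplification that the pfn is a base plus vm_pgoff are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096UL
#define MODEL_DB_PFN    0x80000UL  /* constructed pfn of the one-page doorbell region */

/* Hypothetical stand-in for the struct vm_area_struct fields the handler reads. */
struct model_vma {
    unsigned long vm_start, vm_end;
    unsigned long vm_pgoff;        /* caller-controlled: mmap() offset in pages */
};

/* Pattern the commit message describes as unsafe: pfn derived from vm_pgoff unchecked. */
static int model_mmap_unchecked(const struct model_vma *vma,
                                unsigned long *pfn, unsigned long *len)
{
    *pfn = MODEL_DB_PFN + vma->vm_pgoff;
    *len = vma->vm_end - vma->vm_start;
    return 0;
}

/* Pattern the commit message describes as the fix: offset 0 and exactly one page. */
static int model_mmap_checked(const struct model_vma *vma,
                              unsigned long *pfn, unsigned long *len)
{
    if (vma->vm_pgoff != 0 || vma->vm_end - vma->vm_start != MODEL_PAGE_SIZE)
        return -EINVAL;
    *pfn = MODEL_DB_PFN;
    *len = MODEL_PAGE_SIZE;
    return 0;
}

/* 1 if the resulting mapping is exactly the doorbell page, else 0. */
static int model_within_doorbell(unsigned long pfn, unsigned long len)
{
    return pfn == MODEL_DB_PFN && len == MODEL_PAGE_SIZE;
}

int main(void)
{
    struct model_vma req = { 0x10000UL, 0x11000UL, 0x40 }; /* constructed request */
    unsigned long pfn = 0, len = 0;
    int rc = model_mmap_unchecked(&req, &pfn, &len);

    printf("unchecked: rc=%d inside_doorbell=%d\n", rc, model_within_doorbell(pfn, len));
    printf("checked:   rc=%d\n", model_mmap_checked(&req, &pfn, &len));
    return 0;
}
```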


