This is a note to let you know that I've just added the patch titled
RDMA/ucma: Check that user doesn't overflow QP state
to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
From a5880b84430316e3e1c1f5d23aa32ec6000cc717 Mon Sep 17 00:00:00 2001
From: Leon Romanovsky leonro@mellanox.com Date: Wed, 7 Mar 2018 18:49:16 +0200 Subject: RDMA/ucma: Check that user doesn't overflow QP state
From: Leon Romanovsky leonro@mellanox.com
commit a5880b84430316e3e1c1f5d23aa32ec6000cc717 upstream.
The QP state is limited and declared in enum ib_qp_state, but ucma user was able to supply any possible (u32) value.
Reported-by: syzbot+0df1ab766f8924b1edba@syzkaller.appspotmail.com Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace") Signed-off-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Doug Ledford dledford@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/infiniband/core/ucma.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1148,6 +1148,9 @@ static ssize_t ucma_init_qp_attr(struct if (copy_from_user(&cmd, inbuf, sizeof(cmd))) return -EFAULT;
+ if (cmd.qp_state > IB_QPS_ERR) + return -EINVAL; + ctx = ucma_get_ctx(file, cmd.id); if (IS_ERR(ctx)) return PTR_ERR(ctx);
Patches currently in stable-queue which might be from leonro@mellanox.com are
queue-4.14/rdma-ucma-limit-possible-option-size.patch queue-4.14/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch queue-4.14/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch