From patchwork Tue Sep 29 10:59:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 263411 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BB56DC4727F for ; Tue, 29 Sep 2020 11:03:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 83D5921D43 for ; Tue, 29 Sep 2020 11:03:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601377430; bh=KzL3UvGrZD1l0U50mqGd94n3Rav+iKUimbADn3+1D/Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Y68HsdureaJQmSISbMulKSLBeBu1aQVkG8w4/MUNjjVOgzu1PlZj2VAOgbDw8AOQw /RrMcSAietuAu/9MaL88cXm9xWs/6Va/IE3nJxh/utnbsTbI7APqmpeU74VP+1aByU eDe62kfzJSelJwS33ZOoSuO/LADKVOdAtzKKkKFM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728487AbgI2LDn (ORCPT ); Tue, 29 Sep 2020 07:03:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:39548 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728474AbgI2LDm (ORCPT ); Tue, 29 Sep 2020 07:03:42 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3695C20C09; Tue, 29 Sep 2020 11:03:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601377421; bh=KzL3UvGrZD1l0U50mqGd94n3Rav+iKUimbADn3+1D/Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zOR71EwVvSs7pScJEKooz8Y6OqdPP4tAbBswdp8n1+elHM0h5MyZZYmscAfsrkFbH Sp7HY+6G27dDS8uxQ5vf0KNSk1dfKeLnU78DME3w6uTc/EAvBn0Tu/WZDxiUImdWhK IJh97zD1e6zgKYW44qOMSQtxeZuzct4CAjsbj39g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Shamir Rabinovitch , Leon Romanovsky , Jason Gunthorpe , "Nobuhiro Iwamatsu (CIP)" , Sasha Levin Subject: [PATCH 4.4 05/85] RDMA/ucma: ucma_context reference leak in error path Date: Tue, 29 Sep 2020 12:59:32 +0200 Message-Id: <20200929105928.479979630@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200929105928.198942536@linuxfoundation.org> References: <20200929105928.198942536@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Shamir Rabinovitch commit ef95a90ae6f4f21990e1f7ced6719784a409e811 upstream. Validating input parameters should be done before getting the cm_id otherwise it can leak a cm_id reference. Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size") Signed-off-by: Shamir Rabinovitch Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe [iwamatsu: Backported to 4.4, 4.9 and 4.14: adjust context] Signed-off-by: Nobuhiro Iwamatsu (CIP) Signed-off-by: Sasha Levin --- drivers/infiniband/core/ucma.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c index 3e4d3d5560bf1..6315f77b4a58c 100644 --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1295,13 +1295,13 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf, if (copy_from_user(&cmd, inbuf, sizeof(cmd))) return -EFAULT; + if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) + return -EINVAL; + ctx = ucma_get_ctx(file, cmd.id); if (IS_ERR(ctx)) return PTR_ERR(ctx); - if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) - return -EINVAL; - optval = memdup_user((void __user *) (unsigned long) cmd.optval, cmd.optlen); if (IS_ERR(optval)) {