From patchwork Thu Jan 21 13:41:31 2016
X-Patchwork-Submitter: "Wan, Kaike"
X-Patchwork-Id: 8081111
From: kaike.wan@intel.com
To: linux-rdma@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiederm@xmission.com, richard.weinberger@gmail.com, davem@davemloft.net, tgraf@suug.ch, daniel@iogearbox.net, chamaken@gmail.com, nicolas.dichtel@6wind.com, fw@strlen.de, syzkaller@googlegroups.com, kcc@google.com, glider@google.com, sasha.levin@oracle.com, edumazet@google.com, dvyukov@google.com, Kaike Wan
Subject: [PATCH 1/1] IB/sa: Fix netlink local service GFP crash
Date: Thu, 21 Jan 2016 08:41:31 -0500
Message-Id: <1453383691-2306-1-git-send-email-kaike.wan@intel.com>
X-Mailer: git-send-email 1.7.1

From: Kaike Wan

The rdma netlink local service registers a handler to handle RESOLVE response and another handler to handle SET_TIMEOUT request. The first thing these handlers do is to call netlink_capable() to check the access right of the received skb to make sure that the sender has root access. Under normal conditions, such responses and requests will be directly forwarded to the handlers without going through the netlink_dump pathway (see ibnl_rcv_msg() in drivers/infiniband/core/netlink.c). However, a user application could send a RESOLVE request (not response) to the local service, which will fall into the netlink_dump pathway, where a new skb will be created without initializing the control block. This new skb will be eventually forwarded to the local service RESOLVE response handler. Unfortunately, netlink_capable() will cause a general protection fault if the skb's control block is not initialized. This patch will address the problem by checking the skb first.
Signed-off-by: Kaike Wan Reported-by: Dmitry Vyukov --- drivers/infiniband/core/sa_query.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/core/sa_query.c b/drivers/infiniband/core/sa_query.c index 1f91b6e..f334090 100644 --- a/drivers/infiniband/core/sa_query.c +++ b/drivers/infiniband/core/sa_query.c @@ -717,7 +717,9 @@ static int ib_nl_handle_set_timeout(struct sk_buff *skb, struct nlattr *tb[LS_NLA_TYPE_MAX]; int ret; - if (!netlink_capable(skb, CAP_NET_ADMIN)) + if (!(nlh->nlmsg_flags & NLM_F_REQUEST) || + !(NETLINK_CB(skb).sk) || + !netlink_capable(skb, CAP_NET_ADMIN)) return -EPERM; ret = nla_parse(tb, LS_NLA_TYPE_MAX - 1, nlmsg_data(nlh), @@ -791,7 +793,9 @@ static int ib_nl_handle_resolve_resp(struct sk_buff *skb, int found = 0; int ret; - if (!netlink_capable(skb, CAP_NET_ADMIN)) + if ((nlh->nlmsg_flags & NLM_F_REQUEST) || + !(NETLINK_CB(skb).sk) || + !netlink_capable(skb, CAP_NET_ADMIN)) return -EPERM; spin_lock_irqsave(&ib_nl_request_lock, flags);
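Review bot: In the ib_nl_handle_set_timeout() hunk, the `!(NETLINK_CB(skb).sk)` test is the one that actually prevents the fault the commit message describes, and it must stay ahead of `netlink_capable()` as it does here; the message says the dump-path skb's control block is "not initialized", though, and a NULL test only protects the handler if that block is zero-filled rather than holding stale bytes, so please state in the commit message which it is. Separately, the new `!(nlh->nlmsg_flags & NLM_F_REQUEST)` condition rejects a SET_TIMEOUT that is not flagged as a request, which is a message-validity failure rather than a permission failure; returning -EPERM for it is misleading, and splitting the header check from the capability check with its own return code reads more clearly:
`if (!(nlh->nlmsg_flags & NLM_F_REQUEST) || !(NETLINK_CB(skb).sk)) return -EINVAL;`
`if (!netlink_capable(skb, CAP_NET_ADMIN)) return -EPERM;`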
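Review bot: In the ib_nl_handle_resolve_resp() hunk, the `(nlh->nlmsg_flags & NLM_F_REQUEST)` test is what turns away the user-sent RESOLVE request the commit message describes, but the message says the crash is fixed "by checking the skb first" and never mentions that both handlers now also reject messages on NLM_F_REQUEST polarity; that changes which messages are accepted, not only which crash, so please describe it in the commit message. As in the SET_TIMEOUT hunk, a request arriving at the response handler is a wrong-message-type condition and -EPERM masks it as a permission error; -EINVAL is the accurate return, with the two header checks separated from the CAP_NET_ADMIN check. Also, the subject says "GFP crash" while the body describes a general protection fault; if GPF is meant, fix the subject, since GFP reads as the allocation-flag prefix.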
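As an added illustration, not part of the patch or of the kernel sources, the following user-space C model reproduces the guard logic of both hunks against a stand-in skb. Every name prefixed `model_`, the 48-byte control block, and the assumption that a dump-path skb arrives with a zero-filled control block are simplifications chosen for the example; the flag and capability values mirror the kernel's. The stand-in `model_netlink_capable()` dereferences the sending socket the way the real check depends on a valid NETLINK_CB(skb).sk, so the model shows why the NULL test has to come before the capability check and why the dump-path skb now yields -EPERM instead of a fault.

```c
/* Added example, not from the patch or the kernel: a user-space model of the
 * two handler guards in the hunks above.  Names prefixed model_ and the
 * 48-byte control block are simplifications of sk_buff / NETLINK_CB() /
 * netlink_capable(); the flag and capability values mirror the kernel's. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NLM_F_REQUEST    0x01          /* "this message is a request" */
#define CAP_NET_ADMIN    12            /* capability number, as in linux/capability.h */
#define MODEL_CAP_BIT(c) (1u << (c))

struct model_sock { unsigned int caps; };          /* stand-in for struct sock */
struct model_nl_parms { struct model_sock *sk; };  /* stand-in for netlink_skb_parms */
struct model_nlmsghdr { unsigned short nlmsg_flags; };

struct model_skb {
    /* sk_buff control block; the dump path in the commit message hands the
     * handler an skb whose cb was never filled in by the receive path */
    unsigned char cb[48] __attribute__((aligned(sizeof(void *))));
};
#define MODEL_NETLINK_CB(skb) (*(struct model_nl_parms *)&((skb)->cb))

/* Stand-in for netlink_capable(): unconditionally dereferences the sending
 * socket, which is the dereference that faults when cb holds no socket. */
static bool model_netlink_capable(const struct model_skb *skb, unsigned int cap)
{
    return (MODEL_NETLINK_CB(skb).sk->caps & MODEL_CAP_BIT(cap)) != 0;
}

/* Guard from ib_nl_handle_set_timeout() after the patch: must be a request,
 * must carry a sending socket, and that socket must have CAP_NET_ADMIN. */
int model_set_timeout_guard(const struct model_skb *skb,
                            const struct model_nlmsghdr *nlh)
{
    if (!(nlh->nlmsg_flags & NLM_F_REQUEST) ||
        !(MODEL_NETLINK_CB(skb).sk) ||
        !model_netlink_capable(skb, CAP_NET_ADMIN))
        return -EPERM;
    return 0;
}

/* Guard from ib_nl_handle_resolve_resp() after the patch: must NOT be a
 * request (a request is what the dump path turns into a bogus "response"). */
int model_resolve_resp_guard(const struct model_skb *skb,
                             const struct model_nlmsghdr *nlh)
{
    if ((nlh->nlmsg_flags & NLM_F_REQUEST) ||
        !(MODEL_NETLINK_CB(skb).sk) ||
        !model_netlink_capable(skb, CAP_NET_ADMIN))
        return -EPERM;
    return 0;
}

/* Constructed inputs: the two kinds of skb the commit message contrasts. */
void model_skb_from_unicast(struct model_skb *skb, struct model_sock *sender)
{
    memset(skb->cb, 0, sizeof skb->cb);
    MODEL_NETLINK_CB(skb).sk = sender;      /* cb populated by the receive path */
}

void model_skb_from_dump(struct model_skb *skb)
{
    memset(skb->cb, 0, sizeof skb->cb);     /* assumed: fresh allocation, cb zero-filled, no sk */
}

int main(void)
{
    struct model_sock root = { MODEL_CAP_BIT(CAP_NET_ADMIN) }, user = { 0 };
    struct model_skb skb;
    struct model_nlmsghdr req = { NLM_F_REQUEST }, resp = { 0 };

    model_skb_from_dump(&skb);
    printf("dump-path skb at RESOLVE response handler: %d\n",
           model_resolve_resp_guard(&skb, &resp));       /* -EPERM, no fault */

    model_skb_from_unicast(&skb, &root);
    printf("root RESOLVE response: %d\n", model_resolve_resp_guard(&skb, &resp));
    printf("root RESOLVE request at response handler: %d\n",
           model_resolve_resp_guard(&skb, &req));        /* -EPERM */

    model_skb_from_unicast(&skb, &user);
    printf("unprivileged SET_TIMEOUT request: %d\n",
           model_set_timeout_guard(&skb, &req));         /* -EPERM */
    return 0;
}
```

With the pre-patch guard (only `model_netlink_capable()`), the first call would dereference a NULL `sk`; the patched order rejects the message before that dereference is reached.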