authorMatan Barak <[email protected]>2018-02-13 12:18:35 +0200
committerJason Gunthorpe <[email protected]>2018-02-15 14:59:46 -0700
commit4d39a959bc1f3d164b5a54147fdeb19f84b1ed58 (patch)
tree394a96ddf6867a6435398f840d310802fc4a0bbb
parent9dfb2ff400f6c0a52f63014b5331b64ee7bd5c19 (diff)
IB/uverbs: Fix possible oops with duplicate ioctl attributes
If the same attribute is listed twice by the user in the ioctl attribute list then error unwind can cause the kernel to deref garbage. This happens when an object with WRITE access is sent twice. The second parse properly fails but corrupts the state required for the error unwind it triggers. Fix this by making duplicates in the attribute list invalid. This is not something we need to support. The ioctl interface is currently recommended to be disabled in Kconfig. Signed-off-by: Matan Barak <[email protected]> Signed-off-by: Leon Romanovsky <[email protected]> Signed-off-by: Jason Gunthorpe <[email protected]>
-rw-r--r--drivers/infiniband/core/uverbs_ioctl.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/infiniband/core/uverbs_ioctl.c b/drivers/infiniband/core/uverbs_ioctl.c
index d96dc1d17be1..339b85145044 100644
--- a/drivers/infiniband/core/uverbs_ioctl.c
+++ b/drivers/infiniband/core/uverbs_ioctl.c
@@ -59,6 +59,9 @@ static int uverbs_process_attr(struct ib_device *ibdev,
return 0;
}
+ if (test_bit(attr_id, attr_bundle_h->valid_bitmap))
+ return -EINVAL;
+
spec = &attr_spec_bucket->attrs[attr_id];
e = &elements[attr_id];
e->uattr = uattr_ptr;
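Review bot: The added `test_bit()` check has no comment explaining why a repeated `attr_id` must be rejected, and the reason is not visible in the code. The lines directly below overwrite `elements[attr_id]` (`e->uattr = uattr_ptr`), which according to the commit message is the state the error unwind depends on. I would add above the check `/* Reject duplicates: re-parsing an attr_id would clobber elements[attr_id], which error unwind relies on. */`. The guard also appears to rely on `attr_id` having been range-checked before it indexes `valid_bitmap`, and on the bit being set only once an attribute has parsed successfully; both are outside this hunk, so confirm the check stays after the bounds test. The body of `uverbs_process_attr` starts and ends outside the hunk.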