
From: Douglas Miller <doug.miller@cornelisnetworks.com> stable inclusion from stable-v4.19.247 commit 0e4dda8b3f4c07ee9ea670a10ea3171a5e63a86f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP1HF CVE: CVE-2022-49429 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 629e052d0c98e46dde9f0824f0aa437f678d9b8f ] If the hfi1 module is loaded with HFI1_CAP_SDMA off, a call to hfi1_write_iter() will dereference a NULL pointer and panic. A typical stack frame is: sdma_select_user_engine [hfi1] hfi1_user_sdma_process_request [hfi1] hfi1_write_iter [hfi1] do_iter_readv_writev do_iter_write vfs_writev do_writev do_syscall_64 The fix is to test for SDMA in hfi1_write_iter() and fail the I/O with EINVAL. Link: https://lore.kernel.org/r/20220520183706.48973.79803.stgit@awfm-01.cornelisn... Signed-off-by: Douglas Miller <doug.miller@cornelisnetworks.com> Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Conflicts: drivers/infiniband/hw/hfi1/file_ops.c [Yongqiang: fix context conflict] Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com> Reviewed-by: Zhang Changzhong <zhangchangzhong@huaiwei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com> --- drivers/infiniband/hw/hfi1/file_ops.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/infiniband/hw/hfi1/file_ops.c b/drivers/infiniband/hw/hfi1/file_ops.c index 499bfae098c2..da8d871fe334 100644 --- a/drivers/infiniband/hw/hfi1/file_ops.c +++ b/drivers/infiniband/hw/hfi1/file_ops.c @@ -306,6 +306,9 @@ static ssize_t hfi1_write_iter(struct kiocb *kiocb, struct iov_iter *from) int done = 0, reqs = 0; unsigned long dim = from->nr_segs; + if (!HFI1_CAP_IS_KSET(SDMA)) + return -EINVAL; + if (!cq || !pq) return -EIO; -- 2.34.1
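Review bot: the new `if (!HFI1_CAP_IS_KSET(SDMA)) return -EINVAL;` guard is placed ahead of the existing `if (!cq || !pq) return -EIO;` test, so a write on a module loaded with the SDMA capability off is rejected before hfi1_user_sdma_process_request() can reach the NULL dereference described in the message; the one thing worth stating in the commit message is the errno choice, since a writer on such a device previously panicked rather than seeing any error, -EINVAL is a new userspace-visible return for this path, and a short note on why -EINVAL (rather than the -EIO used on the very next line for missing queues) was chosen would help later readers of the log.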