From: Md Haris Iqbal haris.iqbal@ionos.com
mainline inclusion from mainline-v6.12-rc1 commit 3e4289b29e216a55d08a89e126bc0b37cbad9f38 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPK0 CVE: CVE-2024-47695
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
-------------------------------------------------
In the function init_conns(), after the create_con() and create_cm() for loop if something fails. In the cleanup for loop after the destroy tag, we access out of bound memory because cid is set to clt_path->s.con_num.
This commits resets the cid to clt_path->s.con_num - 1, to stay in bounds in the cleanup loop later.
Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") Signed-off-by: Md Haris Iqbal haris.iqbal@ionos.com Signed-off-by: Jack Wang jinpu.wang@ionos.com Signed-off-by: Grzegorz Prajsner grzegorz.prajsner@ionos.com Link: https://patch.msgid.link/20240821112217.41827-7-haris.iqbal@ionos.com Signed-off-by: Leon Romanovsky leon@kernel.org
Conflicts: drivers/infiniband/ulp/rtrs/rtrs-clt.c [Did not backport 9c29c8c7df068, caa84d95c78f3.] Signed-off-by: Liu Jian liujian56@huawei.com --- drivers/infiniband/ulp/rtrs/rtrs-clt.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c index e8b2b58cc9bc..83bf5451a1ae 100644 --- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c +++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c @@ -2231,6 +2231,12 @@ static int init_conns(struct rtrs_clt_sess *sess) goto destroy; } } + + /* + * Set the cid to con_num - 1, since if we fail later, we want to stay in bounds. + */ + cid = sess->s.con_num - 1; + err = alloc_sess_reqs(sess); if (err) goto destroy;