[PATCH openEuler-1.0-LTS 4/6] Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"

28 Apr 2023

From: Parav Pandit parav@mellanox.com
mainline inclusion
from mainline-v5.6-rc5
commit e4103312d7b7afb8a3a7a842a33ef2b1856b2c0f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6X49E
CVE: CVE-2023-2176
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
---------------------------
This reverts commit 219d2e9dfda9431b808c28d5efc74b404b95b638.
The call chain below requires the cm_id_priv's destination address to be
setup before performing rdma_bind_addr(). Otherwise source port allocation
fails as cma_port_is_unique() no longer sees the correct tuple to allow
duplicate users of the source port.
rdma_resolve_addr()
  cma_bind_addr()
    rdma_bind_addr()
      cma_get_port()
        cma_alloc_any_port()
          cma_port_is_unique() <- compared with zero daddr
This can result in false failures to connect, particularly if the source
port range is restricted.
Fixes: 219d2e9dfda9 ("RDMA/cma: Simplify rdma_resolve_addr() error flow")
Link: https://lore.kernel.org/r/20200212072635.682689-4-leon@kernel.org
Signed-off-by: Parav Pandit parav@mellanox.com
Signed-off-by: Leon Romanovsky leonro@mellanox.com
Signed-off-by: Jason Gunthorpe jgg@mellanox.com
(cherry picked from commit e4103312d7b7afb8a3a7a842a33ef2b1856b2c0f)
Signed-off-by: Liu Jian liujian56@huawei.com
Conflicts:
    drivers/infiniband/core/cma.c
Reviewed-by: Yue Haibing yuehaibing@huawei.com
Reviewed-by: Wang Weiyang wangweiyang2@huawei.com
Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com
---
 drivers/infiniband/core/cma.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index 319bfef00a4a..db5d4290de2b 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -2997,19 +2997,26 @@ int rdma_resolve_addr(struct rdma_cm_id *id, struct sockaddr *src_addr,
    int ret;
id_priv = container_of(id, struct rdma_id_private, id);
+	memcpy(cma_dst_addr(id_priv), dst_addr, rdma_addr_size(dst_addr));
    if (id_priv->state == RDMA_CM_IDLE) {
    	ret = cma_bind_addr(id, src_addr, dst_addr);
-		if (ret)
+		if (ret) {
+			memset(cma_dst_addr(id_priv), 0,
+			       rdma_addr_size(dst_addr));
    		return ret;
+		}
    }
-	if (cma_family(id_priv) != dst_addr->sa_family)
+	if (cma_family(id_priv) != dst_addr->sa_family) {
+		memset(cma_dst_addr(id_priv), 0, rdma_addr_size(dst_addr));
    	return -EINVAL;
+	}
-	if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_ADDR_QUERY))
+	if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_ADDR_QUERY)) {
+		memset(cma_dst_addr(id_priv), 0, rdma_addr_size(dst_addr));
    	return -EINVAL;
+	}
-	memcpy(cma_dst_addr(id_priv), dst_addr, rdma_addr_size(dst_addr));
    atomic_inc(&id_priv->refcount);
    if (cma_any_addr(dst_addr)) {
    	ret = cma_resolve_loopback(id_priv);
-- 
2.25.1


    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-1.0-LTS 4/6] Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"