Commit | Line | Data |
---|---|---|
c302c12c GKH |
1 | From 2a78cb4db487372152bed2055c038f9634d595e8 Mon Sep 17 00:00:00 2001 |
2 | From: Bart Van Assche <bart.vanassche@wdc.com> | |
3 | Date: Thu, 1 Mar 2018 14:00:30 -0800 | |
4 | Subject: IB/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write() | |
5 | ||
6 | From: Bart Van Assche <bart.vanassche@wdc.com> | |
7 | ||
8 | commit 2a78cb4db487372152bed2055c038f9634d595e8 upstream. | |
9 | ||
10 | Avoid triggering an out-of-bounds stack access by changing the type | |
11 | of 'wr' from ib_send_wr into ib_rdma_wr. | |
12 | ||
13 | This patch fixes the following KASAN bug report: | |
14 | ||
15 | BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x7a9/0x9a0 [rdma_rxe] | |
16 | Read of size 8 at addr ffff880068197a48 by task kworker/2:1/44 | |
17 | ||
18 | Workqueue: ib_cm cm_work_handler [ib_cm] | |
19 | Call Trace: | |
20 | dump_stack+0x8e/0xcd | |
21 | print_address_description+0x6f/0x280 | |
22 | kasan_report+0x25a/0x380 | |
23 | __asan_load8+0x54/0x90 | |
24 | rxe_post_send+0x7a9/0x9a0 [rdma_rxe] | |
25 | srpt_zerolength_write+0xf0/0x180 [ib_srpt] | |
26 | srpt_cm_rtu_recv+0x68/0x110 [ib_srpt] | |
27 | srpt_rdma_cm_handler+0xbb/0x15b [ib_srpt] | |
28 | cma_ib_handler+0x1aa/0x4a0 [rdma_cm] | |
29 | cm_process_work+0x30/0x100 [ib_cm] | |
30 | cm_work_handler+0xa86/0x351b [ib_cm] | |
31 | process_one_work+0x475/0x9f0 | |
32 | worker_thread+0x69/0x690 | |
33 | kthread+0x1ad/0x1d0 | |
34 | ret_from_fork+0x3a/0x50 | |
35 | ||
36 | Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably") | |
37 | Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com> | |
38 | Cc: Christoph Hellwig <hch@lst.de> | |
39 | Cc: stable@vger.kernel.org | |
40 | Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> | |
41 | Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com> | |
42 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
43 | --- | |
44 | drivers/infiniband/ulp/srpt/ib_srpt.c | 15 +++++++++------ | |
45 | 1 file changed, 9 insertions(+), 6 deletions(-) | |
46 | ||
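--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -787,13 +787,16 @@ static int srpt_post_recv(struct srpt_de
 */
 static int srpt_zerolength_write(struct srpt_rdma_ch *ch)
 {
- struct ib_send_wr wr, *bad_wr;
+ struct ib_send_wr *bad_wr;
+ struct ib_rdma_wr wr = {
+ .wr = {
+ .opcode = IB_WR_RDMA_WRITE,
+ .wr_cqe = &ch->zw_cqe,
+ .send_flags = IB_SEND_SIGNALED,
+ }
+ };
 
- memset(&wr, 0, sizeof(wr));
- wr.opcode = IB_WR_RDMA_WRITE;
- wr.wr_cqe = &ch->zw_cqe;
- wr.send_flags = IB_SEND_SIGNALED;
- return ib_post_send(ch->qp, &wr, &bad_wr);
+ return ib_post_send(ch->qp, &wr.wr, &bad_wr);
 }
 
 static void srpt_zerolength_write_done(struct ib_cq *cq, struct ib_wc *wc)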
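Review bot: Nothing at the declaration of `wr` in srpt_zerolength_write() records why it must be a full `struct ib_rdma_wr` when only `.wr` members are set, so a later cleanup could narrow it back to `struct ib_send_wr` and reintroduce the stack over-read that KASAN reported in rxe_post_send. Going by the trace, the provider presumably reads the RDMA-specific members whenever the opcode is `IB_WR_RDMA_WRITE`, regardless of the zero length. I would add a comment above the declaration, for example `/* Must be ib_rdma_wr, not ib_send_wr: the provider reads the RDMA fields for IB_WR_RDMA_WRITE; they stay zero here. */`. The function's own comment block begins above the hunk, so whether it already states this constraint is not visible here.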