git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/4.16.4/rdma-rxe-fix-an-out-of-bounds-read.patch
From a6544a624c3ff92a64e4aca3931fa064607bd3da Mon Sep 17 00:00:00 2001
From: Bart Van Assche <bart.vanassche@wdc.com>
Date: Thu, 1 Mar 2018 14:00:29 -0800
Subject: RDMA/rxe: Fix an out-of-bounds read

From: Bart Van Assche <bart.vanassche@wdc.com>

commit a6544a624c3ff92a64e4aca3931fa064607bd3da upstream.

This patch avoids that KASAN reports the following when the SRP initiator
calls srp_post_send():

==================================================================
BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x5c4/0x980 [rdma_rxe]
Read of size 8 at addr ffff880066606e30 by task 02-mq/1074

CPU: 2 PID: 1074 Comm: 02-mq Not tainted 4.16.0-rc3-dbg+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
Call Trace:
dump_stack+0x85/0xc7
print_address_description+0x65/0x270
kasan_report+0x231/0x350
rxe_post_send+0x5c4/0x980 [rdma_rxe]
srp_post_send.isra.16+0x149/0x190 [ib_srp]
srp_queuecommand+0x94d/0x1670 [ib_srp]
scsi_dispatch_cmd+0x1c2/0x550 [scsi_mod]
scsi_queue_rq+0x843/0xa70 [scsi_mod]
blk_mq_dispatch_rq_list+0x143/0xac0
blk_mq_do_dispatch_ctx+0x1c5/0x260
blk_mq_sched_dispatch_requests+0x2bf/0x2f0
__blk_mq_run_hw_queue+0xdb/0x160
__blk_mq_delay_run_hw_queue+0xba/0x100
blk_mq_run_hw_queue+0xf2/0x190
blk_mq_sched_insert_request+0x163/0x2f0
blk_execute_rq+0xb0/0x130
scsi_execute+0x14e/0x260 [scsi_mod]
scsi_probe_and_add_lun+0x366/0x13d0 [scsi_mod]
__scsi_scan_target+0x18a/0x810 [scsi_mod]
scsi_scan_target+0x11e/0x130 [scsi_mod]
srp_create_target+0x1522/0x19e0 [ib_srp]
kernfs_fop_write+0x180/0x210
__vfs_write+0xb1/0x2e0
vfs_write+0xf6/0x250
SyS_write+0x99/0x110
do_syscall_64+0xee/0x2b0
entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the page:
page:ffffea0001998180 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff880066606d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
ffff880066606d80: f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2
>ffff880066606e00: f2 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00 00
^
ffff880066606e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff880066606f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Fixes: 8700e3e7c485 ("Soft RoCE driver")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: Moni Shoua <monis@mellanox.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
@@ -711,9 +711,8 @@ static int init_send_wqe(struct rxe_qp *
memcpy(wqe->dma.sge, ibwr->sg_list,
num_sge * sizeof(struct ib_sge));

- wqe->iova = (mask & WR_ATOMIC_MASK) ?
- atomic_wr(ibwr)->remote_addr :
- rdma_wr(ibwr)->remote_addr;
+ wqe->iova = mask & WR_ATOMIC_MASK ? atomic_wr(ibwr)->remote_addr :
+ mask & WR_READ_OR_WRITE_MASK ? rdma_wr(ibwr)->remote_addr : 0;
wqe->mask = mask;
wqe->dma.length = length;
wqe->dma.resid = length;
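Review bot: the root cause deserves a comment next to the new `wqe->iova` assignment in init_send_wqe(): the removed code fell through to `rdma_wr(ibwr)->remote_addr` for every non-atomic work request, including plain sends, where `ibwr` is a bare `struct ib_send_wr` (here on the SRP initiator's stack) rather than one embedded in a `struct ib_rdma_wr`, so reading `remote_addr` runs past the end of the caller's object, which is exactly the 8-byte stack-out-of-bounds read KASAN reports above; a one-line comment saying that iova is only meaningful for atomic and RDMA read/write opcodes and is therefore 0 otherwise would stop the next reader from "simplifying" it back. Readability point: the nested conditional in `+ wqe->iova = mask & WR_ATOMIC_MASK ? ... : mask & WR_READ_OR_WRITE_MASK ? ... : 0;` relies on `&` binding tighter than `?:` and on `?:` being right-associative, which is correct C but easy to misread in review; parenthesising each mask test, or writing it as an if/else-if chain, would match the style of the removed lines. Finally, the hunk does not show the definition of WR_READ_OR_WRITE_MASK, so the reviewer should confirm it covers every opcode whose work request actually embeds a `struct ib_rdma_wr`; an opcode left out of the mask would silently post with iova 0 rather than the intended remote address, while an opcode wrongly included would reintroduce the same out-of-bounds read.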