RDMA/siw: bound Read Response placement to the RREAD length

In drivers/infiniband/sw/siw/siw_qp_rx.c, siw_proc_rresp() places each
inbound Read Response DDP segment at sge->laddr + wqe->processed and then
accumulates wqe->processed, but it never checks the running total against
the sink buffer length on continuation segments. siw_check_sge() resolves
and validates the sink memory only on the first fragment (the if (!*mem)
branch), and siw_rresp_check_ntoh() compares the cumulative length against
wqe->bytes only on the final segment (the !frx->more_ddp_segs guard).

A connected siw peer that answers an outstanding RREAD with Read Response
segments that keep the DDP Last flag clear, carrying more total payload
than the RREAD requested, drives wqe->processed past the validated sink
buffer; the next siw_rx_data() call writes out of bounds at
sge->laddr + wqe->processed. siw runs iWARP over ordinary routable TCP,
so the peer is the remote end of an established RDMA connection and needs
no local privilege.

Bound every segment before placement, exactly as siw_proc_send() and
siw_proc_write() already do for their tagged and untagged paths, and
terminate the connection with a base-or-bounds DDP error when the
Read Response would overrun the sink buffer.

This is the second receive-path length fix for this file. A separate
change rejects an MPA FPDU length that underflows the per-fragment
remainder in the header decode; that guard does not cover this case,
because here each individual segment length is self-consistent and only
the accumulated placement offset overruns the buffer.

Fixes: 8b6a361b8c48 ("rdma/siw: receive path")
Link: https://patch.msgid.link/r/20260602194700.2273758-1-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/infiniband/sw/siw/siw_qp_rx.c b/drivers/infiniband/sw/siw/siw_qp_rx.c
index 34d03584160c2ff77e400599eec9afe20efafe1a..b566d163c5aabc780d2e29f5a28e5aae8def1306 100644 (file)
--- a/drivers/infiniband/sw/siw/siw_qp_rx.c
+++ b/drivers/infiniband/sw/siw/siw_qp_rx.c
@@ -844,6 +844,15 @@ int siw_proc_rresp(struct siw_qp *qp)
        }
        mem_p = *mem;
 
+       if (unlikely(wqe->processed + srx->fpdu_part_rem > wqe->bytes)) {
+               siw_dbg_qp(qp, "rresp len: %d + %d > %d\n",
+                          wqe->processed, srx->fpdu_part_rem, wqe->bytes);
+               wqe->wc_status = SIW_WC_LOC_LEN_ERR;
+               siw_init_terminate(qp, TERM_ERROR_LAYER_DDP,
+                                  DDP_ETYPE_TAGGED_BUF,
+                                  DDP_ECODE_T_BASE_BOUNDS, 0);
+               return -EINVAL;
+       }
        bytes = min(srx->fpdu_part_rem, srx->skb_new);
        rv = siw_rx_data(mem_p, srx, &frx->pbl_idx,
                         sge->laddr + wqe->processed, bytes);