From: Bob Pearson <rpearsonhpe@gmail.com>
To: jgg@nvidia.com, zyjzyj2000@gmail.com, linux-rdma@vger.kernel.org
Cc: Bob Pearson <rpearsonhpe@gmail.com>
Subject: [PATCH for-next 4/6] RDMA/rxe: Fix over copying in get_srq_wqe
Date: Thu, 17 Jun 2021 23:57:41 -0500 [thread overview]
Message-ID: <20210618045742.204195-5-rpearsonhpe@gmail.com> (raw)
In-Reply-To: <20210618045742.204195-1-rpearsonhpe@gmail.com>
Currently get_srq_wqe() in rxe_resp.c copies the maximum possible number
of bytes from the wqe into the QPs copy of the SRQ wqe. This is usually
extra work and risks reading past the end of the SRQ circular buffer if
the SRQ is configured with less than the maximum possible number of SGEs.
Check the number of SGEs is not too large.
Compute the actual number of bytes in the WR and copy only those.
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
---
drivers/infiniband/sw/rxe/rxe_resp.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
index 5718c8bb28ac..93322d20c0ab 100644
--- a/drivers/infiniband/sw/rxe/rxe_resp.c
+++ b/drivers/infiniband/sw/rxe/rxe_resp.c
@@ -296,6 +296,7 @@ static enum resp_states get_srq_wqe(struct rxe_qp *qp)
struct rxe_recv_wqe *wqe;
struct ib_event ev;
unsigned int count;
+ size_t size;
if (srq->error)
return RESPST_ERR_RNR;
@@ -311,8 +312,13 @@ static enum resp_states get_srq_wqe(struct rxe_qp *qp)
return RESPST_ERR_RNR;
}
- /* note kernel and user space recv wqes have same size */
- memcpy(&qp->resp.srq_wqe, wqe, sizeof(qp->resp.srq_wqe));
+ /* don't trust user space data */
+ if (unlikely(wqe->dma.num_sge > srq->rq.max_sge)) {
+ pr_warn("%s: invalid num_sge in SRQ entry\n", __func__);
+ return RESPST_ERR_MALFORMED_WQE;
+ }
+ size = sizeof(wqe) + wqe->dma.num_sge*sizeof(struct rxe_sge);
+ memcpy(&qp->resp.srq_wqe, wqe, size);
qp->resp.wqe = &qp->resp.srq_wqe.wqe;
if (qp->is_user) {
--
2.30.2
next prev parent reply other threads:[~2021-06-18 5:00 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-18 4:57 [PATCH for-next 0/6] Fix extra/redundant copies Bob Pearson
2021-06-18 4:57 ` [PATCH for-next 1/6] RDMA/rxe: Fix useless copy in send_atomic_ack Bob Pearson
2021-06-18 4:57 ` [PATCH for-next 2/6] RDMA/rxe: Fix redundant call to ip_send_check Bob Pearson
2021-06-18 4:57 ` [PATCH for-next 3/6] RDMA/rxe: Fix extra copies in build_rdma_network_hdr Bob Pearson
2021-06-18 4:57 ` Bob Pearson [this message]
2021-06-18 4:57 ` [PATCH for-next 5/6] RDMA/rxe: Fix extra copy in prepare_ack_packet Bob Pearson
2021-06-18 4:57 ` [PATCH for-next 6/6] RDMA/rxe: Fix redundant skb_put_zero Bob Pearson
2021-06-18 8:02 ` Zhu Yanjun
2021-06-18 15:32 ` Bob Pearson
2021-06-20 14:07 ` Zhu Yanjun
2021-06-20 20:21 ` Bob Pearson
2021-06-21 2:58 ` Zhu Yanjun
2021-06-22 18:40 ` [PATCH for-next 0/6] Fix extra/redundant copies Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210618045742.204195-5-rpearsonhpe@gmail.com \
--to=rpearsonhpe@gmail.com \
--cc=jgg@nvidia.com \
--cc=linux-rdma@vger.kernel.org \
--cc=zyjzyj2000@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.