From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
Sowmini Varadhan <sowmini.varadhan@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.14 09/79] rds: avoid potential stack overflow
Date: Tue, 24 Mar 2015 16:45:20 +0100 [thread overview]
Message-ID: <20150324154421.286989222@linuxfoundation.org> (raw)
In-Reply-To: <20150324154420.803073211@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit f862e07cf95d5b62a5fc5e981dd7d0dbaf33a501 ]
The rds_iw_update_cm_id function stores a large 'struct rds_sock' object
on the stack in order to pass a pair of addresses. This happens to just
fit withint the 1024 byte stack size warning limit on x86, but just
exceed that limit on ARM, which gives us this warning:
net/rds/iw_rdma.c:200:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=]
As the use of this large variable is basically bogus, we can rearrange
the code to not do that. Instead of passing an rds socket into
rds_iw_get_device, we now just pass the two addresses that we have
available in rds_iw_update_cm_id, and we change rds_iw_get_mr accordingly,
to create two address structures on the stack there.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rds/iw_rdma.c | 40 ++++++++++++++++++++++------------------
1 file changed, 22 insertions(+), 18 deletions(-)
--- a/net/rds/iw_rdma.c
+++ b/net/rds/iw_rdma.c
@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg
int *unpinned);
static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr);
-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id)
+static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst,
+ struct rds_iw_device **rds_iwdev,
+ struct rdma_cm_id **cm_id)
{
struct rds_iw_device *iwdev;
struct rds_iw_cm_id *i_cm_id;
@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_
src_addr->sin_port,
dst_addr->sin_addr.s_addr,
dst_addr->sin_port,
- rs->rs_bound_addr,
- rs->rs_bound_port,
- rs->rs_conn_addr,
- rs->rs_conn_port);
+ src->sin_addr.s_addr,
+ src->sin_port,
+ dst->sin_addr.s_addr,
+ dst->sin_port);
#ifdef WORKING_TUPLE_DETECTION
- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr &&
- src_addr->sin_port == rs->rs_bound_port &&
- dst_addr->sin_addr.s_addr == rs->rs_conn_addr &&
- dst_addr->sin_port == rs->rs_conn_port) {
+ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr &&
+ src_addr->sin_port == src->sin_port &&
+ dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr &&
+ dst_addr->sin_port == dst->sin_port) {
#else
/* FIXME - needs to compare the local and remote
* ipaddr/port tuple, but the ipaddr is the only
@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_
* zero'ed. It doesn't appear to be properly populated
* during connection setup...
*/
- if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) {
+ if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) {
#endif
spin_unlock_irq(&iwdev->spinlock);
*rds_iwdev = iwdev;
@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_de
{
struct sockaddr_in *src_addr, *dst_addr;
struct rds_iw_device *rds_iwdev_old;
- struct rds_sock rs;
struct rdma_cm_id *pcm_id;
int rc;
src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
- rs.rs_bound_addr = src_addr->sin_addr.s_addr;
- rs.rs_bound_port = src_addr->sin_port;
- rs.rs_conn_addr = dst_addr->sin_addr.s_addr;
- rs.rs_conn_port = dst_addr->sin_port;
-
- rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id);
+ rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id);
if (rc)
rds_iw_remove_cm_id(rds_iwdev, cm_id);
@@ -598,9 +594,17 @@ void *rds_iw_get_mr(struct scatterlist *
struct rds_iw_device *rds_iwdev;
struct rds_iw_mr *ibmr = NULL;
struct rdma_cm_id *cm_id;
+ struct sockaddr_in src = {
+ .sin_addr.s_addr = rs->rs_bound_addr,
+ .sin_port = rs->rs_bound_port,
+ };
+ struct sockaddr_in dst = {
+ .sin_addr.s_addr = rs->rs_conn_addr,
+ .sin_port = rs->rs_conn_port,
+ };
int ret;
- ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id);
+ ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id);
if (ret || !cm_id) {
ret = -ENODEV;
goto out;
next prev parent reply other threads:[~2015-03-24 15:51 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-24 15:45 [PATCH 3.14 00/79] 3.14.37-stable review Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 02/79] sparc32: destroy_context() and switch_mm() needs to disable interrupts Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 03/79] sparc: semtimedop() unreachable due to comparison error Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 04/79] sparc: perf: Remove redundant perf_pmu_{en|dis}able calls Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 05/79] sparc: perf: Make counting mode actually work Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 06/79] sparc: Touch NMI watchdog when walking cpus and calling printk Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 07/79] sparc64: Fix several bugs in memmove() Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 08/79] net: sysctl_net_core: check SNDBUF and RCVBUF for min length Greg Kroah-Hartman
2015-03-24 15:45 ` Greg Kroah-Hartman [this message]
2015-03-24 15:45 ` [PATCH 3.14 10/79] inet_diag: fix possible overflow in inet_diag_dump_one_icsk() Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 11/79] caif: fix MSG_OOB test in caif_seqpkt_recvmsg() Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 12/79] rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg() Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 13/79] Revert "net: cx82310_eth: use common match macro" Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 14/79] ipv6: fix backtracking for throw routes Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 15/79] tcp: fix tcp fin memory accounting Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 16/79] net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 17/79] tcp: make connect() mem charging friendly Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 19/79] drm/radeon: do a posting read in evergreen_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 20/79] drm/radeon: do a posting read in r100_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 21/79] drm/radeon: do a posting read in r600_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 22/79] drm/radeon: do a posting read in cik_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 23/79] drm/radeon: do a posting read in si_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 24/79] drm/radeon: do a posting read in rs600_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 25/79] drm/radeon: fix interlaced modes on DCE8 Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 27/79] LZ4 : fix the data abort issue Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 28/79] fuse: set stolen page uptodate Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 29/79] fuse: notify: dont move pages Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 30/79] console: Fix console name size mismatch Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 31/79] virtio_console: init work unconditionally Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 32/79] virtio_console: avoid config access from irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 33/79] Change email address for 8250_pci Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 34/79] can: add missing initialisations in CAN related skbuffs Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 35/79] workqueue: fix hang involving racing cancel[_delayed]_work_sync()s for PREEMPT_NONE Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 36/79] cpuset: Fix cpuset sched_relax_domain_level Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 37/79] tpm/ibmvtpm: Additional LE support for tpm_ibmvtpm_send Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 38/79] spi: atmel: Fix interrupt setup for PDC transfers Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 39/79] spi: pl022: Fix race in giveback() leading to driver lock-up Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 41/79] ALSA: control: Add sanity checks for user ctl id name string Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 42/79] ALSA: hda - Fix built-in mic on Compaq Presario CQ60 Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 43/79] ALSA: hda - Dont access stereo amps for mono channel widgets Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 44/79] ALSA: hda - Set single_adc_amp flag for CS420x codecs Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 45/79] ALSA: hda - Add workaround for MacBook Air 5,2 built-in mic Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 46/79] ALSA: hda - Fix regression of HD-audio controller fallback modes Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 47/79] ALSA: hda - Treat stereo-to-mono mix properly Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.14 48/79] mtd: nand: pxa3xx: Fix PIO FIFO draining Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 49/79] bnx2x: Force fundamental reset for EEH recovery Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 50/79] regulator: Only enable disabled regulators on resume Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 51/79] regulator: core: Fix enable GPIO reference counting Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 52/79] nilfs2: fix deadlock of segment constructor during recovery Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 53/79] drm/vmwgfx: Reorder device takedown somewhat Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 54/79] xen/events: avoid NULL pointer dereference in dom0 on large machines Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 55/79] xen-pciback: limit guest control of command register Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 56/79] libsas: Fix Kernel Crash in smp_execute_task Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 57/79] pagemap: do not leak physical addresses to non-privileged userspace Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 58/79] crypto: arm/aes update NEON AES module to latest OpenSSL version Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 59/79] crypto: aesni - fix memory usage in GCM decryption Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 60/79] x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 61/79] x86/fpu: Drop_fpu() should not assume that tsk equals current Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 62/79] x86/vdso: Fix the build on GCC5 Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 63/79] ipvs: add missing ip_vs_pe_put in sync code Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 64/79] ipvs: rerouting to local clients is not needed anymore Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 65/79] netfilter: nft_compat: fix module refcount underflow Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 66/79] netfilter: xt_socket: fix a stack corruption bug Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 67/79] ARM: imx6sl-evk: set swbst_reg as vbuss parent reg Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 68/79] arm64: Honor __GFP_ZERO in dma allocations Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 69/79] ARM: imx6qdl-sabresd: set swbst_reg as vbuss parent reg Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 70/79] ARM: at91: pm: fix at91rm9200 standby Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 71/79] ARM: dts: DRA7x: Fix the bypass clock source for dpll_iva and others Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 72/79] target: Fix reference leak in target_get_sess_cmd() error path Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 73/79] target: Fix virtual LUN=0 target_configure_device failure OOPs Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 74/79] iscsi-target: Avoid early conn_logout_comp for iser connections Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 75/79] target/pscsi: Fix NULL pointer dereference in get_device_type Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 76/79] target: Fix R_HOLDER bit usage for AllRegistrants Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 77/79] target: Avoid dropping AllRegistrants reservation during unregister Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 78/79] target: Allow AllRegistrants to re-RESERVE existing reservation Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.14 79/79] target: Allow Write Exclusive non-reservation holders to READ Greg Kroah-Hartman
2015-03-25 2:50 ` [PATCH 3.14 00/79] 3.14.37-stable review Guenter Roeck
2015-03-25 8:30 ` Greg Kroah-Hartman
2015-03-25 13:03 ` Guenter Roeck
2015-03-25 13:07 ` Guenter Roeck
2015-03-26 14:00 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150324154421.286989222@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=arnd@arndb.de \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sowmini.varadhan@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).