From: Chuck Lever <cel@kernel.org>
To: linux-nfs@vger.kernel.org, linux-rdma@vger.kernel.org
Subject: [PATCH v1 05/11] svcrdma: Prevent a UAF in svc_rdma_send()
Date: Mon, 29 Jan 2024 09:51:02 -0500
Message-ID: <170653986273.24162.4447192396691167938.stgit@manet.1015granger.net>
In-Reply-To: <170653967395.24162.4661804176845293777.stgit@manet.1015granger.net>

From: Chuck Lever <chuck.lever@oracle.com>

In some error flow cases, svc_rdma_wc_send() releases @ctxt. Copy
the sc_cid field in @ctxt to a stack variable in order to guarantee
that the value is available after the ib_post_send() call.

In case the new comment looks a little strange, this will be done
with at least one more field in a subsequent patch.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 net/sunrpc/xprtrdma/svc_rdma_sendto.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/sunrpc/xprtrdma/svc_rdma_sendto.c b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
index f1f5c7b58fce..b6fc9299b472 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
@@ -316,12 +316,17 @@ static void svc_rdma_wc_send(struct ib_cq *cq, struct ib_wc *wc)
  * @rdma: transport on which to post the WR
  * @ctxt: send ctxt with a Send WR ready to post
  *
+ * Copy fields in @ctxt to stack variables in order to guarantee
+ * that these values remain available after the ib_post_send() call.
+ * In some error flow cases, svc_rdma_wc_send() releases @ctxt.
+ *
  * Returns zero if the Send WR was posted successfully. Otherwise, a
  * negative errno is returned.
  */
 int svc_rdma_send(struct svcxprt_rdma *rdma, struct svc_rdma_send_ctxt *ctxt)
 {
 	struct ib_send_wr *wr = &ctxt->sc_send_wr;
+	struct rpc_rdma_cid cid = ctxt->sc_cid;
 	int ret;
 
 	might_sleep();
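
Review bot: the rationale for the copy lives only in the kernel-doc block, while the declaration "struct rpc_rdma_cid cid = ctxt->sc_cid;" carries no comment and wr, declared on the line above it, still points into @ctxt. A one-line comment at the declarations saying that @ctxt and wr must not be dereferenced once ib_post_send() has been called would keep a later trace point or error path from reintroducing the same read. The kernel-doc text also says "fields" and "these values" although only sc_cid is copied in this hunk; the changelog explains why, but the changelog will not sit next to the code, so singular wording until the follow-up patch lands would read better.
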
@@ -337,12 +342,12 @@ int svc_rdma_send(struct svcxprt_rdma *rdma, struct svc_rdma_send_ctxt *ctxt)
 		if ((atomic_dec_return(&rdma->sc_sq_avail) < 0)) {
 			svc_rdma_wake_send_waiters(rdma, 1);
 			percpu_counter_inc(&svcrdma_stat_sq_starve);
-			trace_svcrdma_sq_full(rdma, &ctxt->sc_cid);
+			trace_svcrdma_sq_full(rdma, &cid);
 			wait_event(rdma->sc_send_wait,
 				   atomic_read(&rdma->sc_sq_avail) > 0);
 			if (test_bit(XPT_CLOSE, &rdma->sc_xprt.xpt_flags))
 				return -ENOTCONN;
-			trace_svcrdma_sq_retry(rdma, &ctxt->sc_cid);
+			trace_svcrdma_sq_retry(rdma, &cid);
 			continue;
 		}
 
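Review bot: neither trace_svcrdma_sq_full() nor trace_svcrdma_sq_retry() in this hunk has an ib_post_send() call ahead of it in the visible lines; both sit in the branch taken when atomic_dec_return(&rdma->sc_sq_avail) goes negative, ahead of the continue. The changelog ties the release of @ctxt to svc_rdma_wc_send() after the post, so please state whether these two conversions close a real window or are made only for consistency with the post-error trace point. That tells a backporter which parts of the patch are the actual fix.
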
@@ -353,7 +358,7 @@ int svc_rdma_send(struct svcxprt_rdma *rdma, struct svc_rdma_send_ctxt *ctxt)
 		return 0;
 	}
 
-	trace_svcrdma_sq_post_err(rdma, &ctxt->sc_cid, ret);
+	trace_svcrdma_sq_post_err(rdma, &cid, ret);
 	svc_xprt_deferred_close(&rdma->sc_xprt);
 	svc_rdma_wake_send_waiters(rdma, 1);
 	return ret;
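
Review bot: trace_svcrdma_sq_post_err() is the converted call that sits after the "return 0;" success exit, so it is the one that runs once a post has been attempted, yet the trailers carry only a Signed-off-by. Since the subject describes a use-after-free, a Fixes: tag naming the commit that introduced the &ctxt->sc_cid read at this point would let stable maintainers decide whether to pick the patch up. The two calls that follow, svc_xprt_deferred_close() and svc_rdma_wake_send_waiters(), take only rdma, so no other @ctxt dereference remains in the visible tail of the function.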



Thread overview: 13+ messages
2024-01-29 14:50 [PATCH v1 00/11] NFSD RDMA transport improvements Chuck Lever
2024-01-29 14:50 ` [PATCH v1 01/11] svcrdma: Reserve an extra WQE for ib_drain_rq() Chuck Lever
2024-01-29 14:50 ` [PATCH v1 02/11] svcrdma: Use all allocated Send Queue entries Chuck Lever
2024-01-29 17:26   ` Chuck Lever
2024-01-29 14:50 ` [PATCH v1 03/11] svcrdma: Increase the per-transport rw_ctx count Chuck Lever
2024-01-29 14:50 ` [PATCH v1 04/11] svcrdma: Fix SQ wake-ups Chuck Lever
2024-01-29 14:51 ` Chuck Lever [this message]
2024-01-29 14:51 ` [PATCH v1 06/11] svcrdma: Fix retry loop in svc_rdma_send() Chuck Lever
2024-01-29 14:51 ` [PATCH v1 07/11] svcrdma: Post Send WR chain Chuck Lever
2024-01-29 14:51 ` [PATCH v1 08/11] svcrdma: Move write_info for Reply chunks into struct svc_rdma_send_ctxt Chuck Lever
2024-01-29 14:51 ` [PATCH v1 09/11] svcrdma: Post the Reply chunk and Send WR together Chuck Lever
2024-01-29 14:51 ` [PATCH v1 10/11] svcrdma: Post WRs for Write chunks in svc_rdma_sendto() Chuck Lever
2024-01-29 14:51 ` [PATCH v1 11/11] svcrdma: Add Write chunk WRs to the RPC's Send WR chain Chuck Lever
