2023-02-27 09:48:35

by Daniil Dulov

[permalink] [raw]
Subject: [PATCH] RDMA/siw: Fix potential page_array out of range access

When seg is equal to MAX_ARRAY, the loop should break, otherwise
it will result in out of range access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: b9be6f18cf9e ("rdma/siw: transmit path")
Signed-off-by: Daniil Dulov <[email protected]>
---
drivers/infiniband/sw/siw/siw_qp_tx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c b/drivers/infiniband/sw/siw/siw_qp_tx.c
index 3c3ae5ef2942..f9eb314c6e14 100644
--- a/drivers/infiniband/sw/siw/siw_qp_tx.c
+++ b/drivers/infiniband/sw/siw/siw_qp_tx.c
@@ -548,7 +548,7 @@ static int siw_tx_hdt(struct siw_iwarp_tx *c_tx, struct socket *s)
data_len -= plen;
fp_off = 0;

- if (++seg > (int)MAX_ARRAY) {
+ if (++seg == (int)MAX_ARRAY) {
siw_dbg_qp(tx_qp(c_tx), "to many fragments\n");
siw_unmap_pages(page_array, kmap_mask);
wqe->processed -= c_tx->bytes_unsent;
--
2.25.1



2023-02-28 10:05:59

by Bernard Metzler

[permalink] [raw]
Subject: RE: [PATCH] RDMA/siw: Fix potential page_array out of range access



> -----Original Message-----
> From: Daniil Dulov <[email protected]>
> Sent: Monday, 27 February 2023 10:18
> To: Bernard Metzler <[email protected]>
> Cc: Daniil Dulov <[email protected]>; Doug Ledford <[email protected]>;
> Jason Gunthorpe <[email protected]>; [email protected]; linux-
> [email protected]; [email protected]
> Subject: [EXTERNAL] [PATCH] RDMA/siw: Fix potential page_array out of range
> access
>
> When seg is equal to MAX_ARRAY, the loop should break, otherwise
> it will result in out of range access.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: b9be6f18cf9e ("rdma/siw: transmit path")
> Signed-off-by: Daniil Dulov <[email protected]>
> ---
> drivers/infiniband/sw/siw/siw_qp_tx.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c
> b/drivers/infiniband/sw/siw/siw_qp_tx.c
> index 3c3ae5ef2942..f9eb314c6e14 100644
> --- a/drivers/infiniband/sw/siw/siw_qp_tx.c
> +++ b/drivers/infiniband/sw/siw/siw_qp_tx.c
> @@ -548,7 +548,7 @@ static int siw_tx_hdt(struct siw_iwarp_tx *c_tx, struct
> socket *s)
> data_len -= plen;
> fp_off = 0;
>
> - if (++seg > (int)MAX_ARRAY) {
> + if (++seg == (int)MAX_ARRAY) {

Absolutely! For superstitious people like me,
maybe even write '>=' here. Thank you!

> siw_dbg_qp(tx_qp(c_tx), "to many fragments\n");
> siw_unmap_pages(page_array, kmap_mask);
> wqe->processed -= c_tx->bytes_unsent;
> --
> 2.25.1

2023-03-13 11:57:08

by Leon Romanovsky

[permalink] [raw]
Subject: Re: [PATCH] RDMA/siw: Fix potential page_array out of range access

On Mon, Feb 27, 2023 at 01:17:51AM -0800, Daniil Dulov wrote:
> When seg is equal to MAX_ARRAY, the loop should break, otherwise
> it will result in out of range access.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: b9be6f18cf9e ("rdma/siw: transmit path")
> Signed-off-by: Daniil Dulov <[email protected]>
> ---
> drivers/infiniband/sw/siw/siw_qp_tx.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>

Thanks, applied and changed as Bernard suggested.