Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp663870ima;
        Sat, 20 Oct 2018 16:14:53 -0700 (PDT)
X-Google-Smtp-Source: ACcGV62guVSa3M0QNsuvC3NYC3OTU6g9XptFw/5rWa1iiysG/Mbph3OqlynWiciDGMDVUWC9I8EE
X-Received: by 2002:a17:902:28e7:: with SMTP id f94-v6mr30527044plb.297.1540077293111;
        Sat, 20 Oct 2018 16:14:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540077293; cv=none;
        d=google.com; s=arc-20160816;
        b=hTC+GoV/QABVdWRK8nf3BObSXusJlpl8gukiTbT1vBzn3EYqq8FOn5Hlu1uWEJEh2t
         2W5Pc5+Gnax/MkuIrfSAXvAe1BhS6LxjXRKqGK8VzBAjsP8r+dgDhqOYOXLCGtCZc7Ds
         TyoV7zXyDav2p3FUJ9Kcsq2lk1vvlia9MrgZDEZtZQXey1C0xdN6d/K2AOxQk2ZHW8Sm
         GhSklSK1yTbopznuvhW5bTjYTNTCV4wiQ8i79gzQFc0osww6OXos9fZtjKfNRafR+Km0
         MRUrJVkC0GZT3MawoVNDJPhBLvxZsy5Es9xmYxi7thAreQ3UogfL2ds9HvccOUgGsk3v
         YHuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:thread-index:content-language
         :content-transfer-encoding:mime-version:message-id:date:subject
         :in-reply-to:references:cc:to:from;
        bh=jwQlMvLkFsJmbkk6ACDr2QY0s9Ulkm6FLLfOFmQyLww=;
        b=QWa0Jrq/NB+Fieyx8BhLkSXqNU/HDdP6qwAlLI5fUWq9tQPnhssg2CytUyGZxXn0gv
         b/XZNdntNJA2NOF8uHEHHrZ0kb8zmTCs2/6LepKhK9WDVfLM0OErNOUrsIs3gmep8AM7
         d80w15yJHrH3P8grPll1QEvOMy44cNI25iLcJi06I4JojX4D3QS9xoziShgVh73YepgJ
         Kz6fl2lEw7gu5+1yatM/A4pP9m55YstFmQ44pVVWx2ZoNzhjJ0EeeaRPASy8nO259Wrm
         CG0GMcdCI1QKevBvIKEec+oNw51RfX3l24syWhGg4FS7IlfgUsG0r/ChjoZB8jx3tlKC
         S35g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d2-v6si8706794plh.152.2018.10.20.16.14.35;
        Sat, 20 Oct 2018 16:14:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726782AbeJUH0W (ORCPT <rfc822;rmelvin.vger@gmail.com>
        + 99 others); Sun, 21 Oct 2018 03:26:22 -0400
Received: from linode.aoot.com ([69.164.194.13]:42518 "EHLO linode.aoot.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726609AbeJUH0W (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 21 Oct 2018 03:26:22 -0400
Received: from stevoacer (47-221-137-213.gtwncmta03.res.dyn.suddenlink.net [47.221.137.213])
        by linode.aoot.com (Postfix) with ESMTP id D70FA835F;
        Sat, 20 Oct 2018 18:14:13 -0500 (CDT)
From:   "Steve Wise" <swise@opengridcomputing.com>
To:     "'Wenwen Wang'" <wang6495@umn.edu>
Cc:     "'Kangjie Lu'" <kjlu@umn.edu>, "'Steve Wise'" <swise@chelsio.com>,
        "'Doug Ledford'" <dledford@redhat.com>,
        "'Jason Gunthorpe'" <jgg@ziepe.ca>,
        "'open list:CXGB4 IWARP RNIC DRIVER \(IW_CXGB4\)'" 
        <linux-rdma@vger.kernel.org>,
        "'open list'" <linux-kernel@vger.kernel.org>
References: <1540072741-18856-1-git-send-email-wang6495@umn.edu>
In-Reply-To: <1540072741-18856-1-git-send-email-wang6495@umn.edu>
Subject: RE: [PATCH] iw_cxgb4: fix a missing-check bug
Date:   Sat, 20 Oct 2018 18:14:12 -0500
Message-ID: <038301d468ca$9d30ca90$d7925fb0$@opengridcomputing.com>
MIME-Version: 1.0
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQHGM3QZHxRys26vq/PiwJXt1dGVDaVFLSog
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hey Wenwen,

> Subject: [PATCH] iw_cxgb4: fix a missing-check bug
> 
> In c4iw_flush_hw_cq, the next CQE is acquired through t4_next_hw_cqe(). In
> t4_next_hw_cqe(), the CQE, i.e., 'cq->queue[cq->cidx]', is checked to see
> whether it is valid through t4_valid_cqe(). If it is valid, the address of
> the CQE is then saved to 'hw_cqe'. Later on, the CQE is copied to the
local
> memory in create_read_req_cqe(). The problem here is that the CQE is
> actually in a DMA region allocated by dma_alloc_coherent() in create_cq().
> Given that the device also has the permission to access the DMA region, a
> malicious device controlled by an attacker can modify the CQE in the DMA
> region after the check in t4_next_hw_cqe() but before the copy in
> create_read_req_cqe(). By doing so, the attacker can supply invalid CQE,
> which can cause undefined behavior of the kernel and introduce potential
> security risks.
> 

If the dma device is malicious, couldn't it just dma some incorrect CQE but
still valid in the first place?  I don't think this patch actually solves
the issue, and it forces a copy of a 64B CQE in a critical data io path.  

So I must NACK this. 

Thanks,

Steve.