From patchwork Fri Oct 18 00:55:07 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ian Whitfield
X-Patchwork-Id: 1998858
From: Ian Whitfield
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/1] RDMA/rxe: Return CQE error if invalid lkey was supplied
Date: Thu, 17 Oct 2024 17:55:07 -0700
Message-ID: <20241018005507.50168-2-ian.whitfield@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20241018005507.50168-1-ian.whitfield@canonical.com>
References: <20241018005507.50168-1-ian.whitfield@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

From: Leon Romanovsky

RXE is missing update of WQE status in LOCAL_WRITE failures. This caused the
following kernel panic if someone sent an atomic operation with an explicitly
wrong lkey.

[leonro@vm ~]$ mkt test
test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ...
 WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
 Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core
 CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
 Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff
 RSP: 0018:ffff8880158af090 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652
 RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210
 RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b
 R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8
 R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c
 FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  rxe_do_task+0x130/0x230 [rdma_rxe]
  rxe_rcv+0xb11/0x1df0 [rdma_rxe]
  rxe_loopback+0x157/0x1e0 [rdma_rxe]
  rxe_responder+0x5532/0x7620 [rdma_rxe]
  rxe_do_task+0x130/0x230 [rdma_rxe]
  rxe_rcv+0x9c8/0x1df0 [rdma_rxe]
  rxe_loopback+0x157/0x1e0 [rdma_rxe]
  rxe_requester+0x1efd/0x58c0 [rdma_rxe]
  rxe_do_task+0x130/0x230 [rdma_rxe]
rxe_post_send+0x998/0x1860 [rdma_rxe] ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs] ib_uverbs_write+0x847/0xc80 [ib_uverbs] vfs_write+0x1c5/0x840 ksys_write+0x176/0x1d0 do_syscall_64+0x3f/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/11e7b553f3a6f5371c6bb3f57c494bb52b88af99.1620711734.git.leonro@nvidia.com Signed-off-by: Leon Romanovsky Acked-by: Zhu Yanjun Signed-off-by: Jason Gunthorpe (backported from commit dc07628bd2bbc1da768e265192c28ebd301f509d) [ijwhitfield: Context adjusted due to missing commit 364e282c4fe7 ("RDMA/rxe: Split MEM into MR and MW")] CVE-2021-47076 Signed-off-by: Ian Whitfield --- drivers/infiniband/sw/rxe/rxe_comp.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/drivers/infiniband/sw/rxe/rxe_comp.c b/drivers/infiniband/sw/rxe/rxe_comp.c index 4bc88708b355..79d6508aa657 100644 --- a/drivers/infiniband/sw/rxe/rxe_comp.c +++ b/drivers/infiniband/sw/rxe/rxe_comp.c @@ -373,13 +373,15 @@ static inline enum comp_state do_read(struct rxe_qp *qp, ret = copy_data(qp->pd, IB_ACCESS_LOCAL_WRITE, &wqe->dma, payload_addr(pkt), payload_size(pkt), to_mem_obj, NULL); - if (ret) + if (ret) { + wqe->status = IB_WC_LOC_PROT_ERR; return COMPST_ERROR; + } if (wqe->dma.resid == 0 && (pkt->mask & RXE_END_MASK)) return COMPST_COMP_ACK; - else - return COMPST_UPDATE_COMP; + + return COMPST_UPDATE_COMP; } static inline enum comp_state do_atomic(struct rxe_qp *qp, @@ -393,10 +395,12 @@ static inline enum comp_state do_atomic(struct rxe_qp *qp, ret = copy_data(qp->pd, IB_ACCESS_LOCAL_WRITE, &wqe->dma, &atomic_orig, sizeof(u64), to_mem_obj, NULL); - if (ret) + if (ret) { + wqe->status = IB_WC_LOC_PROT_ERR; return COMPST_ERROR; - else - return COMPST_COMP_ACK; + } + + return COMPST_COMP_ACK; } static void make_send_cqe(struct rxe_qp *qp, struct rxe_send_wqe *wqe,
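Review bot: in the do_read() hunk, every non-zero return from copy_data() is now reported as IB_WC_LOC_PROT_ERR and the value of ret itself is dropped. If copy_data() in this tree can fail for a reason other than the lkey/IB_ACCESS_LOCAL_WRITE check, the consumer would see a protection error for a different fault, so please confirm which error codes it can return here or say in the commit text why a single status is sufficient. The removal of the `else` before `return COMPST_UPDATE_COMP;` is style only; it matches the upstream commit, but it is worth noting in the backport comment that it is not part of the fix.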
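Review bot: the do_atomic() hunk is the only path the quoted reproducer (test_atomic_invalid_lkey) exercises, while the same `wqe->status = IB_WC_LOC_PROT_ERR;` assignment is also added to do_read() with no test mentioned for it. Since the backport note says the context was adjusted for the missing MR/MW split, the SRU should state that the atomic test was rerun on the Focal kernel with this patch applied, and ideally that an RDMA read with an invalid lkey was tried as well. The commit text also calls the failure a kernel panic although the log shown is a WARNING at rxe_comp.c:740; the SRU justification should say which one is observed on Focal.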