On Wed, Nov 02, 2022 at 10:31:10AM +0100, Bernard Metzler wrote:
> Correctly set send queue element opcode during immediate work request
> flushing in post sendqueue operation, if the QP is in ERROR state.
> An undefined opcode value results in out-of-bounds access to an array
> for mapping the opcode between siw internal and RDMA core representation
> in work completion generation. It resulted in a KASAN BUG report
> of type 'global-out-of-bounds' during NFSoRDMA testing.
> This patch further fixes a potential case of a malicious user which may
> write undefined values for completion queue elements status or opcode,
> if the CQ is memory mapped to user land. It avoids the same out-of-bounds
> access to arrays for status and opcode mapping as described above.

Please split commit message to paragraphs.

>
> Fixes: 303ae1cdfdf7 ("rdma/siw: application interface")
> Fixes: b0fff7317bb4 ("rdma/siw: completion queue methods")
>

No blank line here

> Reported-by: Olga Kornievskaia <kolga@xxxxxxxxxx>
> Reviewed-by: Tom Talpey <tom@xxxxxxxxxx>
> Signed-off-by: Bernard Metzler <bmt@xxxxxxxxxxxxxx>
>
> ----

It should be "---" and not "----" for git to trim changelog.

> v1 -> v2:
> Change return code of siw_sq_flush_wr() to -EINVAL
> for unexpected opcodes.
>
> Signed-off-by: Bernard Metzler <bmt@xxxxxxxxxxxxxx>

Another SOB.

> ---
>  drivers/infiniband/sw/siw/siw_cq.c    | 24 ++++++++++++++--
>  drivers/infiniband/sw/siw/siw_verbs.c | 40 ++++++++++++++++++++++++---
>  2 files changed, 58 insertions(+), 6 deletions(-)

Thanks
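The bug class the quoted commit message describes, an opcode or status value taken from a completion queue element and used unchecked as an array index, as an added C example written for this page and not siw's own code: the enum values, mapping tables and CQE layout are hypothetical stand-ins, and the -EINVAL return mirrors the v2 note above.

```c
#include <errno.h>
#include <stdint.h>

/* Hypothetical stand-ins for siw's internal opcode/status values and the
 * RDMA core work-completion values they are mapped to. These are NOT the
 * real siw or ib_verbs definitions; they only illustrate the pattern. */
enum siw_opcode { SIW_OP_WRITE, SIW_OP_READ, SIW_OP_SEND, SIW_NUM_OPCODES };
enum siw_wc_status { SIW_WC_SUCCESS, SIW_WC_LOC_LEN_ERR, SIW_WC_WR_FLUSH_ERR,
		     SIW_NUM_WC_STATUS };
enum ib_wc_opcode { IB_WC_SEND = 0, IB_WC_RDMA_WRITE = 1, IB_WC_RDMA_READ = 2 };
enum ib_wc_status { IB_WC_SUCCESS = 0, IB_WC_LOC_LEN_ERR = 1,
		    IB_WC_WR_FLUSH_ERR = 5 };

/* Fixed-size mapping tables; any index >= the SIW_NUM_* bound is undefined. */
static const enum ib_wc_opcode map_opcode[SIW_NUM_OPCODES] = {
	[SIW_OP_WRITE] = IB_WC_RDMA_WRITE,
	[SIW_OP_READ]  = IB_WC_RDMA_READ,
	[SIW_OP_SEND]  = IB_WC_SEND,
};
static const enum ib_wc_status map_status[SIW_NUM_WC_STATUS] = {
	[SIW_WC_SUCCESS]      = IB_WC_SUCCESS,
	[SIW_WC_LOC_LEN_ERR]  = IB_WC_LOC_LEN_ERR,
	[SIW_WC_WR_FLUSH_ERR] = IB_WC_WR_FLUSH_ERR,
};

/* Constructed CQ element layout. Once the CQ is memory mapped to user
 * land, every field here is user controlled and must be validated. */
struct cqe { uint8_t opcode; uint8_t status; uint32_t bytes; uint64_t id; };
struct wc { enum ib_wc_opcode opcode; enum ib_wc_status status;
	    uint32_t bytes; uint64_t id; };

/* Translate one CQE into a work completion. Each untrusted field is read
 * exactly once into a local (no re-read between the check and the table
 * lookup) and rejected with -EINVAL when it falls outside the mapping
 * table, instead of indexing past the array as the fixed bug did. */
int cqe_to_wc(const volatile struct cqe *e, struct wc *out)
{
	unsigned int op = e->opcode;
	unsigned int st = e->status;

	if (op >= SIW_NUM_OPCODES || st >= SIW_NUM_WC_STATUS)
		return -EINVAL;

	out->opcode = map_opcode[op];
	out->status = map_status[st];
	out->bytes  = e->bytes;
	out->id     = e->id;
	return 0;
}
```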