On Fri, Dec 02, 2022 at 08:01:57PM +0900, Daisuke Matsuda wrote:
> The commit 686d348476ee ("RDMA/rxe: Remove unnecessary mr testing") causes
> a kernel crash. If the responder gets a zero-byte RDMA Read request, qp->resp.mr
> is not set in check_rkey(). The mr is NULL in this case, and a NULL pointer
> dereference occurs as shown below.

I don't think this is right. What justification is there for not validating
the rkey in check_rkey just because the length is 0?

IBA 9.3.3.2 says:

  A responder that supports RDMA and / or ATOMIC Operations shall verify
  the R_Key, the associated access rights, and the specified virtual
  address. The responder must also perform bounds checking (i.e. verify
  that the length of the data being referenced does not cross the
  associated memory start and end addresses). Any violation must result
  in the packet being discarded and for reliable services, the
  generation of a NAK.

Which I do not think allows this behavior.

If check_rkey validates the rkey then this function can assume it is not
NULL in all cases, like I think it is supposed to.

Jason
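The two positions in the exchange above, as an added illustration that is not rxe code and not part of the original thread: a toy model of a responder-side R_Key check, with one variant that short-circuits on a zero-length request (leaving the MR pointer NULL for later code to dereference) and one that performs the IBA 9.3.3.2 checks, R_Key lookup, access rights, virtual address and bounds, for every request regardless of length. All names (toy_mr, mr_table, check_rkey_skip_zero, check_rkey_always, RESP_NAK_REMOTE_ACCESS) and the registration table are hypothetical, constructed for the example.

```c
/* Added example, not rxe kernel code. Names and the MR table are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum resp_status { RESP_OK = 0, RESP_NAK_REMOTE_ACCESS = 1 };

#define ACCESS_REMOTE_READ  0x1u
#define ACCESS_REMOTE_WRITE 0x2u

/* Minimal stand-in for a registered memory region. */
struct toy_mr {
	uint32_t rkey;
	uint64_t iova;   /* first byte of the registered range */
	uint64_t length; /* bytes registered */
	unsigned access; /* ACCESS_REMOTE_* bits granted at registration */
};

/* Constructed registration table standing in for the kernel's rkey lookup. */
static struct toy_mr mr_table[] = {
	{ .rkey = 0x1234, .iova = 0x10000, .length = 0x1000, .access = ACCESS_REMOTE_READ },
	{ .rkey = 0x5678, .iova = 0x20000, .length = 0x100,  .access = ACCESS_REMOTE_WRITE },
};

static struct toy_mr *lookup_rkey(uint32_t rkey)
{
	for (size_t i = 0; i < sizeof(mr_table) / sizeof(mr_table[0]); i++)
		if (mr_table[i].rkey == rkey)
			return &mr_table[i];
	return NULL;
}

/* Variant that skips validation when len == 0: returns RESP_OK but leaves
 * *mr_out NULL, so a caller that assumes a validated MR is present will
 * dereference NULL. The rkey itself is never checked on this path. */
static int check_rkey_skip_zero(uint32_t rkey, uint64_t va, uint64_t len,
				unsigned need, struct toy_mr **mr_out)
{
	struct toy_mr *mr;

	*mr_out = NULL;
	if (len == 0)
		return RESP_OK;		/* bug: rkey/access/VA not validated */
	mr = lookup_rkey(rkey);
	if (!mr || (mr->access & need) != need)
		return RESP_NAK_REMOTE_ACCESS;
	if (va < mr->iova || va - mr->iova > mr->length ||
	    len > mr->length - (va - mr->iova))
		return RESP_NAK_REMOTE_ACCESS;
	*mr_out = mr;
	return RESP_OK;
}

/* Variant following IBA 9.3.3.2: R_Key, access rights, virtual address and
 * bounds are verified for every request. On success *mr_out is always set,
 * so callers may assume a non-NULL MR after RESP_OK. */
static int check_rkey_always(uint32_t rkey, uint64_t va, uint64_t len,
			     unsigned need, struct toy_mr **mr_out)
{
	struct toy_mr *mr = lookup_rkey(rkey);

	*mr_out = NULL;
	if (!mr)
		return RESP_NAK_REMOTE_ACCESS;	/* unknown R_Key */
	if ((mr->access & need) != need)
		return RESP_NAK_REMOTE_ACCESS;	/* access rights */
	/* Bounds: [va, va + len) must lie inside [iova, iova + length).
	 * Written without computing va + len, so a huge len cannot wrap.
	 * A zero-length request still needs va inside the region
	 * (va == iova + length is accepted as the empty range at the end). */
	if (va < mr->iova || va - mr->iova > mr->length ||
	    len > mr->length - (va - mr->iova))
		return RESP_NAK_REMOTE_ACCESS;
	*mr_out = mr;
	return RESP_OK;
}

int main(void)
{
	struct toy_mr *mr;
	int rc;

	/* Zero-byte read with a bogus rkey: buggy variant says OK, mr is NULL. */
	rc = check_rkey_skip_zero(0xdead, 0x10000, 0, ACCESS_REMOTE_READ, &mr);
	printf("skip_zero: rc=%d mr=%p\n", rc, (void *)mr);

	/* Same request under the always-validate variant: NAK, as the spec requires. */
	rc = check_rkey_always(0xdead, 0x10000, 0, ACCESS_REMOTE_READ, &mr);
	printf("always:    rc=%d mr=%p\n", rc, (void *)mr);
	return 0;
}
```

The bounds test uses offsets rather than `va + len` so that a remote-supplied length near UINT64_MAX cannot wrap past the end check; the buggy variant reproduces the same check but only for non-zero lengths, which is exactly the gap the quoted crash report describes.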