On Thu, Dec 8, 2022 8:44 AM Jason Gunthorpe wrote:
> On Fri, Dec 02, 2022 at 08:01:57PM +0900, Daisuke Matsuda wrote:
> > The commit 686d348476ee ("RDMA/rxe: Remove unnecessary mr testing") causes
> > a kernel crash. If the responder gets a zero-byte RDMA Read request, qp->resp.mr
> > is not set in check_rkey(). The mr is NULL in this case, and a NULL pointer
> > dereference occurs as shown below.
>
> I don't think this is right.
>
> What justification is there for not validating the rkey in check_rkey
> just because the length is 0?

I referred to IB Specification Vol 1-Release-1.5-2021-08-06b. The behaviour of
the responder on receiving a packet is described in "9.7.4.1". The current
implementation of check_rkey() is justified by "9.7.4.1.5 C9-88".

> IBA 9.3.3.2 says:
>
> <...>

The document is proprietary. I think it is safer not to quote the contents, so
I do not show what "9.7.4.1.5 C9-88" says here. Sorry for bothering you, but
please check the description yourself.

Thanks,
Daisuke

> Which I do not think allows this behavior.
>
> If check_rkey validates the rkey then this function can assume it is
> not NULL in all cases, like I think it is supposed to.
>
> Jason
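The two positions in the thread can be seen side by side in a small model. The C below is an added example written for this page; it is not rxe code and none of its names (check_rkey_skip_zero_len, check_rkey_always, read_reply, handle_read, the struct layouts and the constructed registry) come from the kernel. Variant A returns early from the rkey check when the request length is 0 and never sets resp->mr, so a later stage that assumes the pointer is valid fails; variant B looks the rkey up regardless of length, so the consumer can rely on a non-NULL mr or the request is rejected before it gets there. The NULL dereference itself is modelled as a status code rather than an actual crash so that both paths can be exercised in one process.

```c
/*
 * Hypothetical model of a responder's rkey check and reply stage.
 * Not rxe code: the names, structs and sample registry are assumptions
 * made for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum resp_status { RESP_OK = 0, RESP_ERR_RKEY = 1, RESP_ERR_NULL_MR = 2 };

struct mr {
    uint32_t rkey;
    uint64_t iova;    /* start of the registered virtual range */
    uint64_t length;  /* size of the region in bytes */
    uint8_t *buf;     /* backing storage (constructed sample data) */
};

struct qp_resp {
    struct mr *mr;    /* region selected by the rkey check, used by the reply stage */
    uint64_t va;
    uint64_t resid;   /* bytes remaining to transfer */
};

/* Constructed sample registry: one region, rkey 0x1234, 64 bytes at iova 0x1000. */
static uint8_t region_buf[64] = "constructed region contents";
static struct mr registry[] = {
    { .rkey = 0x1234, .iova = 0x1000, .length = sizeof region_buf, .buf = region_buf },
};

static struct mr *lookup_mr(uint32_t rkey)
{
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (registry[i].rkey == rkey)
            return &registry[i];
    return NULL;
}

/* [va, va + len) must lie inside the region; written to avoid overflow. */
static int range_ok(const struct mr *mr, uint64_t va, uint64_t len)
{
    return va >= mr->iova && len <= mr->length && va - mr->iova <= mr->length - len;
}

typedef int (*check_fn)(struct qp_resp *, uint32_t, uint64_t, uint64_t);

/* Variant A: skip the lookup when length is 0, leaving resp->mr NULL. */
static int check_rkey_skip_zero_len(struct qp_resp *resp, uint32_t rkey,
                                    uint64_t va, uint64_t len)
{
    resp->mr = NULL;
    resp->va = va;
    resp->resid = len;
    if (len == 0)
        return RESP_OK;               /* the rkey is never validated on this path */
    struct mr *mr = lookup_mr(rkey);
    if (!mr || !range_ok(mr, va, len))
        return RESP_ERR_RKEY;
    resp->mr = mr;
    return RESP_OK;
}

/* Variant B: always look the rkey up; a zero-length request still needs a valid region. */
static int check_rkey_always(struct qp_resp *resp, uint32_t rkey,
                             uint64_t va, uint64_t len)
{
    resp->mr = NULL;
    resp->va = va;
    resp->resid = len;
    struct mr *mr = lookup_mr(rkey);
    if (!mr || !range_ok(mr, va, len))
        return RESP_ERR_RKEY;
    resp->mr = mr;
    return RESP_OK;
}

/*
 * Reply stage that assumes resp->mr was set by the check. Instead of
 * dereferencing NULL (which would take the process down) the model reports
 * RESP_ERR_NULL_MR so the fault is observable in a test; a consumer with
 * no mr test at all would simply crash here.
 */
static int read_reply(struct qp_resp *resp, uint8_t *out, size_t out_len)
{
    if (!resp->mr)
        return RESP_ERR_NULL_MR;
    size_t n = resp->resid < out_len ? (size_t)resp->resid : out_len;
    memcpy(out, resp->mr->buf + (resp->va - resp->mr->iova), n);
    return RESP_OK;
}

/* Run one inbound RDMA Read through check then reply; returns the first failing status. */
static int handle_read(check_fn check, uint32_t rkey, uint64_t va, uint64_t len)
{
    struct qp_resp resp = {0};
    uint8_t out[64];
    int rc = check(&resp, rkey, va, len);
    if (rc != RESP_OK)
        return rc;
    return read_reply(&resp, out, sizeof out);
}
```

With variant A, a zero-length request reaches the reply stage with mr still NULL whether the rkey is valid or not, which is exactly the condition the removed mr test used to absorb; with variant B the zero-length request either carries a valid region through to the reply or is refused at the check, so the reply stage's assumption holds on every path. Which of the two the IBA text requires is the question the thread leaves open.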