On Tue, Sep 25, 2018 at 02:16:46PM +0000, Israel Rukshin wrote:
> In case target remote invalidates bogus rkey and signature is not used,
> pi_ctx is NULL deref.
> The commit also fails the connection on bogus remote invalidation.
>
> Signed-off-by: Israel Rukshin <israelr@xxxxxxxxxxxx>
> Reviewed-by: Max Gurtovoy <maxg@xxxxxxxxxxxx>
> ---
There is a need to add Fixes line.
> drivers/infiniband/ulp/iser/iser_initiator.c | 18 +++++++++++++-----
> 1 file changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/infiniband/ulp/iser/iser_initiator.c b/drivers/infiniband/ulp/iser/iser_initiator.c
> index 2f63885..96af06c 100644
> --- a/drivers/infiniband/ulp/iser/iser_initiator.c
> +++ b/drivers/infiniband/ulp/iser/iser_initiator.c
> @@ -589,13 +589,19 @@ void iser_login_rsp(struct ib_cq *cq, struct ib_wc *wc)
> ib_conn->post_recv_buf_count--;
> }
>
> -static inline void
> +static inline int
> iser_inv_desc(struct iser_fr_desc *desc, u32 rkey)
> {
> - if (likely(rkey == desc->rsc.mr->rkey))
> + if (likely(rkey == desc->rsc.mr->rkey)) {
> desc->rsc.mr_valid = 0;
> - else if (likely(rkey == desc->pi_ctx->sig_mr->rkey))
> + } else if (likely(desc->pi_ctx && rkey == desc->pi_ctx->sig_mr->rkey)) {
> desc->pi_ctx->sig_mr_valid = 0;
> + } else {
> + iser_err("Bogus remote invalidation for rkey %#x\n", rkey);
Does it mean that remote user can spam local dmesg?
> + return -EINVAL;
> + }
> +
> + return 0;
> }
>
> static int
> @@ -623,12 +629,14 @@ void iser_login_rsp(struct ib_cq *cq, struct ib_wc *wc)
>
> if (iser_task->dir[ISER_DIR_IN]) {
> desc = iser_task->rdma_reg[ISER_DIR_IN].mem_h;
> - iser_inv_desc(desc, rkey);
> + if (unlikely(iser_inv_desc(desc, rkey)))
> + return -EINVAL;
> }
>
> if (iser_task->dir[ISER_DIR_OUT]) {
> desc = iser_task->rdma_reg[ISER_DIR_OUT].mem_h;
> - iser_inv_desc(desc, rkey);
> + if (unlikely(iser_inv_desc(desc, rkey)))
> + return -EINVAL;
> }
> } else {
> iser_err("failed to get task for itt=%d\n", hdr->itt);
> --
> 1.8.3.1
>
Attachment:
signature.asc
Description: PGP signature
