The size of the header was not being added back in when forming the write command. This caused the DESTROY_CQ write() to issue 16 bytes not 24 bytes. This was missed because the kernel does not validate the size of the write and happily reads past the end of the buffer. When the kernel was updated to bounds check write() this was discovered. This was inadvertently fixed in rdma-core v20 by b3da306d85d4 ("verbs: Use the new kabi macros with the write fallback system") so this patch is only for two stable versions and has no matching upstream patch. Fixes: e225b20f3a23 ("verbs: Add basic infrastructure for mixed write and ioctl cmds") Cc: stable@xxxxxxxxxxxxxx # v18 v19 Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxxxx> --- libibverbs/cmd_write.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Nicholas, can you apply this to v18 and v19 stable branches please? Thanks, Jason diff --git a/libibverbs/cmd_write.h b/libibverbs/cmd_write.h index cd0f37179ffd0d..91e2bb7abd9945 100644 --- a/libibverbs/cmd_write.h +++ b/libibverbs/cmd_write.h @@ -197,7 +197,7 @@ static inline int _execute_write(uint32_t cmdnum, struct ibv_context *ctx, { struct ib_uverbs_cmd_hdr *hdr = get_req_hdr(req); - hdr->in_words = req_len / 4; + hdr->in_words = (sizeof(*hdr) + req_len) / 4; hdr->out_words = resp_len / 4; return _execute_write_raw(cmdnum, ctx, hdr, resp); } -- 2.19.1
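Review bot: the corrected line `hdr->in_words = (sizeof(*hdr) + req_len) / 4;` assumes both `sizeof(*hdr)` and `req_len` are multiples of 4, otherwise the integer division silently truncates and the kernel is again told a smaller size than is written; a comment or a static check on the alignment of `req_len` at the call sites would make that assumption explicit. The arithmetic is consistent with the description: the 8-byte difference between the 16 bytes previously issued and the 24 bytes expected for DESTROY_CQ is exactly the command header, which is what the new term adds. Since `hdr->out_words = resp_len / 4;` is left unchanged, it is worth confirming in `_execute_write_raw` that the byte count passed to write() is derived from the same header-plus-request length, so the value reported in `in_words` and the actual write size can no longer drift apart as they did before the kernel began bounds checking.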