On 11/21/18 8:14 PM, Jason Gunthorpe wrote:
> The size of the header was not being added back in when forming the
> write command. This caused the DESTROY_CQ write() to issue 16 bytes not 24
> bytes. This was missed because the kernel does not validate the size of
> the write and happily reads past the end of the buffer.
>
> When the kernel was updated to bounds check write() this was discovered.
>
> This was inadvertently fixed in rdma-core v20 by b3da306d85d4 ("verbs: Use
> the new kabi macros with the write fallback system") so this patch is
> only for two stable versions and has no matching upstream patch.
>
> Fixes: e225b20f3a23 ("verbs: Add basic infrastructure for mixed write and ioctl cmds")
> Cc: stable@xxxxxxxxxxxxxx # v18 v19
> Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxxxx>
> ---
>  libibverbs/cmd_write.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> Nicholas, can you apply this to v18 and v19 stable branches please?

Applied to v18 and v19 branches.

Thanks