while processing MPA Reply, SIW driver is trying to read extra 4 bytes
than what peer has advertised as private data length.
If a FPDU data is received before even siw_recv_mpa_rr() completed
reading MPA reply, then ksock_recv() in siw_recv_mpa_rr() could also
read FPDU, if "size" is larger than advertised MPA reply length.
501 static int siw_recv_mpa_rr(struct siw_cep *cep)
502 {
.............
572
573 if (rcvd > to_rcv)
574 return -EPROTO; <----- Failure here
Looks like the intention here is to throw an ERROR if the received data
is more than the total private data length advertised by the peer. But
reading beyond MPA message causes siw_cm to generate
RDMA_CM_EVENT_CONNECT_ERROR event when TCP socket recv buffer is already
queued with FPDU messages.
Hence, this function should only read upto private data length.
Signed-off-by: Krishnamraju Eraparaju <krishna2@xxxxxxxxxxx>
---
drivers/infiniband/sw/siw/siw_cm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/sw/siw/siw_cm.c b/drivers/infiniband/sw/siw/siw_cm.c
index a7cde98e73e8..8dc8cea2566c 100644
--- a/drivers/infiniband/sw/siw/siw_cm.c
+++ b/drivers/infiniband/sw/siw/siw_cm.c
@@ -559,13 +559,13 @@ static int siw_recv_mpa_rr(struct siw_cep *cep)
* A private data buffer gets allocated if hdr->params.pd_len != 0.
*/
if (!cep->mpa.pdata) {
- cep->mpa.pdata = kmalloc(pd_len + 4, GFP_KERNEL);
+ cep->mpa.pdata = kmalloc(pd_len, GFP_KERNEL);
if (!cep->mpa.pdata)
return -ENOMEM;
}
rcvd = ksock_recv(
s, cep->mpa.pdata + cep->mpa.bytes_rcvd - sizeof(struct mpa_rr),
- to_rcv + 4, MSG_DONTWAIT);
+ to_rcv, MSG_DONTWAIT);
if (rcvd < 0)
return rcvd;
--
2.23.0.rc0
