Patch "RDMA/siw: Set defined status for work completion with undefined status" has been added to the 6.0-stable tree

This is a note to let you know that I've just added the patch titled

    RDMA/siw: Set defined status for work completion with undefined status

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rdma-siw-set-defined-status-for-work-completion-with.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 96a522332fad898f076bff03499ef4d95757ae37
Author: Bernard Metzler <bmt@xxxxxxxxxxxxxx>
Date:   Tue Nov 15 18:07:47 2022 +0100

    RDMA/siw: Set defined status for work completion with undefined status
    
    [ Upstream commit 60da2d11fcbc043304910e4d2ca82f9bab953e63 ]
    
    A malicious user may write undefined values into memory mapped completion
    queue elements status or opcode. Undefined status or opcode values will
    result in out-of-bounds access to an array mapping siw internal
    representation of opcode and status to RDMA core representation when
    reaping CQ elements. While siw detects those undefined values, it did not
    correctly set completion status to a defined value, thus defeating the
    whole purpose of the check.
    
    This bug leads to the following Smatch static checker warning:
    
            drivers/infiniband/sw/siw/siw_cq.c:96 siw_reap_cqe()
            error: buffer overflow 'map_cqe_status' 10 <= 21
    
    Fixes: bdf1da5df9da ("RDMA/siw: Fix immediate work request flush to completion queue")
    Link: https://lore.kernel.org/r/20221115170747.1263298-1-bmt@xxxxxxxxxxxxxx
    Reported-by: Dan Carpenter <error27@xxxxxxxxx>
    Signed-off-by: Bernard Metzler <bmt@xxxxxxxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/infiniband/sw/siw/siw_cq.c b/drivers/infiniband/sw/siw/siw_cq.c
index acc7bcd538b5..403029de6b92 100644
--- a/drivers/infiniband/sw/siw/siw_cq.c
+++ b/drivers/infiniband/sw/siw/siw_cq.c
@@ -88,9 +88,9 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc)
 
 			if (opcode >= SIW_NUM_OPCODES) {
 				opcode = 0;
-				status = IB_WC_GENERAL_ERR;
+				status = SIW_WC_GENERAL_ERR;
 			} else if (status >= SIW_NUM_WC_STATUS) {
-				status = IB_WC_GENERAL_ERR;
+				status = SIW_WC_GENERAL_ERR;
 			}
 			wc->opcode = map_wc_opcode[opcode];
 			wc->status = map_cqe_status[status].ib;
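Review bot: The two range checks ahead of `map_wc_opcode[opcode]` and `map_cqe_status[status].ib` only protect the lookups if SIW_NUM_OPCODES and SIW_NUM_WC_STATUS equal the element counts of those arrays, and nothing in this hunk enforces that. The fixed bug came from the same kind of silent mismatch: an IB_WC_* value was assigned to a variable that is then used as an SIW_WC_* index, which is how the Smatch report ended up with index 21 against a 10-entry table. Consider a build-time assertion next to the array definitions that ties each array's size to its SIW_NUM_* bound, and a short comment here stating that `status` and `opcode` stay in the siw namespace until after the table lookup. As a smaller point, `opcode = 0;` in the first branch would read better with the named siw opcode it is meant to fall back to, so the fallback stays valid if the enum is ever reordered.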


