Patch "IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors" has been added to the 5.10-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ca3cf4ea5ab2608e6153ac6e6734cc2e88d389b5
Author: Patrick Kelsey <pat.kelsey@xxxxxxxxxxxxxxxxxxxx>
Date:   Thu Feb 16 11:56:28 2023 -0500

    IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors
    
    [ Upstream commit fd8958efe8779d3db19c9124fce593ce681ac709 ]
    
    Fix three sources of error involving struct sdma_txreq.num_descs.
    
    When _extend_sdma_tx_descs() extends the descriptor array, it uses the
    value of tx->num_descs to determine how many existing entries from the
    tx's original, internal descriptor array to copy to the newly allocated
    one.  As this value was incremented before the call, the copy loop will
    access one entry past the internal descriptor array, copying its contents
    into the corresponding slot in the new array.
    
    If the call to _extend_sdma_tx_descs() fails, _pad_smda_tx_descs() then
    invokes __sdma_tx_clean() which uses the value of tx->num_desc to drive a
    loop that unmaps all descriptor entries in use.  As this value was
    incremented before the call, the unmap loop will invoke sdma_unmap_desc()
    on a descriptor entry whose contents consist of whatever random data was
    copied into it during (1), leading to cascading further calls into the
    kernel and driver using arbitrary data.
    
    _sdma_close_tx() was using tx->num_descs instead of tx->num_descs - 1.
    
    Fix all of the above by:
    - Only increment .num_descs after .descp is extended.
    - Use .num_descs - 1 instead of .num_descs for last .descp entry.
    
    Fixes: f4d26d81ad7f ("staging/rdma/hfi1: Add coalescing support for SDMA TX descriptors")
    Link: https://lore.kernel.org/r/167656658879.2223096.10026561343022570690.stgit@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Brendan Cunningham <bcunningham@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Patrick Kelsey <pat.kelsey@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Dennis Dalessandro <dennis.dalessandro@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Stable-dep-of: c9358de193ec ("IB/hfi1: Fix wrong mmu_node used for user SDMA packet after invalidate")
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c
index 061562627dae4..728bf122ee0a7 100644
--- a/drivers/infiniband/hw/hfi1/sdma.c
+++ b/drivers/infiniband/hw/hfi1/sdma.c
@@ -3187,8 +3187,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx)
 {
 	int rval = 0;
 
-	tx->num_desc++;
-	if ((unlikely(tx->num_desc == tx->desc_limit))) {
+	if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) {
 		rval = _extend_sdma_tx_descs(dd, tx);
 		if (rval) {
 			__sdma_txclean(dd, tx);
@@ -3203,6 +3202,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx)
 		NULL,
 		dd->sdma_pad_phys,
 		sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1)));
+	tx->num_desc++;
 	_sdma_close_tx(dd, tx);
 	return rval;
 }
diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h
index 7d4f316ac6e43..5a372ca1f6acf 100644
--- a/drivers/infiniband/hw/hfi1/sdma.h
+++ b/drivers/infiniband/hw/hfi1/sdma.h
@@ -674,14 +674,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx)
 static inline void _sdma_close_tx(struct hfi1_devdata *dd,
 				  struct sdma_txreq *tx)
 {
-	tx->descp[tx->num_desc].qw[0] |=
-		SDMA_DESC0_LAST_DESC_FLAG;
-	tx->descp[tx->num_desc].qw[1] |=
-		dd->default_desc1;
+	u16 last_desc = tx->num_desc - 1;
+
+	tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG;
+	tx->descp[last_desc].qw[1] |= dd->default_desc1;
 	if (tx->flags & SDMA_TXREQ_F_URGENT)
-		tx->descp[tx->num_desc].qw[1] |=
-			(SDMA_DESC1_HEAD_TO_HOST_FLAG |
-			 SDMA_DESC1_INT_REQ_FLAG);
+		tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG |
+					       SDMA_DESC1_INT_REQ_FLAG);
 }
 
 static inline int _sdma_txadd_daddr(
@@ -700,6 +699,7 @@ static inline int _sdma_txadd_daddr(
 		pinning_ctx,
 		addr, len);
 	WARN_ON(len > tx->tlen);
+	tx->num_desc++;
 	tx->tlen -= len;
 	/* special cases for last */
 	if (!tx->tlen) {
@@ -711,7 +711,6 @@ static inline int _sdma_txadd_daddr(
 			_sdma_close_tx(dd, tx);
 		}
 	}
-	tx->num_desc++;
 	return rval;
 }
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux