From: Michael Bommarito <michael.bommarito@gmail.com>
To: Bernard Metzler <bernard.metzler@linux.dev>,
	Jason Gunthorpe <jgg@ziepe.ca>, Leon Romanovsky <leon@kernel.org>,
	linux-rdma@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH 0/2] RDMA/siw: fix MPA FPDU length underflow + add KUnit coverage
Date: Wed, 13 May 2026 13:53:23 -0400
Message-ID: <20260513175325.2042630-1-michael.bommarito@gmail.com>

[1/2] fixes a peer-controlled signed-int underflow in the Soft-iWARP
receive path: c_hdr->mpa_len (16-bit, on-wire, peer-chosen) is never
compared against iwarp_pktinfo[opcode].hdr_len, so a malformed FPDU
makes siw_tcp_rx_data() derive a negative srx->fpdu_part_rem that
flows through siw_proc_write() / siw_proc_rresp() into siw_check_mem()
(which accepts a negative interval against a valid base) and on into
skb_copy_bits() as a signed int copy length.  Under KASAN this fires
as a multi-gigabyte OOB read in the header-copy branch.  Full root
cause and the KASAN call trace are in [1/2]'s commit message.

[2/2] adds the KUnit regression harness used to validate [1/2].  It
is split into its own patch because the test brings new Kconfig
plumbing and a new file in drivers/infiniband/sw/siw/, and so that
maintainers can take [1/2] on its own if they want to defer the test
or treat it differently for stable backport.  The fix in [1/2] is
tagged for stable; [2/2] is not.

The harness has three cases.  Two use a constructed sk_buff: one
asserts the new check rejects an underflowed mpa_len; one is a
regression control with the minimum-valid mpa_len (zero-length
WRITE).  The third opens a loopback AF_INET socketpair via
sock_create_kern() and drives the malformed FPDU through the real
kernel TCP receive path (sk_data_ready in softirq -> tcp_read_sock
-> siw_tcp_rx_data), so the same chain a remote peer would exercise
is covered.

Tested:
  - UML + KASAN (inline) defconfig + KUNIT + RDMA_SIW: all three
    KUnit cases pass with the series applied; the stock tree splats
    in skb_copy_bits with "Read of size 4294967295".
  - x86_64 modular W=1 build clean on drivers/infiniband/sw/siw/.
  - checkpatch.pl --strict clean on both patches (one false-positive
    MAINTAINERS warning on [2/2] because the existing siw entry
    covers drivers/infiniband/sw/siw/ as a directory).
  - git am of the series to a fresh base produces a diff identical
    to the validation worktree.

Bug exists since commit 8b6a361b8c48 ("rdma/siw: receive path") in
2019 (5.3-rc1), so all LTS branches with siw are affected; [1/2]
carries Cc: stable.

Michael Bommarito (2):
  RDMA/siw: reject MPA FPDU length underflow before signed receive math
  RDMA/siw: add KUnit tests for MPA receive parsing

 drivers/infiniband/sw/siw/Kconfig            |  18 +
 drivers/infiniband/sw/siw/Makefile           |   2 +
 drivers/infiniband/sw/siw/siw_mpa_rx_kunit.c | 349 +++++++++++++++++++
 drivers/infiniband/sw/siw/siw_qp_rx.c        |  15 +
 4 files changed, 384 insertions(+)
 create mode 100644 drivers/infiniband/sw/siw/siw_mpa_rx_kunit.c

-- 
2.53.0


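The length arithmetic the cover letter describes, as an added stand-alone illustration that is not code from this series or from the siw driver. It models the two shapes side by side: a peer-chosen 16-bit length subtracted from a fixed per-opcode header length in signed int with no range check, and the same derivation with the on-wire length bounds-checked first. The frame layout, DEMO_HDR_LEN, the status enum and every demo_* name are constructed for the example; in the kernel the header length comes from iwarp_pktinfo[opcode].hdr_len and the check belongs in the siw_tcp_rx_data() path. The two cases driven from main() mirror the two sk_buff-based KUnit cases described above (an underflowed length and the minimum-valid zero-length WRITE).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model, not siw code.  DEMO_HDR_LEN stands in for
 * iwarp_pktinfo[opcode].hdr_len; the frame is just a big-endian 16-bit
 * length followed by zeroed header bytes.
 */
#define DEMO_HDR_LEN 16u

enum demo_rx_status {
	DEMO_RX_OK = 0,        /* remaining payload length is valid (>= 0) */
	DEMO_RX_SHORT = 1,     /* buffer cannot even hold the length field */
	DEMO_RX_UNDERFLOW = 2  /* mpa_len smaller than the header it must cover */
};

/* Read the big-endian 16-bit MPA length at the start of the frame. */
static uint16_t demo_read_mpa_len(const uint8_t *frame)
{
	return (uint16_t)((frame[0] << 8) | frame[1]);
}

/*
 * Pre-fix shape: peer length minus header length, computed in int with
 * no range check.  An mpa_len below hdr_len yields a negative remainder.
 */
static int demo_unchecked_rem(uint16_t mpa_len, unsigned int hdr_len)
{
	return (int)mpa_len - (int)hdr_len;
}

/*
 * What a downstream copy sees when that signed remainder is consumed as
 * a length: reinterpreted as unsigned, -1 is 4294967295, the "Read of
 * size" value in the KASAN splat quoted in the cover letter.
 */
static unsigned int demo_as_copy_len(int rem)
{
	return (unsigned int)rem;
}

/*
 * Post-fix shape: reject an on-wire length that cannot cover the opcode's
 * header before any signed arithmetic.  On success *rem is the
 * non-negative payload remainder; on failure *rem is left untouched.
 */
static enum demo_rx_status demo_checked_rx(const uint8_t *frame, size_t frame_len,
					   unsigned int hdr_len, int *rem)
{
	uint16_t mpa_len;

	if (frame_len < 2)
		return DEMO_RX_SHORT;

	mpa_len = demo_read_mpa_len(frame);
	if (mpa_len < hdr_len)
		return DEMO_RX_UNDERFLOW;	/* never reach the subtraction */

	*rem = (int)(mpa_len - hdr_len);	/* unsigned, cannot go negative */
	return DEMO_RX_OK;
}

/* Build a constructed frame carrying the given length field; header bytes are zero. */
static void demo_build_frame(uint8_t *frame, size_t frame_len, uint16_t mpa_len)
{
	memset(frame, 0, frame_len);
	frame[0] = (uint8_t)(mpa_len >> 8);
	frame[1] = (uint8_t)(mpa_len & 0xff);
}

int main(void)
{
	uint8_t frame[DEMO_HDR_LEN + 2];
	enum demo_rx_status st;
	int rem = 0;

	/* Case 1: malformed, length one byte short of the header. */
	demo_build_frame(frame, sizeof(frame), DEMO_HDR_LEN - 1);
	rem = demo_unchecked_rem(demo_read_mpa_len(frame), DEMO_HDR_LEN);
	printf("unchecked: rem=%d -> copy length %u\n", rem, demo_as_copy_len(rem));
	st = demo_checked_rx(frame, sizeof(frame), DEMO_HDR_LEN, &rem);
	printf("checked:   status=%d (2 = underflow rejected)\n", st);

	/* Case 2: minimum-valid, zero-length payload (regression control). */
	demo_build_frame(frame, sizeof(frame), DEMO_HDR_LEN);
	st = demo_checked_rx(frame, sizeof(frame), DEMO_HDR_LEN, &rem);
	printf("minimum-valid: status=%d rem=%d\n", st, rem);
	return 0;
}
```

The point of comparing the two derivations is that the checked path compares two unsigned quantities and subtracts only once the result is known to be non-negative, so no signed intermediate ever reaches a copy length.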
Thread overview: 6+ messages
2026-05-13 17:53 Michael Bommarito [this message]
2026-05-13 17:53 ` [PATCH 1/2] RDMA/siw: reject MPA FPDU length underflow before signed receive math Michael Bommarito
2026-05-14 17:10   ` Bernard Metzler
2026-05-14 21:24   ` Jason Gunthorpe
2026-05-13 17:53 ` [PATCH 2/2] RDMA/siw: add KUnit tests for MPA receive parsing Michael Bommarito
2026-05-15 10:39   ` Bernard Metzler