From: Zhenhao Wan
Date: Fri, 12 Jun 2026 01:15:54 +0800
Subject: [PATCH] RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg
To: "Md. Haris Iqbal", Jack Wang, Jason Gunthorpe, Leon Romanovsky, Danil Kipnis
Cc: Jack Wang, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, Yuhao Jiang, stable@vger.kernel.org, Zhenhao Wan
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260612-master-v1-1-70cde5c6fdc9@gmail.com>
X-Mailer: b4 0.15.2

When the server answers an RTRS READ, rdma_write_sg() builds the source
scatter/gather entry for the IB_WR_RDMA_WRITE that returns data to the
peer. Its length is taken directly from the wire descriptor:

	plist->length = le32_to_cpu(id->rd_msg->desc[0].len);

rd_msg points into the chunk buffer that the remote peer filled via
RDMA-WRITE-WITH-IMM (rtrs_srv_rdma_done() -> process_io_req() ->
process_read()), so desc[0].len is attacker-controlled and, before this
change, was only rejected when zero. The source address is the fixed
chunk start (dma_addr[msg_id]) and the source lkey is the PD-wide
local_dma_lkey, which is not tied to the chunk's MR mapping, so the verbs
layer does not constrain the transfer length to max_chunk_size.
msg_id and off are bounded against queue_depth and max_chunk_size in
rtrs_srv_rdma_done(), but desc[0].len is a separate field that was not
checked against the chunk size. A peer that advertises desc[0].len larger
than max_chunk_size can make the posted RDMA write read past the chunk's
mapped region.

The resulting behaviour depends on the IOMMU configuration: with no IOMMU
or in passthrough mode the read may extend into memory adjacent to the
chunk and be returned to the peer, which can disclose host memory; with a
translating IOMMU the out-of-range access is expected to fault and abort
the connection. In either case the transfer exceeds what the protocol
permits and is driven by a remote peer.

Reject a descriptor length above max_chunk_size, mirroring the existing
off >= max_chunk_size bound in rtrs_srv_rdma_done(). Legitimate clients
do not exceed it: the client sets desc[0].len to its MR length, which is
capped at the negotiated max_io_size (max_chunk_size - MAX_HDR_SIZE).

Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
Reported-by: Yuhao Jiang
Cc: stable@vger.kernel.org
Signed-off-by: Zhenhao Wan
---
 drivers/infiniband/ulp/rtrs/rtrs-srv.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
index 6482ad859bd1..f81e122a3ccb 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
@@ -225,8 +225,9 @@ static int rdma_write_sg(struct rtrs_srv_op *id) /* WR will fail with length error * if this is 0 */ - if (plist->length == 0) { - rtrs_err(s, "Invalid RDMA-Write sg list length 0\n"); + if (plist->length == 0 || plist->length > max_chunk_size) { + rtrs_err(s, "Invalid RDMA-Write sg list length %u\n", + plist->length); return -EINVAL; }

---
base-commit: a48671671df5158a0b8e564cd509e04a090a941b
change-id: 20260612-master-7cbc156da1f8

Best regards,
-- 
Zhenhao Wan
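Review bot: the comment immediately above the changed condition still says "WR will fail with length error if this is 0", but the condition now also rejects lengths above max_chunk_size, so the comment no longer describes what is checked; please update it to say the length comes from the peer's descriptor and must lie in (0, max_chunk_size]. A second point for the same hunk: the commit message states that legitimate clients never send more than max_io_size (max_chunk_size - MAX_HDR_SIZE), so it would be worth a sentence in the message or the comment on why the looser max_chunk_size bound is preferred over max_io_size; with the bound as written a length of exactly max_chunk_size still stays inside the chunk mapping starting at dma_addr[msg_id], so the fix is sufficient either way, and logging the offending value with "%u" is a clear improvement over the fixed "0" in the old message.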
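To make the bug class in the commit message concrete, here is a stand-alone C model of the READ reply path, added as an illustration and not taken from the rtrs driver. It decodes a peer-written little-endian descriptor length, applies the immediate-data bounds the message attributes to rtrs_srv_rdma_done(), builds the source SGE the way rdma_write_sg() is described to, and computes how many bytes past the chunk's mapping the posted write would read under the old zero-only check versus the new chunk-size bound. QUEUE_DEPTH, MAX_CHUNK_SIZE, MAX_HDR_SIZE, the chunk DMA base, the lkey value and the struct layouts are all assumptions made up for the example.

```c
/*
 * Added example modelling the rtrs-srv READ reply length check. Not the
 * driver's code: every constant and struct below is an assumption chosen
 * to show where the peer-controlled length flows, nothing more.
 * Build: cc -std=c11 -Wall -o rtrs_len_check rtrs_len_check.c
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define QUEUE_DEPTH    512u      /* assumed: chunks per session */
#define MAX_CHUNK_SIZE 131072u   /* assumed: 128 KiB per chunk */
#define MAX_HDR_SIZE   512u      /* assumed: max_io_size = MAX_CHUNK_SIZE - MAX_HDR_SIZE */

/* Source SGE posted with the IB_WR_RDMA_WRITE that returns READ data. */
struct sge {
	uint64_t addr;
	uint32_t length;
	uint32_t lkey;
};

/* One sg descriptor as the peer wrote it into the chunk (little-endian, constructed). */
struct wire_desc {
	uint8_t addr[8];
	uint8_t key[4];
	uint8_t len[4];
};

static uint32_t le32_decode(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void le32_encode(uint8_t *p, uint32_t v)
{
	p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
	p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* The bounds the commit message says rtrs_srv_rdma_done() applies to the immediate data. */
static int check_imm(uint32_t msg_id, uint32_t off)
{
	if (msg_id >= QUEUE_DEPTH || off >= MAX_CHUNK_SIZE)
		return -EINVAL;
	return 0;
}

enum len_check { LEN_CHECK_ZERO_ONLY, LEN_CHECK_ZERO_AND_CHUNK };

/* Model of rdma_write_sg(): descriptor -> source SGE, with the old or the new check. */
static int build_rdma_write_sge(enum len_check mode, uint64_t chunk_dma_addr,
				uint32_t pd_lkey, const struct wire_desc *d,
				struct sge *out)
{
	uint32_t len = le32_decode(d->len);   /* peer-controlled field */

	if (len == 0)
		return -EINVAL;
	if (mode == LEN_CHECK_ZERO_AND_CHUNK && len > MAX_CHUNK_SIZE)
		return -EINVAL;

	out->addr = chunk_dma_addr;   /* fixed chunk start, dma_addr[msg_id] */
	out->length = len;
	out->lkey = pd_lkey;          /* PD-wide lkey: the HCA will not clip this to one chunk */
	return 0;
}

/* Bytes the HCA would read beyond the chunk's mapped region for this SGE. */
static uint64_t sge_overrun(const struct sge *s, uint64_t chunk_dma_addr)
{
	uint64_t chunk_end = chunk_dma_addr + MAX_CHUNK_SIZE;
	uint64_t sge_end = s->addr + s->length;

	return sge_end > chunk_end ? sge_end - chunk_end : 0;
}

/* Drive one READ through the chosen check; rc on rejection, else 0 with the overrun stored. */
static int simulate_read(enum len_check mode, uint32_t msg_id, uint32_t off,
			 uint32_t desc_len, uint64_t *overrun)
{
	const uint64_t chunk_base = 0x100000000ull;   /* assumed DMA address of chunk 0 */
	uint64_t chunk = chunk_base + (uint64_t)msg_id * MAX_CHUNK_SIZE;
	struct wire_desc d = { {0}, {0}, {0} };
	struct sge s;
	int rc;

	*overrun = 0;
	rc = check_imm(msg_id, off);
	if (rc)
		return rc;
	le32_encode(d.len, desc_len);
	rc = build_rdma_write_sge(mode, chunk, 0x1234, &d, &s);
	if (rc)
		return rc;
	*overrun = sge_overrun(&s, chunk);
	return 0;
}

/* Convenience for callers: negative rc if rejected, otherwise the overrun in bytes. */
static int64_t overrun_or_rc(enum len_check mode, uint32_t desc_len)
{
	uint64_t ov;
	int rc = simulate_read(mode, 3, 64, desc_len, &ov);

	return rc ? rc : (int64_t)ov;
}

int main(void)
{
	const uint32_t lens[] = { 0, MAX_CHUNK_SIZE - MAX_HDR_SIZE, MAX_CHUNK_SIZE,
				  MAX_CHUNK_SIZE + 4096, UINT32_MAX };

	for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
		printf("desc.len=%10u  before: %lld  after: %lld  (negative = -EINVAL, else overrun bytes)\n",
		       lens[i], (long long)overrun_or_rc(LEN_CHECK_ZERO_ONLY, lens[i]),
		       (long long)overrun_or_rc(LEN_CHECK_ZERO_AND_CHUNK, lens[i]));
	return 0;
}
```

The table the program prints makes the commit message's point visible: with only the zero check, a descriptor length of MAX_CHUNK_SIZE + 4096 yields an SGE that reads 4096 bytes beyond the chunk, and UINT32_MAX reads roughly 4 GiB beyond it, while the chunk-size bound rejects both and still accepts the largest length a legitimate client sends.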