* [PATCH] RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg
@ 2026-06-11 17:15 Zhenhao Wan
2026-06-12 12:39 ` Haris Iqbal
2026-06-16 19:07 ` Jason Gunthorpe
0 siblings, 2 replies; 3+ messages in thread
From: Zhenhao Wan @ 2026-06-11 17:15 UTC (permalink / raw)
To: Md. Haris Iqbal, Jack Wang, Jason Gunthorpe, Leon Romanovsky,
Danil Kipnis
Cc: Jack Wang, linux-rdma, linux-kernel, Yuhao Jiang, stable,
Zhenhao Wan
When the server answers an RTRS READ, rdma_write_sg() builds the source
scatter/gather entry for the IB_WR_RDMA_WRITE that returns data to the
peer. Its length is taken directly from the wire descriptor:
plist->length = le32_to_cpu(id->rd_msg->desc[0].len);
rd_msg points into the chunk buffer that the remote peer filled via
RDMA-WRITE-WITH-IMM (rtrs_srv_rdma_done() -> process_io_req() ->
process_read()), so desc[0].len is attacker-controlled and, before this
change, was only rejected when zero. The source address is the fixed
chunk start (dma_addr[msg_id]) and the source lkey is the PD-wide
local_dma_lkey, which is not tied to the chunk's MR mapping, so the verbs
layer does not constrain the transfer length to max_chunk_size. msg_id
and off are bounded against queue_depth and max_chunk_size in
rtrs_srv_rdma_done(), but desc[0].len is a separate field that was not
checked against the chunk size.
A peer that advertises desc[0].len larger than max_chunk_size can make
the posted RDMA write read past the chunk's mapped region. The resulting
behaviour depends on the IOMMU configuration: with no IOMMU or in
passthrough mode the read may extend into memory adjacent to the chunk
and be returned to the peer, which can disclose host memory; with a
translating IOMMU the out-of-range access is expected to fault and abort
the connection. In either case the transfer exceeds what the protocol
permits and is driven by a remote peer.
Reject a descriptor length above max_chunk_size, mirroring the existing
off >= max_chunk_size bound in rtrs_srv_rdma_done(). Legitimate clients
do not exceed it: the client sets desc[0].len to its MR length, which is
capped at the negotiated max_io_size (max_chunk_size - MAX_HDR_SIZE).
Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Zhenhao Wan <whi4ed0g@gmail.com>
---
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
index 6482ad859bd1..f81e122a3ccb 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
@@ -225,8 +225,9 @@ static int rdma_write_sg(struct rtrs_srv_op *id)
/* WR will fail with length error
* if this is 0
*/
- if (plist->length == 0) {
- rtrs_err(s, "Invalid RDMA-Write sg list length 0\n");
+ if (plist->length == 0 || plist->length > max_chunk_size) {
+ rtrs_err(s, "Invalid RDMA-Write sg list length %u\n",
+ plist->length);
return -EINVAL;
}
---
base-commit: a48671671df5158a0b8e564cd509e04a090a941b
change-id: 20260612-master-7cbc156da1f8
Best regards,
--
Zhenhao Wan <whi4ed0g@gmail.com>
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg
2026-06-11 17:15 [PATCH] RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg Zhenhao Wan
@ 2026-06-12 12:39 ` Haris Iqbal
2026-06-16 19:07 ` Jason Gunthorpe
1 sibling, 0 replies; 3+ messages in thread
From: Haris Iqbal @ 2026-06-12 12:39 UTC (permalink / raw)
To: Zhenhao Wan
Cc: Jack Wang, Jason Gunthorpe, Leon Romanovsky, Danil Kipnis,
Jack Wang, linux-rdma, linux-kernel, Yuhao Jiang, stable
On Thu, Jun 11, 2026 at 7:18 PM Zhenhao Wan <whi4ed0g@gmail.com> wrote:
>
> When the server answers an RTRS READ, rdma_write_sg() builds the source
> scatter/gather entry for the IB_WR_RDMA_WRITE that returns data to the
> peer. Its length is taken directly from the wire descriptor:
>
> plist->length = le32_to_cpu(id->rd_msg->desc[0].len);
>
> rd_msg points into the chunk buffer that the remote peer filled via
> RDMA-WRITE-WITH-IMM (rtrs_srv_rdma_done() -> process_io_req() ->
> process_read()), so desc[0].len is attacker-controlled and, before this
> change, was only rejected when zero. The source address is the fixed
> chunk start (dma_addr[msg_id]) and the source lkey is the PD-wide
> local_dma_lkey, which is not tied to the chunk's MR mapping, so the verbs
> layer does not constrain the transfer length to max_chunk_size. msg_id
> and off are bounded against queue_depth and max_chunk_size in
> rtrs_srv_rdma_done(), but desc[0].len is a separate field that was not
> checked against the chunk size.
>
> A peer that advertises desc[0].len larger than max_chunk_size can make
> the posted RDMA write read past the chunk's mapped region. The resulting
> behaviour depends on the IOMMU configuration: with no IOMMU or in
> passthrough mode the read may extend into memory adjacent to the chunk
> and be returned to the peer, which can disclose host memory; with a
> translating IOMMU the out-of-range access is expected to fault and abort
> the connection. In either case the transfer exceeds what the protocol
> permits and is driven by a remote peer.
>
> Reject a descriptor length above max_chunk_size, mirroring the existing
> off >= max_chunk_size bound in rtrs_srv_rdma_done(). Legitimate clients
> do not exceed it: the client sets desc[0].len to its MR length, which is
> capped at the negotiated max_io_size (max_chunk_size - MAX_HDR_SIZE).
>
> Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Zhenhao Wan <whi4ed0g@gmail.com>
Looks good.
Reviewed and tested.
Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
> ---
> drivers/infiniband/ulp/rtrs/rtrs-srv.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
> index 6482ad859bd1..f81e122a3ccb 100644
> --- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
> +++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
> @@ -225,8 +225,9 @@ static int rdma_write_sg(struct rtrs_srv_op *id)
> /* WR will fail with length error
> * if this is 0
> */
> - if (plist->length == 0) {
> - rtrs_err(s, "Invalid RDMA-Write sg list length 0\n");
> + if (plist->length == 0 || plist->length > max_chunk_size) {
> + rtrs_err(s, "Invalid RDMA-Write sg list length %u\n",
> + plist->length);
> return -EINVAL;
> }
>
>
> ---
> base-commit: a48671671df5158a0b8e564cd509e04a090a941b
> change-id: 20260612-master-7cbc156da1f8
>
> Best regards,
> --
> Zhenhao Wan <whi4ed0g@gmail.com>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg
2026-06-11 17:15 [PATCH] RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg Zhenhao Wan
2026-06-12 12:39 ` Haris Iqbal
@ 2026-06-16 19:07 ` Jason Gunthorpe
1 sibling, 0 replies; 3+ messages in thread
From: Jason Gunthorpe @ 2026-06-16 19:07 UTC (permalink / raw)
To: Zhenhao Wan
Cc: Md. Haris Iqbal, Jack Wang, Leon Romanovsky, Danil Kipnis,
Jack Wang, linux-rdma, linux-kernel, Yuhao Jiang, stable
On Fri, Jun 12, 2026 at 01:15:54AM +0800, Zhenhao Wan wrote:
> When the server answers an RTRS READ, rdma_write_sg() builds the source
> scatter/gather entry for the IB_WR_RDMA_WRITE that returns data to the
> peer. Its length is taken directly from the wire descriptor:
>
> plist->length = le32_to_cpu(id->rd_msg->desc[0].len);
>
> rd_msg points into the chunk buffer that the remote peer filled via
> RDMA-WRITE-WITH-IMM (rtrs_srv_rdma_done() -> process_io_req() ->
> process_read()), so desc[0].len is attacker-controlled and, before this
> change, was only rejected when zero. The source address is the fixed
> chunk start (dma_addr[msg_id]) and the source lkey is the PD-wide
> local_dma_lkey, which is not tied to the chunk's MR mapping, so the verbs
> layer does not constrain the transfer length to max_chunk_size. msg_id
> and off are bounded against queue_depth and max_chunk_size in
> rtrs_srv_rdma_done(), but desc[0].len is a separate field that was not
> checked against the chunk size.
>
> A peer that advertises desc[0].len larger than max_chunk_size can make
> the posted RDMA write read past the chunk's mapped region. The resulting
> behaviour depends on the IOMMU configuration: with no IOMMU or in
> passthrough mode the read may extend into memory adjacent to the chunk
> and be returned to the peer, which can disclose host memory; with a
> translating IOMMU the out-of-range access is expected to fault and abort
> the connection. In either case the transfer exceeds what the protocol
> permits and is driven by a remote peer.
>
> Reject a descriptor length above max_chunk_size, mirroring the existing
> off >= max_chunk_size bound in rtrs_srv_rdma_done(). Legitimate clients
> do not exceed it: the client sets desc[0].len to its MR length, which is
> capped at the negotiated max_io_size (max_chunk_size - MAX_HDR_SIZE).
>
> Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Zhenhao Wan <whi4ed0g@gmail.com>
> Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
> ---
> drivers/infiniband/ulp/rtrs/rtrs-srv.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Jason
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-16 19:07 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-11 17:15 [PATCH] RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg Zhenhao Wan
2026-06-12 12:39 ` Haris Iqbal
2026-06-16 19:07 ` Jason Gunthorpe
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.