From: Michael Bommarito
To: Bernard Metzler, Jason Gunthorpe, Leon Romanovsky, linux-rdma@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH 0/2] RDMA/siw: fix MPA FPDU length underflow + add KUnit coverage
Date: Wed, 13 May 2026 13:53:23 -0400
Message-ID: <20260513175325.2042630-1-michael.bommarito@gmail.com>

[1/2] fixes a peer-controlled signed-int underflow in the Soft-iWARP
receive path: c_hdr->mpa_len (16-bit, on-wire, peer-chosen) is never
compared against iwarp_pktinfo[opcode].hdr_len, so a malformed FPDU
makes siw_tcp_rx_data() derive a negative srx->fpdu_part_rem that flows
through siw_proc_write() / siw_proc_rresp() into siw_check_mem() (which
accepts a negative interval against a valid base) and on into
skb_copy_bits() as a signed int copy length. Under KASAN this fires as
a multi-gigabyte OOB read in the header-copy branch. Full root cause
and the KASAN call trace are in [1/2]'s commit message.

[2/2] adds the KUnit regression harness used to validate [1/2]. It is
split into its own patch because the test brings new Kconfig plumbing
and a new file in drivers/infiniband/sw/siw/, and so that maintainers
can take [1/2] on its own if they want to defer the test or treat it
differently for stable backport. The fix in [1/2] is tagged for stable;
[2/2] is not.

The harness has three cases. Two use a constructed sk_buff: one asserts
the new check rejects an underflowed mpa_len; one is a regression
control with the minimum-valid mpa_len (zero-length WRITE). The third
opens a loopback AF_INET socketpair via sock_create_kern() and drives
the malformed FPDU through the real kernel TCP receive path
(sk_data_ready in softirq -> tcp_read_sock -> siw_tcp_rx_data), so the
same chain a remote peer would exercise is covered.

Tested:

- UML + KASAN (inline) defconfig + KUNIT + RDMA_SIW: all three KUnit
  cases pass with the series applied; the stock tree splats in
  skb_copy_bits with "Read of size 4294967295".
- x86_64 modular W=1 build clean on drivers/infiniband/sw/siw/.
- checkpatch.pl --strict clean on both patches (one false-positive
  MAINTAINERS warning on [2/2] because the existing siw entry covers
  drivers/infiniband/sw/siw/ as a directory).
- git am of the series to a fresh base produces a diff identical to the
  validation worktree.

Bug exists since commit 8b6a361b8c48 ("rdma/siw: receive path") in 2019
(5.3-rc1), so all LTS branches with siw are affected; [1/2] carries
Cc: stable.

Michael Bommarito (2):
  RDMA/siw: reject MPA FPDU length underflow before signed receive math
  RDMA/siw: add KUnit tests for MPA receive parsing

 drivers/infiniband/sw/siw/Kconfig            |  18 +
 drivers/infiniband/sw/siw/Makefile           |   2 +
 drivers/infiniband/sw/siw/siw_mpa_rx_kunit.c | 349 +++++++++++++++++++
 drivers/infiniband/sw/siw/siw_qp_rx.c        |  15 +
 4 files changed, 384 insertions(+)
 create mode 100644 drivers/infiniband/sw/siw/siw_mpa_rx_kunit.c

-- 
2.53.0
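
The length arithmetic described in the cover letter, as an added user-space example that is not part of the original message or of the siw driver: it models the remainder as mpa_len plus the 2-byte MPA length field minus the header length, and shows the same value with and without a lower-bound check. The function names, `EXAMPLE_HDR_LEN` and the wire bytes are constructed for illustration; the check is one plausible form, not the text of [1/2].

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 5044: the 2-byte MPA length field does not count itself. */
#define MPA_LEN_FIELD_SIZE 2
/* Constructed header size for one opcode, length field included.
 * Hypothetical value, not read from iwarp_pktinfo[]. */
#define EXAMPLE_HDR_LEN 16

/* Decode the big-endian, peer-chosen 16-bit length from the wire. */
static uint16_t wire_mpa_len(const uint8_t *fpdu)
{
    return (uint16_t)((fpdu[0] << 8) | fpdu[1]);
}

/* Unchecked model: bytes left after the header, kept as a signed int. */
static int payload_rem_unchecked(uint16_t mpa_len, int hdr_len)
{
    return (int)mpa_len + MPA_LEN_FIELD_SIZE - hdr_len;
}

/* Checked model: refuse a length that cannot cover the parsed header. */
static bool payload_rem_checked(uint16_t mpa_len, int hdr_len, int *rem)
{
    if ((int)mpa_len + MPA_LEN_FIELD_SIZE < hdr_len)
        return false;               /* malformed FPDU, *rem untouched */
    *rem = (int)mpa_len + MPA_LEN_FIELD_SIZE - hdr_len;
    return true;
}

/* What a copy routine sees once a negative length becomes unsigned. */
static uint32_t as_copy_size(int rem)
{
    return (uint32_t)rem;
}

int main(void)
{
    /* Constructed wire bytes: mpa_len = 13, one below the minimum of 14. */
    const uint8_t bad[2] = { 0x00, 0x0d };
    int rem = payload_rem_unchecked(wire_mpa_len(bad), EXAMPLE_HDR_LEN);
    int ok_rem = 0;

    printf("unchecked rem=%d copy size=%u\n", rem, (unsigned)as_copy_size(rem));
    printf("checked accepts it: %d\n",
           payload_rem_checked(wire_mpa_len(bad), EXAMPLE_HDR_LEN, &ok_rem));
    return 0;
}
```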