* [PATCH net] dibs: loopback: validate offset and size in move_data()
@ 2026-07-07 7:43 Dust Li
2026-07-07 14:31 ` Dust Li
0 siblings, 1 reply; 3+ messages in thread
From: Dust Li @ 2026-07-07 7:43 UTC (permalink / raw)
To: Alexandra Winter
Cc: Wenjia Zhang, Wen Gu, Paolo Abeni, Mahanta Jambigi, D . Wythe,
Sidraya Jayagond, netdev, linux-kernel, stable,
Federico Kirschbaum
The loopback move_data() performs a memcpy into the registered DMB
without checking whether offset + size exceeds the DMB length. Unlike
real ISM hardware, which enforces memory region bounds natively, the
software loopback has no such protection.
A peer-supplied out-of-bounds offset or oversized write would result in
an OOB write past the allocated kernel buffer. Add an explicit bounds
check before the memcpy to reject such requests with -EINVAL.
Fixes: f7a22071dbf3("net/smc: implement DMB-related operations of loopback-ism")
Cc: stable@vger.kernel.org
Reported-by: Federico Kirschbaum <federico.kirschbaum@xbow.com>
Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
---
drivers/dibs/dibs_loopback.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/dibs/dibs_loopback.c b/drivers/dibs/dibs_loopback.c
index ec3b48cb0e87..0f2e09311152 100644
--- a/drivers/dibs/dibs_loopback.c
+++ b/drivers/dibs/dibs_loopback.c
@@ -254,6 +254,11 @@ static int dibs_lo_move_data(struct dibs_dev *dibs, u64 dmb_tok,
read_unlock_bh(&ldev->dmb_ht_lock);
return -EINVAL;
}
+ if ((u64)offset + size > rmb_node->len) {
+ read_unlock_bh(&ldev->dmb_ht_lock);
+ return -EINVAL;
+ }
+
memcpy((char *)rmb_node->cpu_addr + offset, data, size);
sba_idx = rmb_node->sba_idx;
read_unlock_bh(&ldev->dmb_ht_lock);
--
2.43.7
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH net] dibs: loopback: validate offset and size in move_data()
2026-07-07 7:43 [PATCH net] dibs: loopback: validate offset and size in move_data() Dust Li
@ 2026-07-07 14:31 ` Dust Li
2026-07-07 18:31 ` Andrew Lunn
0 siblings, 1 reply; 3+ messages in thread
From: Dust Li @ 2026-07-07 14:31 UTC (permalink / raw)
To: Alexandra Winter
Cc: Wenjia Zhang, Wen Gu, Paolo Abeni, Mahanta Jambigi, D . Wythe,
Sidraya Jayagond, netdev, linux-kernel, stable,
Federico Kirschbaum
On 2026-07-07 15:43:18, Dust Li wrote:
>The loopback move_data() performs a memcpy into the registered DMB
>without checking whether offset + size exceeds the DMB length. Unlike
>real ISM hardware, which enforces memory region bounds natively, the
>software loopback has no such protection.
>
>A peer-supplied out-of-bounds offset or oversized write would result in
>an OOB write past the allocated kernel buffer. Add an explicit bounds
>check before the memcpy to reject such requests with -EINVAL.
>
>Fixes: f7a22071dbf3("net/smc: implement DMB-related operations of loopback-ism")
>Cc: stable@vger.kernel.org
>Reported-by: Federico Kirschbaum <federico.kirschbaum@xbow.com>
Reported-by: Baul Lee <baul.lee@xbow.com>
Best regards,
Dust
>Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
>---
> drivers/dibs/dibs_loopback.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
>diff --git a/drivers/dibs/dibs_loopback.c b/drivers/dibs/dibs_loopback.c
>index ec3b48cb0e87..0f2e09311152 100644
>--- a/drivers/dibs/dibs_loopback.c
>+++ b/drivers/dibs/dibs_loopback.c
>@@ -254,6 +254,11 @@ static int dibs_lo_move_data(struct dibs_dev *dibs, u64 dmb_tok,
> read_unlock_bh(&ldev->dmb_ht_lock);
> return -EINVAL;
> }
>+ if ((u64)offset + size > rmb_node->len) {
>+ read_unlock_bh(&ldev->dmb_ht_lock);
>+ return -EINVAL;
>+ }
>+
> memcpy((char *)rmb_node->cpu_addr + offset, data, size);
> sba_idx = rmb_node->sba_idx;
> read_unlock_bh(&ldev->dmb_ht_lock);
>--
>2.43.7
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH net] dibs: loopback: validate offset and size in move_data()
2026-07-07 14:31 ` Dust Li
@ 2026-07-07 18:31 ` Andrew Lunn
0 siblings, 0 replies; 3+ messages in thread
From: Andrew Lunn @ 2026-07-07 18:31 UTC (permalink / raw)
To: Dust Li
Cc: Alexandra Winter, Wenjia Zhang, Wen Gu, Paolo Abeni,
Mahanta Jambigi, D . Wythe, Sidraya Jayagond, netdev,
linux-kernel, stable, Federico Kirschbaum
On Tue, Jul 07, 2026 at 10:31:00PM +0800, Dust Li wrote:
> On 2026-07-07 15:43:18, Dust Li wrote:
> >The loopback move_data() performs a memcpy into the registered DMB
> >without checking whether offset + size exceeds the DMB length. Unlike
> >real ISM hardware, which enforces memory region bounds natively, the
> >software loopback has no such protection.
> >
> >A peer-supplied out-of-bounds offset or oversized write would result in
> >an OOB write past the allocated kernel buffer. Add an explicit bounds
> >check before the memcpy to reject such requests with -EINVAL.
> >
> >Fixes: f7a22071dbf3("net/smc: implement DMB-related operations of loopback-ism")
> >Cc: stable@vger.kernel.org
> >Reported-by: Federico Kirschbaum <federico.kirschbaum@xbow.com>
>
> Reported-by: Baul Lee <baul.lee@xbow.com>
Could you provide a link to the report?
Thanks
Andrew
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-07 18:31 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-07 7:43 [PATCH net] dibs: loopback: validate offset and size in move_data() Dust Li
2026-07-07 14:31 ` Dust Li
2026-07-07 18:31 ` Andrew Lunn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox