[v2,06/12] svcrdma: Prevent a UAF in svc_rdma_send()

Message ID	170708862961.28128.4635466330893173032.stgit@bazille.1015granger.net (mailing list archive)
State	New
Headers	show Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 46C19D26B; Sun, 4 Feb 2024 23:17:10 +0000 (UTC) Subject: [PATCH v2 06/12] svcrdma: Prevent a UAF in svc_rdma_send() From: Chuck Lever <cel@kernel.org> To: linux-nfs@vger.kernel.org, linux-rdma@vger.kernel.org Date: Sun, 04 Feb 2024 18:17:09 -0500 Message-ID: <170708862961.28128.4635466330893173032.stgit@bazille.1015granger.net> In-Reply-To: <170708844422.28128.2979813721958631192.stgit@bazille.1015granger.net> References: <170708844422.28128.2979813721958631192.stgit@bazille.1015granger.net> User-Agent: StGit/1.5 Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit
Series	NFSD RDMA transport improvements \| expand [v2,00/12] NFSD RDMA transport improvements [v2,01/12] svcrdma: Reserve an extra WQE for ib_drain_rq() [v2,02/12] svcrdma: Report CQ depths in debugging output [v2,03/12] svcrdma: Update max_send_sges after QP is created [v2,04/12] svcrdma: Increase the per-transport rw_ctx count [v2,05/12] svcrdma: Fix SQ wake-ups [v2,06/12] svcrdma: Prevent a UAF in svc_rdma_send() [v2,07/12] svcrdma: Fix retry loop in svc_rdma_send() [v2,08/12] svcrdma: Post Send WR chain [v2,09/12] svcrdma: Move write_info for Reply chunks into struct svc_rdma_send_ctxt [v2,10/12] svcrdma: Post the Reply chunk and Send WR together [v2,11/12] svcrdma: Post WRs for Write chunks in svc_rdma_sendto() [v2,12/12] svcrdma: Add Write chunk WRs to the RPC's Send WR chain

Message ID

170708862961.28128.4635466330893173032.stgit@bazille.1015granger.net (mailing list archive)

State

New

Headers

Subject: [PATCH v2 06/12] svcrdma: Prevent a UAF in svc_rdma_send()
From: Chuck Lever <cel@kernel.org>
To: linux-nfs@vger.kernel.org, linux-rdma@vger.kernel.org
Date: Sun, 04 Feb 2024 18:17:09 -0500
Message-ID: 
 <170708862961.28128.4635466330893173032.stgit@bazille.1015granger.net>
In-Reply-To: 
 <170708844422.28128.2979813721958631192.stgit@bazille.1015granger.net>
References: 
 <170708844422.28128.2979813721958631192.stgit@bazille.1015granger.net>
User-Agent: StGit/1.5
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Series

NFSD RDMA transport improvements | expand

Commit Message

Chuck Lever Feb. 4, 2024, 11:17 p.m. UTC

From: Chuck Lever <chuck.lever@oracle.com>

In some error flow cases, svc_rdma_wc_send() releases @ctxt. Copy
the sc_cid field in @ctxt to a stack variable in order to guarantee
that the value is available after the ib_post_send() call.

In case the new comment looks a little strange, this will be done
with at least one more field in a subsequent patch.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 net/sunrpc/xprtrdma/svc_rdma_sendto.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/sunrpc/xprtrdma/svc_rdma_sendto.c b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
index f1f5c7b58fce..b6fc9299b472 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
@@ -316,12 +316,17 @@  static void svc_rdma_wc_send(struct ib_cq *cq, struct ib_wc *wc)
  * @rdma: transport on which to post the WR
  * @ctxt: send ctxt with a Send WR ready to post
  *
+ * Copy fields in @ctxt to stack variables in order to guarantee
+ * that these values remain available after the ib_post_send() call.
+ * In some error flow cases, svc_rdma_wc_send() releases @ctxt.
+ *
  * Returns zero if the Send WR was posted successfully. Otherwise, a
  * negative errno is returned.
  */
 int svc_rdma_send(struct svcxprt_rdma *rdma, struct svc_rdma_send_ctxt *ctxt)
 {
 	struct ib_send_wr *wr = &ctxt->sc_send_wr;
+	struct rpc_rdma_cid cid = ctxt->sc_cid;
 	int ret;
 
 	might_sleep();
@@ -337,12 +342,12 @@  int svc_rdma_send(struct svcxprt_rdma *rdma, struct svc_rdma_send_ctxt *ctxt)
 		if ((atomic_dec_return(&rdma->sc_sq_avail) < 0)) {
 			svc_rdma_wake_send_waiters(rdma, 1);
 			percpu_counter_inc(&svcrdma_stat_sq_starve);
-			trace_svcrdma_sq_full(rdma, &ctxt->sc_cid);
+			trace_svcrdma_sq_full(rdma, &cid);
 			wait_event(rdma->sc_send_wait,
 				   atomic_read(&rdma->sc_sq_avail) > 0);
 			if (test_bit(XPT_CLOSE, &rdma->sc_xprt.xpt_flags))
 				return -ENOTCONN;
-			trace_svcrdma_sq_retry(rdma, &ctxt->sc_cid);
+			trace_svcrdma_sq_retry(rdma, &cid);
 			continue;
 		}
 
@@ -353,7 +358,7 @@  int svc_rdma_send(struct svcxprt_rdma *rdma, struct svc_rdma_send_ctxt *ctxt)
 		return 0;
 	}
 
-	trace_svcrdma_sq_post_err(rdma, &ctxt->sc_cid, ret);
+	trace_svcrdma_sq_post_err(rdma, &cid, ret);
 	svc_xprt_deferred_close(&rdma->sc_xprt);
 	svc_rdma_wake_send_waiters(rdma, 1);
 	return ret;

[v2,06/12] svcrdma: Prevent a UAF in svc_rdma_send()

Commit Message

Patch