
Commit 773f6c5

svcrdma: Prevent a UAF in svc_rdma_send()
In some error flow cases, svc_rdma_wc_send() releases @ctxt. Copy the sc_cid field in @ctxt to a stack variable in order to guarantee that the value is available after the ib_post_send() call. In case the new comment looks a little strange, this will be done with at least one more field in a subsequent patch. Signed-off-by: Chuck Lever <[email protected]>
1 parent 5b9a858 commit 773f6c5


1 file changed

+8
-3
lines changed


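--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
@@ -316,12 +316,17 @@ static void svc_rdma_wc_send(struct ib_cq *cq, struct ib_wc *wc)
 * @rdma: transport on which to post the WR
 * @ctxt: send ctxt with a Send WR ready to post
 *
+* Copy fields in @ctxt to stack variables in order to guarantee
+* that these values remain available after the ib_post_send() call.
+* In some error flow cases, svc_rdma_wc_send() releases @ctxt.
+*
 * Returns zero if the Send WR was posted successfully. Otherwise, a
 * negative errno is returned.
 */
 int svc_rdma_send(struct svcxprt_rdma *rdma, struct svc_rdma_send_ctxt *ctxt)
 {
 struct ib_send_wr *wr = &ctxt->sc_send_wr;
+struct rpc_rdma_cid cid = ctxt->sc_cid;
 int ret;
 
 might_sleep();
@@ -337,12 +342,12 @@ int svc_rdma_send(struct svcxprt_rdma *rdma, struct svc_rdma_send_ctxt *ctxt)
 if ((atomic_dec_return(&rdma->sc_sq_avail) < 0)) {
 svc_rdma_wake_send_waiters(rdma, 1);
 percpu_counter_inc(&svcrdma_stat_sq_starve);
-trace_svcrdma_sq_full(rdma, &ctxt->sc_cid);
+trace_svcrdma_sq_full(rdma, &cid);
 wait_event(rdma->sc_send_wait,
 atomic_read(&rdma->sc_sq_avail) > 0);
 if (test_bit(XPT_CLOSE, &rdma->sc_xprt.xpt_flags))
 return -ENOTCONN;
-trace_svcrdma_sq_retry(rdma, &ctxt->sc_cid);
+trace_svcrdma_sq_retry(rdma, &cid);
 continue;
 }
 
@@ -353,7 +358,7 @@ int svc_rdma_send(struct svcxprt_rdma *rdma, struct svc_rdma_send_ctxt *ctxt)
 return 0;
 }
 
-trace_svcrdma_sq_post_err(rdma, &ctxt->sc_cid, ret);
+trace_svcrdma_sq_post_err(rdma, &cid, ret);
 svc_xprt_deferred_close(&rdma->sc_xprt);
 svc_rdma_wake_send_waiters(rdma, 1);
 return ret;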
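Review bot: The lifetime rule this fix depends on is stated only in the kernel-doc, while `wr` at the top of svc_rdma_send() still points into the context (`&ctxt->sc_send_wr`), so any later read through `wr` or `ctxt` after the post would bring the use-after-free back. The ib_post_send() call sits between the second and third hunks and is not visible here, so whether anything else dereferences `ctxt` after it should be checked against the full function. A short comment at the post site, for example `/* @ctxt and @wr may already be released once ib_post_send() is called; use only the stack copies below */`, would stop the next tracepoint or counter added to the error path from touching freed memory. Running the send error path under KASAN would confirm that no other post-send access remains.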
