Linux kernel development work - see feature branches https://git.zx2c4.com/linux-dev/atom/net/rds/message.c?h=linus%2Fmaster 2021-04-24T16:32:35Z 2021-04-24T16:32:35Z Linus Torvalds torvalds@linux-foundation.org 2021-04-24T16:32:35Z urn:sha1:799bac5512188522213e2d7eb78ca7094dfdf30c This reverts commit 0c85a7e87465f2d4cbc768e245f4f45b2f299b05. The games with 'rm' are on (two separate instances) of a local variable, and make no difference. Quoting Aditya Pakki: "I was the author of the patch and it was the cause of the giant UMN revert. The patch is garbage and I was unaware of the steps involved in retracting it. I *believed* the maintainers would pull it, given it was already under Greg's list. The patch does not introduce any bugs but is pointless and is stupid. I accept my incompetence and for not requesting a revert earlier." Link: https://lwn.net/Articles/854319/ Requested-by: Aditya Pakki <pakki001@umn.edu> Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com> Cc: David S. Miller <davem@davemloft.net> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2021-04-07T21:01:24Z Aditya Pakki pakki001@umn.edu 2021-04-07T00:09:12Z urn:sha1:0c85a7e87465f2d4cbc768e245f4f45b2f299b05 In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource is freed and later under spinlock, causing potential use-after-free. Set the free pointer to NULL to avoid undefined behavior. Signed-off-by: Aditya Pakki <pakki001@umn.edu> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2021-03-31T21:26:56Z Lv Yunlong lyl2019@mail.ustc.edu.cn 2021-03-31T01:59:59Z urn:sha1:bdc2ab5c61a5c07388f4820ff21e787b4dfd1ced In rds_message_map_pages, the rm is freed by rds_message_put(rm). But rm is still used by rm->data.op_sg in return value. My patch assigns ERR_CAST(rm->data.op_sg) to err before the rm is freed to avoid the uaf. Fixes: 7dba92037baf3 ("net/rds: Use ERR_PTR for rds_message_alloc_sgs()") Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> Reviewed-by: Håkon Bugge <haakon.bugge@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2020-04-15T19:33:29Z Jason Gunthorpe jgg@mellanox.com 2020-04-14T23:02:07Z urn:sha1:7dba92037baf3fa00b4880a31fd532542264994c Returning the error code via a 'int *ret' when the function returns a pointer is very un-kernely and causes gcc 10's static analysis to choke: net/rds/message.c: In function ‘rds_message_map_pages’: net/rds/message.c:358:10: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized] 358 | return ERR_PTR(ret); Use a typical ERR_PTR return instead. Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2020-04-09T17:22:00Z Ka-Cheong Poon ka-cheong.poon@oracle.com 2020-04-08T10:21:01Z urn:sha1:e228a5d05e9ee25878e9a40de96e7ceb579d4893 And removed rds_mr_put(). Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2019-01-07T15:22:36Z Jacob Wen jian.w.wen@oracle.com 2019-01-07T01:59:59Z urn:sha1:eeb2c4fb6a3d0ebed35fbc13a255f691c8b8d7e5 Yes indeed, DIV_ROUND_UP is in kernel.h. Signed-off-by: Jacob Wen <jian.w.wen@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-12-19T18:27:58Z shamir rabinovitch shamir.rabinovitch@oracle.com 2018-12-16T07:01:09Z urn:sha1:c75ab8a55ac1083c232e4407f52b0cadae6c1e0e per comment from Leon in rdma mailing list https://lkml.org/lkml/2018/10/31/312 : Please don't forget to remove user triggered WARN_ON. https://lwn.net/Articles/769365/ "Greg Kroah-Hartman raised the problem of core kernel API code that will use WARN_ON_ONCE() to complain about bad usage; that will not generate the desired result if WARN_ON_ONCE() is configured to crash the machine. He was told that the code should just call pr_warn() instead, and that the called function should return an error in such situations. It was generally agreed that any WARN_ON() or WARN_ON_ONCE() calls that can be triggered from user space need to be fixed." in addition harden rds_sendmsg to detect and overcome issues with invalid sg count and fail the sendmsg. Suggested-by: Leon Romanovsky <leon@kernel.org> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: shamir rabinovitch <shamir.rabinovitch@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-07-24T21:10:42Z Stephen Hemminger stephen@networkplumber.org 2018-07-24T19:29:03Z urn:sha1:1cb1d977b41ad9fbcbd57ba24b203d6cb2f79952 Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-03-12T15:12:38Z Colin Ian King colin.king@canonical.com 2018-03-11T16:27:56Z urn:sha1:bdf08fc5412045f7648a49791d98cd04f72c1c1f Variable sg_off is assigned a value but it is never read, hence it is redundant and can be removed. Cleans up clang warning: net/rds/message.c:373:2: warning: Value stored to 'sg_off' is never read Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-03-09T02:54:00Z kbuild test robot fengguang.wu@intel.com 2018-03-08T11:37:30Z urn:sha1:571e6776add4f499661e761e03e46ec0f6d66243 Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification") Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>