diff options
| author | Tristan Madani <tristmd@gmail.com> | 2026-05-18 21:50:40 +0000 |
|---|---|---|
| committer | Jason Gunthorpe <jgg@nvidia.com> | 2026-05-29 20:33:59 -0300 |
| commit | d6ab440240a04b8737ee4c7bb21af9182e451733 (patch) | |
| tree | a84d5740e3d9e19d29770f5516eb00e42790238d /include/linux/xarray.h | |
| parent | 22b8fbded65b8c441b634a185f8da67657df6c50 (diff) | |
RDMA/rxe: Copy WQE to local buffer in non-SRQ receive path
For non-SRQ QPs, the responder reads WQE fields directly from the
shared queue buffer mapped into userspace. This allows a malicious
user to modify fields like num_sge or sge entries while the kernel
is processing the WQE, leading to out-of-bounds reads in
rxe_resp_check_length() and copy_data().
Introduce get_recv_wqe() that validates num_sge and copies the WQE
to a kernel-local buffer before processing, matching the approach
already used for SRQ WQEs in get_srq_wqe(). The srq_wqe buffer is
reused since SRQ and non-SRQ paths are mutually exclusive per QP.
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://patch.msgid.link/r/20260518215040.1598586-3-tristan@talencesecurity.com
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Diffstat (limited to 'include/linux/xarray.h')
0 files changed, 0 insertions, 0 deletions
