From nobody Sun Oct 5 21:59:54 2025 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7175F291C2F for ; Tue, 29 Jul 2025 12:03:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1753790636; cv=none; b=jiqTfnLNdR4O+A544NMQ9w/L0d9C5pRz9hOHZJ45hQhgIZLPPd9zqmi1l3xNz/HEc4kTHjoa/55PaMG3A8qoLydCJnP+MRJZbskEH8RlJFCTQ3hUDoMwip7UeTVuDijHji8OfLfn3EgQ0BokToYSWXxRZirJZqCTKNm8UsbCuzY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1753790636; c=relaxed/simple; bh=NHLC2E1wT8s9zqv+wU+mGxlEZqtQg8+G0zst3AXCLOk=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Js9vZVcEECWx3CkbA8RY5qI/l0YknMJY9KtOWPjlp//CBL8HhEfi2VcrWsndVIC65M0c3pNJGeEIBnjo5h0jNTiia5JX5BTRcb/fk/Vm6II+bOU/xKAe+UwnM9lGPe4Kg9y+vuXou1KXM0bN+rk8FJFSg7LvrG/dt7ddYFfpfk0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=suse.de; spf=pass smtp.mailfrom=suse.de; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b=XtJCeYlB; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b=2gTfL68T; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b=XtJCeYlB; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b=2gTfL68T; arc=none smtp.client-ip=195.135.223.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=suse.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="XtJCeYlB"; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="2gTfL68T"; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="XtJCeYlB"; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="2gTfL68T" Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 69F9A1F385; Tue, 29 Jul 2025 12:03:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1753790632; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=J0XRPjML4mLkSrnriwK6SqbV6JTvs/+OMjrGpcQkY60=; b=XtJCeYlBOBMphfzBASk29AT60ZxONQrTpxdmyfAbTxnb/8JuDfgxqCqqw7xKrrJuFxIHTf G6D3J71PFMuPHYax1syPLYD1d4tq27MUdZ30IMxCJKY0H5bed06reZnXB4+c3u4Um+cSKE RY3EZ0dANLe6iGx5UVsey6oxM3meKgY= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1753790632; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=J0XRPjML4mLkSrnriwK6SqbV6JTvs/+OMjrGpcQkY60=; b=2gTfL68TAlrWDeCcPnskaHrjv1hiZZJ28qVZramfsYwWXZYLjYF/R/ehHFa3j7XzcGdDSp YM0PlqwLRNCIDyAQ== Authentication-Results: smtp-out2.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b=XtJCeYlB; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=2gTfL68T DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1753790632; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=J0XRPjML4mLkSrnriwK6SqbV6JTvs/+OMjrGpcQkY60=; b=XtJCeYlBOBMphfzBASk29AT60ZxONQrTpxdmyfAbTxnb/8JuDfgxqCqqw7xKrrJuFxIHTf G6D3J71PFMuPHYax1syPLYD1d4tq27MUdZ30IMxCJKY0H5bed06reZnXB4+c3u4Um+cSKE RY3EZ0dANLe6iGx5UVsey6oxM3meKgY= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1753790632; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=J0XRPjML4mLkSrnriwK6SqbV6JTvs/+OMjrGpcQkY60=; b=2gTfL68TAlrWDeCcPnskaHrjv1hiZZJ28qVZramfsYwWXZYLjYF/R/ehHFa3j7XzcGdDSp YM0PlqwLRNCIDyAQ== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 789BC13A73; Tue, 29 Jul 2025 12:03:51 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id ucgnGqe4iGipAwAAD6G6ig (envelope-from ); Tue, 29 Jul 2025 12:03:51 +0000 From: Pedro Falcato To: Jason Gunthorpe , Bernard Metzler , Leon Romanovsky , Vlastimil Babka Cc: Jakub Kicinski , David Howells , Tom Talpey , linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, torvalds@linux-foundation.org, Pedro Falcato , stable@vger.kernel.org, kernel test robot Subject: [PATCH v2] RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages Date: Tue, 29 Jul 2025 13:03:48 +0100 Message-ID: <20250729120348.495568-1-pfalcato@suse.de> X-Mailer: git-send-email 2.50.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Spamd-Result: default: False [-3.01 / 50.00]; BAYES_HAM(-3.00)[100.00%]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_MISSING_CHARSET(0.50)[]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FUZZY_RATELIMITED(0.00)[rspamd.com]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_TWELVE(0.00)[14]; ARC_NA(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; DKIM_TRACE(0.00)[suse.de:+]; TO_DN_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:mid,suse.de:dkim,suse.de:email] X-Spam-Flag: NO X-Spam-Level: X-Rspamd-Queue-Id: 69F9A1F385 X-Rspamd-Server: rspamd2.dmz-prg2.suse.org X-Rspamd-Action: no action X-Spam-Score: -3.01 Content-Type: text/plain; charset="utf-8" Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"), we have been doing this: static int siw_tcp_sendpages(struct socket *s, struct page **page, int offs= et, size_t size) [...] /* Calculate the number of bytes we need to push, for this page * specifically */ size_t bytes =3D min_t(size_t, PAGE_SIZE - offset, size); /* If we can't splice it, then copy it in, as normal */ if (!sendpage_ok(page[i])) msg.msg_flags &=3D ~MSG_SPLICE_PAGES; /* Set the bvec pointing to the page, with len $bytes */ bvec_set_page(&bvec, page[i], bytes, offset); /* Set the iter to $size, aka the size of the whole sendpages (!!!)= */ iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size); try_page_again: lock_sock(sk); /* Sendmsg with $size size (!!!) */ rv =3D tcp_sendmsg_locked(sk, &msg, size); This means we've been sending oversized iov_iters and tcp_sendmsg calls for a while. This has a been a benign bug because sendpage_ok() always returned true. With the recent slab allocator changes being slowly introduced into next (that disallow sendpage on large kmalloc allocations), we have recently hit out-of-bounds crashes, due to slight differences in iov_iter behavior between the MSG_SPLICE_PAGES and "regular" copy paths: (MSG_SPLICE_PAGES) skb_splice_from_iter iov_iter_extract_pages iov_iter_extract_bvec_pages uses i->nr_segs to correctly stop in its tracks before OoB'ing everyw= here skb_splice_from_iter gets a "short" read (!MSG_SPLICE_PAGES) skb_copy_to_page_nocache copy=3Diov_iter_count [...] copy_from_iter /* this doesn't help */ if (unlikely(iter->count < len)) len =3D iter->count; iterate_bvec ... and we run off the bvecs Fix this by properly setting the iov_iter's byte count, plus sending the correct byte count to tcp_sendmsg_locked. Cc: stable@vger.kernel.org Fixes: c2ff29e99a76 ("siw: Inline do_tcp_sendpages()") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202507220801.50a7210-lkp@intel.com Reviewed-by: David Howells Signed-off-by: Pedro Falcato Acked-by: Bernard Metzler --- v2: - Add David Howells's Rb on the original patch - Remove the offset increment, since it's dead code drivers/infiniband/sw/siw/siw_qp_tx.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c b/drivers/infiniband/sw/= siw/siw_qp_tx.c index 3a08f57d2211..f7dd32c6e5ba 100644 --- a/drivers/infiniband/sw/siw/siw_qp_tx.c +++ b/drivers/infiniband/sw/siw/siw_qp_tx.c @@ -340,18 +340,17 @@ static int siw_tcp_sendpages(struct socket *s, struct= page **page, int offset, if (!sendpage_ok(page[i])) msg.msg_flags &=3D ~MSG_SPLICE_PAGES; bvec_set_page(&bvec, page[i], bytes, offset); - iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size); + iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, bytes); =20 try_page_again: lock_sock(sk); - rv =3D tcp_sendmsg_locked(sk, &msg, size); + rv =3D tcp_sendmsg_locked(sk, &msg, bytes); release_sock(sk); =20 if (rv > 0) { size -=3D rv; sent +=3D rv; if (rv !=3D bytes) { - offset +=3D rv; bytes -=3D rv; goto try_page_again; } --=20 2.50.1