Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Doug Ledford:
"We had a few more items creep up over the last week. Given we are in
-rc8, these are obviously limited to bugs that have a big downside and
for which we are certain of the fix.

The first is a straight up oops bug that all you have to do is read
the code to see it's a guaranteed 100% oops bug.

The second is a use-after-free issue. We get away lucky if the queue
we are shutting down is empty, but if it isn't, we can end up oopsing.
We really need to drain the queue before destroying it.

The final one is an issue with bad user input causing us to access our
port array out of bounds. While fixing the array out of bounds issue,
it was noticed that the original code did the same thing twice (the
call to rdma_ah_set_port_num()), so its removal is not balanced by a
readd elsewhere, it was already where it needed to be in addition to
where it didn't need to be.

Summary:

- Oops fix in hfi1 driver

- use-after-free issue in iser-target

- use of user supplied array index without proper checking"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
RDMA/mlx5: Fix out-of-bound access while querying AH
IB/hfi1: Prevent a NULL dereference
iser-target: Fix possible use-after-free in connection establishment error

+6 -6
+2 -2
drivers/infiniband/hw/hfi1/file_ops.c
··· 763 } 764 765 if (ret) { 766 - hfi1_rcd_put(fd->uctxt); 767 - fd->uctxt = NULL; 768 spin_lock_irqsave(&fd->dd->uctxt_lock, flags); 769 __clear_bit(fd->subctxt, fd->uctxt->in_use_ctxts); 770 spin_unlock_irqrestore(&fd->dd->uctxt_lock, flags); 771 } 772 773 return ret;
··· 763 } 764 765 if (ret) { 766 spin_lock_irqsave(&fd->dd->uctxt_lock, flags); 767 __clear_bit(fd->subctxt, fd->uctxt->in_use_ctxts); 768 spin_unlock_irqrestore(&fd->dd->uctxt_lock, flags); 769 + hfi1_rcd_put(fd->uctxt); 770 + fd->uctxt = NULL; 771 } 772 773 return ret;
+3 -4
drivers/infiniband/hw/mlx5/qp.c
··· 4362 4363 memset(ah_attr, 0, sizeof(*ah_attr)); 4364 4365 - ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, path->port); 4366 - rdma_ah_set_port_num(ah_attr, path->port); 4367 - if (rdma_ah_get_port_num(ah_attr) == 0 || 4368 - rdma_ah_get_port_num(ah_attr) > MLX5_CAP_GEN(dev, num_ports)) 4369 return; 4370 4371 rdma_ah_set_port_num(ah_attr, path->port); 4372 rdma_ah_set_sl(ah_attr, path->dci_cfi_prio_sl & 0xf);
··· 4362 4363 memset(ah_attr, 0, sizeof(*ah_attr)); 4364 4365 + if (!path->port || path->port > MLX5_CAP_GEN(dev, num_ports)) 4366 return; 4367 + 4368 + ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, path->port); 4369 4370 rdma_ah_set_port_num(ah_attr, path->port); 4371 rdma_ah_set_sl(ah_attr, path->dci_cfi_prio_sl & 0xf);
+1
drivers/infiniband/ulp/isert/ib_isert.c
··· 741 { 742 struct isert_conn *isert_conn = cma_id->qp->qp_context; 743 744 list_del_init(&isert_conn->node); 745 isert_conn->cm_id = NULL; 746 isert_put_conn(isert_conn);
··· 741 { 742 struct isert_conn *isert_conn = cma_id->qp->qp_context; 743 744 + ib_drain_qp(isert_conn->qp); 745 list_del_init(&isert_conn->node); 746 isert_conn->cm_id = NULL; 747 isert_put_conn(isert_conn);
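Review bot: in drivers/infiniband/hw/hfi1/file_ops.c, the `if (ret)` error path now calls `hfi1_rcd_put(fd->uctxt)` and sets `fd->uctxt = NULL` after `spin_unlock_irqrestore()`, so the pointer is cleared outside `uctxt_lock` while `in_use_ctxts` is updated inside it. If any other path reads `fd->uctxt` under that lock, consider saving the pointer in a local, clearing `fd->uctxt` before the unlock, and doing the put on the local afterwards. Either way, a one-line comment that `__clear_bit()` has to run before the put would keep the two statements from being reordered again.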
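Review bot: in drivers/infiniband/hw/mlx5/qp.c, the new check `if (!path->port || path->port > MLX5_CAP_GEN(dev, num_ports))` bails out with a bare `return;`, leaving `ah_attr` all-zero from the preceding `memset()` and giving the caller no signal that the port was rejected. Please confirm that every caller treats a zeroed `ah_attr` as "no address handle", and add a short comment above the check saying that `path->port` is not trusted here and must be validated before `rdma_ah_find_type()` uses it. The bounds themselves (port 0 rejected, `num_ports` inclusive) look consistent with the check they replace.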
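Review bot: in drivers/infiniband/ulp/isert/ib_isert.c, the added `ib_drain_qp(isert_conn->qp);` sits at the top of the teardown sequence with nothing in the code explaining why it must come before `isert_put_conn(isert_conn)`. A comment stating that outstanding work on the queue pair has to be flushed before the last reference can be dropped would document the use-after-free this prevents. Since `isert_conn` is obtained through `cma_id->qp->qp_context`, it is also worth confirming that `isert_conn->qp` and `cma_id->qp` are always the same queue pair on this path, and that this handler runs in a context where `ib_drain_qp()` is allowed to block.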