Commit 0c124aa5 authored by Jakub Kicinski's avatar Jakub Kicinski

Merge branch 'net-smc-fixes-2020-10-14'

Karsten Graul says:

====================
net/smc: fixes 2020-10-14

The first patch fixes a possible use-after-free of delayed llc events.
Patch 2 corrects the number of DMB buffer sizes. And patch 3 ensures
a correctly formatted return code when smc_ism_register_dmb() fails to
create a new DMB.
====================

Link: https://lore.kernel.org/r/20201014174329.35791-1-kgraul@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 1d273fcc 6b1bbf94
...@@ -1597,7 +1597,7 @@ static int smcr_buf_map_usable_links(struct smc_link_group *lgr, ...@@ -1597,7 +1597,7 @@ static int smcr_buf_map_usable_links(struct smc_link_group *lgr,
return rc; return rc;
} }
#define SMCD_DMBE_SIZES 7 /* 0 -> 16KB, 1 -> 32KB, .. 6 -> 1MB */ #define SMCD_DMBE_SIZES 6 /* 0 -> 16KB, 1 -> 32KB, .. 6 -> 1MB */
static struct smc_buf_desc *smcd_new_buf_create(struct smc_link_group *lgr, static struct smc_buf_desc *smcd_new_buf_create(struct smc_link_group *lgr,
bool is_dmb, int bufsize) bool is_dmb, int bufsize)
...@@ -1616,7 +1616,8 @@ static struct smc_buf_desc *smcd_new_buf_create(struct smc_link_group *lgr, ...@@ -1616,7 +1616,8 @@ static struct smc_buf_desc *smcd_new_buf_create(struct smc_link_group *lgr,
rc = smc_ism_register_dmb(lgr, bufsize, buf_desc); rc = smc_ism_register_dmb(lgr, bufsize, buf_desc);
if (rc) { if (rc) {
kfree(buf_desc); kfree(buf_desc);
return (rc == -ENOMEM) ? ERR_PTR(-EAGAIN) : ERR_PTR(rc); return (rc == -ENOMEM) ? ERR_PTR(-EAGAIN) :
ERR_PTR(-EIO);
} }
buf_desc->pages = virt_to_page(buf_desc->cpu_addr); buf_desc->pages = virt_to_page(buf_desc->cpu_addr);
/* CDC header stored in buf. So, pretend it was smaller */ /* CDC header stored in buf. So, pretend it was smaller */
......
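Review bot: The comment on `SMCD_DMBE_SIZES` still lists indices 0 through 6, which is seven sizes, while the constant is now 6, so a reader cannot tell whether the macro is a count or the highest valid index. The bound check that uses it is not visible in this section. If it is meant as the largest index, say so in the comment, for example `/* highest valid DMBE size index: 0 -> 16KB, 1 -> 32KB, .. 6 -> 1MB */`, and confirm that the comparison against it is `>` rather than `>=`. An off-by-one there would presumably decide whether an out-of-range size is rejected before it reaches smc_ism_register_dmb().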
...@@ -233,8 +233,6 @@ static bool smc_llc_flow_start(struct smc_llc_flow *flow, ...@@ -233,8 +233,6 @@ static bool smc_llc_flow_start(struct smc_llc_flow *flow,
default: default:
flow->type = SMC_LLC_FLOW_NONE; flow->type = SMC_LLC_FLOW_NONE;
} }
if (qentry == lgr->delayed_event)
lgr->delayed_event = NULL;
smc_llc_flow_qentry_set(flow, qentry); smc_llc_flow_qentry_set(flow, qentry);
spin_unlock_bh(&lgr->llc_flow_lock); spin_unlock_bh(&lgr->llc_flow_lock);
return true; return true;
...@@ -1603,14 +1601,13 @@ static void smc_llc_event_work(struct work_struct *work) ...@@ -1603,14 +1601,13 @@ static void smc_llc_event_work(struct work_struct *work)
struct smc_llc_qentry *qentry; struct smc_llc_qentry *qentry;
if (!lgr->llc_flow_lcl.type && lgr->delayed_event) { if (!lgr->llc_flow_lcl.type && lgr->delayed_event) {
if (smc_link_usable(lgr->delayed_event->link)) {
smc_llc_event_handler(lgr->delayed_event);
} else {
qentry = lgr->delayed_event; qentry = lgr->delayed_event;
lgr->delayed_event = NULL; lgr->delayed_event = NULL;
if (smc_link_usable(qentry->link))
smc_llc_event_handler(qentry);
else
kfree(qentry); kfree(qentry);
} }
}
again: again:
spin_lock_bh(&lgr->llc_event_q_lock); spin_lock_bh(&lgr->llc_event_q_lock);
......
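Review bot: The read-and-clear of `lgr->delayed_event` at the top of smc_llc_event_work() runs with no lock visible in the hunk, whereas the clear removed from smc_llc_flow_start() sat inside the `llc_flow_lock` critical section. Taking the pointer into `qentry` and setting the field to NULL before dispatch looks like the right ownership transfer, but it is only safe if nothing else can store to `delayed_event` between the test and the clear; that is worth confirming against the writers, which are not shown here. A short comment would record the intent, e.g. `/* detach the delayed event before handling it, so no stale pointer remains if the handler frees qentry */`. The function body continues outside the hunk.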