Commit 8cbab92d authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Doug Ledford:
 "We had a few more items creep up over the last week. Given we are in
  -rc8, these are obviously limited to bugs that have a big downside and
  for which we are certain of the fix.

  The first is a straight up oops bug that all you have to do is read
  the code to see it's a guaranteed 100% oops bug.

  The second is a use-after-free issue. We get away lucky if the queue
  we are shutting down is empty, but if it isn't, we can end up oopsing.
  We really need to drain the queue before destroying it.

  The final one is an issue with bad user input causing us to access our
  port array out of bounds. While fixing the array out of bounds issue,
  it was noticed that the original code did the same thing twice (the
  call to rdma_ah_set_port_num()), so its removal is not balanced by a
  readd elsewhere, it was already where it needed to be in addition to
  where it didn't need to be.

  Summary:

   - Oops fix in hfi1 driver

   - use-after-free issue in iser-target

   - use of user supplied array index without proper checking"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/mlx5: Fix out-of-bound access while querying AH
  IB/hfi1: Prevent a NULL dereference
  iser-target: Fix possible use-after-free in connection establishment error
parents b45a53be ae59c3f0
...@@ -763,11 +763,11 @@ static int complete_subctxt(struct hfi1_filedata *fd) ...@@ -763,11 +763,11 @@ static int complete_subctxt(struct hfi1_filedata *fd)
} }
if (ret) { if (ret) {
hfi1_rcd_put(fd->uctxt);
fd->uctxt = NULL;
spin_lock_irqsave(&fd->dd->uctxt_lock, flags); spin_lock_irqsave(&fd->dd->uctxt_lock, flags);
__clear_bit(fd->subctxt, fd->uctxt->in_use_ctxts); __clear_bit(fd->subctxt, fd->uctxt->in_use_ctxts);
spin_unlock_irqrestore(&fd->dd->uctxt_lock, flags); spin_unlock_irqrestore(&fd->dd->uctxt_lock, flags);
hfi1_rcd_put(fd->uctxt);
fd->uctxt = NULL;
} }
return ret; return ret;
......
...@@ -4362,12 +4362,11 @@ static void to_rdma_ah_attr(struct mlx5_ib_dev *ibdev, ...@@ -4362,12 +4362,11 @@ static void to_rdma_ah_attr(struct mlx5_ib_dev *ibdev,
memset(ah_attr, 0, sizeof(*ah_attr)); memset(ah_attr, 0, sizeof(*ah_attr));
ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, path->port); if (!path->port || path->port > MLX5_CAP_GEN(dev, num_ports))
rdma_ah_set_port_num(ah_attr, path->port);
if (rdma_ah_get_port_num(ah_attr) == 0 ||
rdma_ah_get_port_num(ah_attr) > MLX5_CAP_GEN(dev, num_ports))
return; return;
ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, path->port);
rdma_ah_set_port_num(ah_attr, path->port); rdma_ah_set_port_num(ah_attr, path->port);
rdma_ah_set_sl(ah_attr, path->dci_cfi_prio_sl & 0xf); rdma_ah_set_sl(ah_attr, path->dci_cfi_prio_sl & 0xf);
......
...@@ -741,6 +741,7 @@ isert_connect_error(struct rdma_cm_id *cma_id) ...@@ -741,6 +741,7 @@ isert_connect_error(struct rdma_cm_id *cma_id)
{ {
struct isert_conn *isert_conn = cma_id->qp->qp_context; struct isert_conn *isert_conn = cma_id->qp->qp_context;
ib_drain_qp(isert_conn->qp);
list_del_init(&isert_conn->node); list_del_init(&isert_conn->node);
isert_conn->cm_id = NULL; isert_conn->cm_id = NULL;
isert_put_conn(isert_conn); isert_put_conn(isert_conn);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment