Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Jason Gunthorpe:
"Here are eight fairly small fixes collected over the last two weeks.

Regression and crashing bug fixes:

- mlx4/5: Fixes for issues found from various checkers

- A resource tracking and uverbs regression in the core code

- qedr: NULL pointer regression found during testing

- rxe: Various small bugs"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
IB/rxe: Fix missing completion for mem_reg work requests
RDMA/core: Save kernel caller name when creating CQ using ib_create_cq()
IB/uverbs: Fix ordering of ucontext check in ib_uverbs_write
IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()'
RDMA/qedr: Fix NULL pointer dereference when running over iWARP without RDMA-CM
IB/mlx5: Fix return value check in flow_counters_set_data()
IB/mlx5: Fix memory leak in mlx5_ib_create_flow
IB/rxe: avoid double kfree skb

+59 -33
+10 -4
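--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -736,10 +736,6 @@
 if (ret)
 return ret;
 
-if (!file->ucontext &&
-(command != IB_USER_VERBS_CMD_GET_CONTEXT || extended))
-return -EINVAL;
-
 if (extended) {
 if (count < (sizeof(hdr) + sizeof(ex_hdr)))
 return -EINVAL;
@@ -756,6 +752,16 @@
 &file->device->disassociate_srcu);
 if (!ib_dev) {
 ret = -EIO;
+goto out;
+}
+
+/*
+* Must be after the ib_dev check, as once the RCU clears ib_dev ==
+* NULL means ucontext == NULL
+*/
+if (!file->ucontext &&
+(command != IB_USER_VERBS_CMD_GET_CONTEXT || extended)) {
+ret = -EINVAL;
 goto out;
 }
 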
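Review bot: The comment added above the relocated `!file->ucontext` test in the second hunk is hard to parse and does not say why the order matters to the caller. As far as the hunk shows, a disassociated device must produce -EIO from the `!ib_dev` branch, and only a live device without a context produces -EINVAL. A wording such as `/* Check ucontext only after ib_dev: once disassociation clears ib_dev, ucontext is NULL too, and that case must return -EIO */` states this directly. The enclosing function starts and ends outside the hunk, so whether `file->ucontext` is read again later under the same SRCU section cannot be confirmed from here.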
+8 -6
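--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -1562,11 +1562,12 @@
 
 /* Completion queues */
 
-struct ib_cq *ib_create_cq(struct ib_device *device,
-ib_comp_handler comp_handler,
-void (*event_handler)(struct ib_event *, void *),
-void *cq_context,
-const struct ib_cq_init_attr *cq_attr)
+struct ib_cq *__ib_create_cq(struct ib_device *device,
+ib_comp_handler comp_handler,
+void (*event_handler)(struct ib_event *, void *),
+void *cq_context,
+const struct ib_cq_init_attr *cq_attr,
+const char *caller)
 {
 struct ib_cq *cq;
 
@@ -1580,12 +1581,13 @@
 cq->cq_context = cq_context;
 atomic_set(&cq->usecnt, 0);
 cq->res.type = RDMA_RESTRACK_CQ;
+cq->res.kern_name = caller;
 rdma_restrack_add(&cq->res);
 }
 
 return cq;
 }
-EXPORT_SYMBOL(ib_create_cq);
+EXPORT_SYMBOL(__ib_create_cq);
 
 int rdma_set_cq_moderation(struct ib_cq *cq, u16 cq_count, u16 cq_period)
 {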
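Review bot: `cq->res.kern_name = caller;` in the second hunk keeps the caller's pointer rather than a copy, and `__ib_create_cq` is exported, so nothing in the new code ties the string's lifetime to the CQ's. Through the `ib_create_cq()` wrapper the argument is presumably a module-name literal, which is safe as long as the CQ is destroyed before that module is unloaded, but a direct caller could pass NULL or a short-lived buffer. I would state the contract where the parameter is documented, for example `@caller: name of the calling module; stored by reference, must outlive the CQ`. It is also worth confirming that the resource-tracking readers tolerate a NULL `kern_name`.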
+5 -2
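--- a/drivers/infiniband/hw/mlx4/mr.c
+++ b/drivers/infiniband/hw/mlx4/mr.c
@@ -486,8 +486,11 @@
 }
 
 if (flags & IB_MR_REREG_ACCESS) {
-if (ib_access_writable(mr_access_flags) && !mmr->umem->writable)
-return -EPERM;
+if (ib_access_writable(mr_access_flags) &&
+!mmr->umem->writable) {
+err = -EPERM;
+goto release_mpt_entry;
+}
 
 err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry,
 convert_access(mr_access_flags));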
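Review bot: The permission test in the `IB_MR_REREG_ACCESS` branch has no comment, although it is the check that stops a re-registration from adding write access to a region whose umem is not writable. A one-line comment above the `if`, such as `/* never grant write access on a umem that was not mapped writable */`, would keep that intent visible through later refactoring. The `release_mpt_entry` label and the earlier branches of the function are outside the hunk. Any other early return taken after the MPT entry is acquired should be checked for the same missing release.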
+21 -15
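--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -3199,8 +3199,8 @@
 if (!mcounters->hw_cntrs_hndl) {
 mcounters->hw_cntrs_hndl = mlx5_fc_create(
 to_mdev(ibcounters->device)->mdev, false);
-if (!mcounters->hw_cntrs_hndl) {
-ret = -ENOMEM;
+if (IS_ERR(mcounters->hw_cntrs_hndl)) {
+ret = PTR_ERR(mcounters->hw_cntrs_hndl);
 goto free;
 }
 hw_hndl = true;
@@ -3546,29 +3546,35 @@
 return ERR_PTR(-ENOMEM);
 
 err = ib_copy_from_udata(ucmd, udata, required_ucmd_sz);
-if (err) {
-kfree(ucmd);
-return ERR_PTR(err);
-}
+if (err)
+goto free_ucmd;
 }
 
-if (flow_attr->priority > MLX5_IB_FLOW_LAST_PRIO)
-return ERR_PTR(-ENOMEM);
+if (flow_attr->priority > MLX5_IB_FLOW_LAST_PRIO) {
+err = -ENOMEM;
+goto free_ucmd;
+}
 
 if (domain != IB_FLOW_DOMAIN_USER ||
 flow_attr->port > dev->num_ports ||
 (flow_attr->flags & ~(IB_FLOW_ATTR_FLAGS_DONT_TRAP |
-IB_FLOW_ATTR_FLAGS_EGRESS)))
-return ERR_PTR(-EINVAL);
+IB_FLOW_ATTR_FLAGS_EGRESS))) {
+err = -EINVAL;
+goto free_ucmd;
+}
 
 if (is_egress &&
 (flow_attr->type == IB_FLOW_ATTR_ALL_DEFAULT ||
-flow_attr->type == IB_FLOW_ATTR_MC_DEFAULT))
-return ERR_PTR(-EINVAL);
+flow_attr->type == IB_FLOW_ATTR_MC_DEFAULT)) {
+err = -EINVAL;
+goto free_ucmd;
+}
 
 dst = kzalloc(sizeof(*dst), GFP_KERNEL);
-if (!dst)
-return ERR_PTR(-ENOMEM);
+if (!dst) {
+err = -ENOMEM;
+goto free_ucmd;
+}
 
 mutex_lock(&dev->flow_db->lock);
 
@@ -3637,8 +3643,8 @@
 unlock:
 mutex_unlock(&dev->flow_db->lock);
 kfree(dst);
+free_ucmd:
 kfree(ucmd);
-kfree(handler);
 return ERR_PTR(err);
 }
 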
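Review bot: Every new `goto free_ucmd` in the second hunk ends in `kfree(ucmd)`, including the paths taken when what appears to be the udata block that allocates `ucmd` was skipped, so `ucmd` must be NULL-initialised at its declaration, which is outside the hunk. The third hunk also drops `kfree(handler)` from the shared exit. The hunk does not show which paths reach `unlock:` holding a valid `handler`, so it is worth confirming that none of them now leaks it. Separately, `flow_attr->priority > MLX5_IB_FLOW_LAST_PRIO` is an input-range failure that still reports `-ENOMEM`; `-EINVAL` would describe it better if the existing user-space contract allows the change.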
+3
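--- a/drivers/infiniband/hw/qedr/verbs.c
+++ b/drivers/infiniband/hw/qedr/verbs.c
@@ -1957,6 +1957,9 @@
 }
 
 if (attr_mask & (IB_QP_AV | IB_QP_PATH_MTU)) {
+if (rdma_protocol_iwarp(&dev->ibdev, 1))
+return -EINVAL;
+
 if (attr_mask & IB_QP_PATH_MTU) {
 if (attr->path_mtu < IB_MTU_256 ||
 attr->path_mtu > IB_MTU_4096) {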
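Review bot: The new iWARP guard returns `-EINVAL` with no comment and with the port number hard-coded as `1`. Going by the commit title, it rejects address-vector and path-MTU changes on iWARP to avoid a NULL dereference. That reason belongs next to the check, for example `/* AV and path MTU are only modifiable on RoCE here; reject on iWARP */`. The function's other error paths are outside the hunk; if they unwind through a label, this direct `return` should use the same exit so that nothing acquired earlier is skipped.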
+4 -1
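--- a/drivers/infiniband/sw/rxe/rxe_req.c
+++ b/drivers/infiniband/sw/rxe/rxe_req.c
@@ -645,6 +645,9 @@
 } else {
 goto exit;
 }
+if ((wqe->wr.send_flags & IB_SEND_SIGNALED) ||
+qp->sq_sig_type == IB_SIGNAL_ALL_WR)
+rxe_run_task(&qp->comp.task, 1);
 qp->req.wqe_index = next_index(qp->sq.queue,
 qp->req.wqe_index);
 goto next_wqe;
@@ -709,6 +712,7 @@
 
 if (fill_packet(qp, wqe, &pkt, skb, payload)) {
 pr_debug("qp#%d Error during fill packet\n", qp_num(qp));
+kfree_skb(skb);
 goto err;
 }
 
@@ -740,7 +744,6 @@
 goto next_wqe;
 
 err:
-kfree_skb(skb);
 wqe->status = IB_WC_LOC_PROT_ERR;
 wqe->state = wqe_state_error;
 __rxe_do_task(&qp->comp.task);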
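Review bot: After this change the `err:` label in the third hunk no longer frees `skb`, so ownership of the buffer on the error path depends on each jump site, and nothing in the code records that rule. I would add a comment at the label, for example `/* skb already freed, or consumed by the callee, on every path to err */`. The remaining `goto err` sites are outside the hunks and should be checked against it, since any site that still holds the skb when it jumps now leaks it. The function body starts and ends outside the hunks shown.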
+8 -5
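--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -3391,11 +3391,14 @@
 *
 * Users can examine the cq structure to determine the actual CQ size.
 */
-struct ib_cq *ib_create_cq(struct ib_device *device,
-ib_comp_handler comp_handler,
-void (*event_handler)(struct ib_event *, void *),
-void *cq_context,
-const struct ib_cq_init_attr *cq_attr);
+struct ib_cq *__ib_create_cq(struct ib_device *device,
+ib_comp_handler comp_handler,
+void (*event_handler)(struct ib_event *, void *),
+void *cq_context,
+const struct ib_cq_init_attr *cq_attr,
+const char *caller);
+#define ib_create_cq(device, cmp_hndlr, evt_hndlr, cq_ctxt, cq_attr) \
+__ib_create_cq((device), (cmp_hndlr), (evt_hndlr), (cq_ctxt), (cq_attr), KBUILD_MODNAME)
 
 /**
 * ib_resize_cq - Modifies the capacity of the CQ.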
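Review bot: The kernel-doc block that ends just above the prototype now sits on `__ib_create_cq` and has no entry for the new `caller` argument, while `ib_create_cq` has become a function-like macro. I would add `@caller: module name recorded for resource tracking` to that block, whose start is outside the hunk, and a short comment on the macro saying that it passes `KBUILD_MODNAME`. Because a macro has no address, any code that used `ib_create_cq` as a function pointer would need `__ib_create_cq` instead; the page shows no such user.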