tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Jason Gunthorpe:
"Things have been quite slow, only 6 RC patches have been sent to the
list. Regression, user visible bugs, and crashing fixes:

- cxgb4 could wrongly fail MR creation due to a typo

- various crashes if the wrong QP type is mixed in with APIs that
expect other types

- syzkaller oops

- using ERR_PTR and NULL together cases HFI1 to crash in some cases

- mlx5 memory leak in error unwind"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path
RDMA/uverbs: Don't fail in creation of multiple flows
IB/hfi1: Fix incorrect mixing of ERR_PTR and NULL return values
RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow
RDMA/uverbs: Protect from attempts to create flows on unsupported QP
iw_cxgb4: correctly enforce the max reg_mr depth

Linus Torvalds 4659fc84 2a7e1211

+39 -27
+17 -11
drivers/infiniband/core/uverbs_cmd.c
··· 3488 3488 struct ib_flow_attr *flow_attr; 3489 3489 struct ib_qp *qp; 3490 3490 struct ib_uflow_resources *uflow_res; 3491 + struct ib_uverbs_flow_spec_hdr *kern_spec; 3491 3492 int err = 0; 3492 - void *kern_spec; 3493 3493 void *ib_spec; 3494 3494 int i; 3495 3495 ··· 3538 3538 if (!kern_flow_attr) 3539 3539 return -ENOMEM; 3540 3540 3541 - memcpy(kern_flow_attr, &cmd.flow_attr, sizeof(*kern_flow_attr)); 3542 - err = ib_copy_from_udata(kern_flow_attr + 1, ucore, 3541 + *kern_flow_attr = cmd.flow_attr; 3542 + err = ib_copy_from_udata(&kern_flow_attr->flow_specs, ucore, 3543 3543 cmd.flow_attr.size); 3544 3544 if (err) 3545 3545 goto err_free_attr; ··· 3557 3557 if (!qp) { 3558 3558 err = -EINVAL; 3559 3559 goto err_uobj; 3560 + } 3561 + 3562 + if (qp->qp_type != IB_QPT_UD && qp->qp_type != IB_QPT_RAW_PACKET) { 3563 + err = -EINVAL; 3564 + goto err_put; 3560 3565 } 3561 3566 3562 3567 flow_attr = kzalloc(struct_size(flow_attr, flows, ··· 3583 3578 flow_attr->flags = kern_flow_attr->flags; 3584 3579 flow_attr->size = sizeof(*flow_attr); 3585 3580 3586 - kern_spec = kern_flow_attr + 1; 3581 + kern_spec = kern_flow_attr->flow_specs; 3587 3582 ib_spec = flow_attr + 1; 3588 3583 for (i = 0; i < flow_attr->num_of_specs && 3589 - cmd.flow_attr.size > offsetof(struct ib_uverbs_flow_spec, reserved) && 3590 - cmd.flow_attr.size >= 3591 - ((struct ib_uverbs_flow_spec *)kern_spec)->size; i++) { 3592 - err = kern_spec_to_ib_spec(file->ucontext, kern_spec, ib_spec, 3593 - uflow_res); 3584 + cmd.flow_attr.size >= sizeof(*kern_spec) && 3585 + cmd.flow_attr.size >= kern_spec->size; 3586 + i++) { 3587 + err = kern_spec_to_ib_spec( 3588 + file->ucontext, (struct ib_uverbs_flow_spec *)kern_spec, 3589 + ib_spec, uflow_res); 3594 3590 if (err) 3595 3591 goto err_free; 3596 3592 3597 3593 flow_attr->size += 3598 3594 ((union ib_flow_spec *) ib_spec)->size; 3599 - cmd.flow_attr.size -= ((struct ib_uverbs_flow_spec *)kern_spec)->size; 3600 - kern_spec += ((struct ib_uverbs_flow_spec *) kern_spec)->size; 3595 + cmd.flow_attr.size -= kern_spec->size; 3596 + kern_spec = ((void *)kern_spec) + kern_spec->size; 3601 3597 ib_spec += ((union ib_flow_spec *) ib_spec)->size; 3602 3598 } 3603 3599 if (cmd.flow_attr.size || (i != flow_attr->num_of_specs)) {
+1 -1
drivers/infiniband/hw/cxgb4/mem.c
··· 774 774 { 775 775 struct c4iw_mr *mhp = to_c4iw_mr(ibmr); 776 776 777 - if (unlikely(mhp->mpl_len == mhp->max_mpl_len)) 777 + if (unlikely(mhp->mpl_len == mhp->attr.pbl_size)) 778 778 return -ENOMEM; 779 779 780 780 mhp->mpl[mhp->mpl_len++] = addr;
+1 -1
drivers/infiniband/hw/hfi1/rc.c
··· 271 271 272 272 lockdep_assert_held(&qp->s_lock); 273 273 ps->s_txreq = get_txreq(ps->dev, qp); 274 - if (IS_ERR(ps->s_txreq)) 274 + if (!ps->s_txreq) 275 275 goto bail_no_tx; 276 276 277 277 if (priv->hdr_type == HFI1_PKT_TYPE_9B) {
+2 -2
drivers/infiniband/hw/hfi1/uc.c
··· 1 1 /* 2 - * Copyright(c) 2015, 2016 Intel Corporation. 2 + * Copyright(c) 2015 - 2018 Intel Corporation. 3 3 * 4 4 * This file is provided under a dual BSD/GPLv2 license. When using or 5 5 * redistributing this file, you may do so under either license. ··· 72 72 int middle = 0; 73 73 74 74 ps->s_txreq = get_txreq(ps->dev, qp); 75 - if (IS_ERR(ps->s_txreq)) 75 + if (!ps->s_txreq) 76 76 goto bail_no_tx; 77 77 78 78 if (!(ib_rvt_state_ops[qp->state] & RVT_PROCESS_SEND_OK)) {
+2 -2
drivers/infiniband/hw/hfi1/ud.c
··· 1 1 /* 2 - * Copyright(c) 2015, 2016 Intel Corporation. 2 + * Copyright(c) 2015 - 2018 Intel Corporation. 3 3 * 4 4 * This file is provided under a dual BSD/GPLv2 license. When using or 5 5 * redistributing this file, you may do so under either license. ··· 503 503 u32 lid; 504 504 505 505 ps->s_txreq = get_txreq(ps->dev, qp); 506 - if (IS_ERR(ps->s_txreq)) 506 + if (!ps->s_txreq) 507 507 goto bail_no_tx; 508 508 509 509 if (!(ib_rvt_state_ops[qp->state] & RVT_PROCESS_NEXT_SEND_OK)) {
+2 -2
drivers/infiniband/hw/hfi1/verbs_txreq.c
··· 1 1 /* 2 - * Copyright(c) 2016 - 2017 Intel Corporation. 2 + * Copyright(c) 2016 - 2018 Intel Corporation. 3 3 * 4 4 * This file is provided under a dual BSD/GPLv2 license. When using or 5 5 * redistributing this file, you may do so under either license. ··· 94 94 struct rvt_qp *qp) 95 95 __must_hold(&qp->s_lock) 96 96 { 97 - struct verbs_txreq *tx = ERR_PTR(-EBUSY); 97 + struct verbs_txreq *tx = NULL; 98 98 99 99 write_seqlock(&dev->txwait_lock); 100 100 if (ib_rvt_state_ops[qp->state] & RVT_PROCESS_RECV_OK) {
+2 -2
drivers/infiniband/hw/hfi1/verbs_txreq.h
··· 1 1 /* 2 - * Copyright(c) 2016 Intel Corporation. 2 + * Copyright(c) 2016 - 2018 Intel Corporation. 3 3 * 4 4 * This file is provided under a dual BSD/GPLv2 license. When using or 5 5 * redistributing this file, you may do so under either license. ··· 83 83 if (unlikely(!tx)) { 84 84 /* call slow path to get the lock */ 85 85 tx = __get_txreq(dev, qp); 86 - if (IS_ERR(tx)) 86 + if (!tx) 87 87 return tx; 88 88 } 89 89 tx->qp = qp;
+12 -6
drivers/infiniband/hw/mlx5/srq.c
··· 266 266 267 267 desc_size = sizeof(struct mlx5_wqe_srq_next_seg) + 268 268 srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg); 269 - if (desc_size == 0 || srq->msrq.max_gs > desc_size) 270 - return ERR_PTR(-EINVAL); 269 + if (desc_size == 0 || srq->msrq.max_gs > desc_size) { 270 + err = -EINVAL; 271 + goto err_srq; 272 + } 271 273 desc_size = roundup_pow_of_two(desc_size); 272 274 desc_size = max_t(size_t, 32, desc_size); 273 - if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg)) 274 - return ERR_PTR(-EINVAL); 275 + if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg)) { 276 + err = -EINVAL; 277 + goto err_srq; 278 + } 275 279 srq->msrq.max_avail_gather = (desc_size - sizeof(struct mlx5_wqe_srq_next_seg)) / 276 280 sizeof(struct mlx5_wqe_data_seg); 277 281 srq->msrq.wqe_shift = ilog2(desc_size); 278 282 buf_size = srq->msrq.max * desc_size; 279 - if (buf_size < desc_size) 280 - return ERR_PTR(-EINVAL); 283 + if (buf_size < desc_size) { 284 + err = -EINVAL; 285 + goto err_srq; 286 + } 281 287 in.type = init_attr->srq_type; 282 288 283 289 if (pd->uobject)