
Commit 4659fc84 authored by Linus Torvalds's avatar Linus Torvalds
Pull rdma fixes from Jason Gunthorpe:
 "Things have been quite slow, only 6 RC patches have been sent to the
  list. Regression, user visible bugs, and crashing fixes:

   - cxgb4 could wrongly fail MR creation due to a typo

   - various crashes if the wrong QP type is mixed in with APIs that
     expect other types

   - syzkaller oops

   - using ERR_PTR and NULL together causes HFI1 to crash in some cases

   - mlx5 memory leak in error unwind"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path
  RDMA/uverbs: Don't fail in creation of multiple flows
  IB/hfi1: Fix incorrect mixing of ERR_PTR and NULL return values
  RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow
  RDMA/uverbs: Protect from attempts to create flows on unsupported QP
  iw_cxgb4: correctly enforce the max reg_mr depth
parents 2a7e1211 d63c4673
+17 −11
@@ -3488,8 +3488,8 @@ int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file,
	struct ib_flow_attr		  *flow_attr;
	struct ib_qp			  *qp;
	struct ib_uflow_resources	  *uflow_res;
	struct ib_uverbs_flow_spec_hdr	  *kern_spec;
	int err = 0;
	void *kern_spec;
	void *ib_spec;
	int i;

@@ -3538,8 +3538,8 @@ int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file,
		if (!kern_flow_attr)
			return -ENOMEM;

		memcpy(kern_flow_attr, &cmd.flow_attr, sizeof(*kern_flow_attr));
		err = ib_copy_from_udata(kern_flow_attr + 1, ucore,
		*kern_flow_attr = cmd.flow_attr;
		err = ib_copy_from_udata(&kern_flow_attr->flow_specs, ucore,
					 cmd.flow_attr.size);
		if (err)
			goto err_free_attr;
@@ -3559,6 +3559,11 @@ int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file,
		goto err_uobj;
	}

	if (qp->qp_type != IB_QPT_UD && qp->qp_type != IB_QPT_RAW_PACKET) {
		err = -EINVAL;
		goto err_put;
	}

	flow_attr = kzalloc(struct_size(flow_attr, flows,
				cmd.flow_attr.num_of_specs), GFP_KERNEL);
	if (!flow_attr) {
@@ -3578,21 +3583,22 @@ int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file,
	flow_attr->flags = kern_flow_attr->flags;
	flow_attr->size = sizeof(*flow_attr);

	kern_spec = kern_flow_attr + 1;
	kern_spec = kern_flow_attr->flow_specs;
	ib_spec = flow_attr + 1;
	for (i = 0; i < flow_attr->num_of_specs &&
	     cmd.flow_attr.size > offsetof(struct ib_uverbs_flow_spec, reserved) &&
	     cmd.flow_attr.size >=
	     ((struct ib_uverbs_flow_spec *)kern_spec)->size; i++) {
		err = kern_spec_to_ib_spec(file->ucontext, kern_spec, ib_spec,
					   uflow_res);
			cmd.flow_attr.size >= sizeof(*kern_spec) &&
			cmd.flow_attr.size >= kern_spec->size;
	     i++) {
		err = kern_spec_to_ib_spec(
				file->ucontext, (struct ib_uverbs_flow_spec *)kern_spec,
				ib_spec, uflow_res);
		if (err)
			goto err_free;

		flow_attr->size +=
			((union ib_flow_spec *) ib_spec)->size;
		cmd.flow_attr.size -= ((struct ib_uverbs_flow_spec *)kern_spec)->size;
		kern_spec += ((struct ib_uverbs_flow_spec *) kern_spec)->size;
		cmd.flow_attr.size -= kern_spec->size;
		kern_spec = ((void *)kern_spec) + kern_spec->size;
		ib_spec += ((union ib_flow_spec *) ib_spec)->size;
	}
	if (cmd.flow_attr.size || (i != flow_attr->num_of_specs)) {
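Review bot: The spec-walking loop in ib_uverbs_ex_create_flow checks that the remaining `cmd.flow_attr.size` covers the header and the declared `kern_spec->size`, but nothing in this hunk rejects a declared size smaller than the header itself. With a user-supplied size of 0 the cursor would not advance, and the same bytes would be passed to kern_spec_to_ib_spec on every iteration; whether that helper rejects such a spec is not visible here. Adding `kern_spec->size >= sizeof(*kern_spec) &&` to the loop condition would end the walk early and leave such input to the existing `cmd.flow_attr.size || (i != flow_attr->num_of_specs)` check. The function starts and ends outside the hunk.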
+1 −1
@@ -774,7 +774,7 @@ static int c4iw_set_page(struct ib_mr *ibmr, u64 addr)
{
	struct c4iw_mr *mhp = to_c4iw_mr(ibmr);

	if (unlikely(mhp->mpl_len == mhp->max_mpl_len))
	if (unlikely(mhp->mpl_len == mhp->attr.pbl_size))
		return -ENOMEM;

	mhp->mpl[mhp->mpl_len++] = addr;
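Review bot: The guard before `mhp->mpl[mhp->mpl_len++] = addr;` in c4iw_set_page is an equality test, so it bounds the write only if `mpl_len` can never already exceed `attr.pbl_size`. The allocation size of `mpl` and the code that sets `pbl_size` are outside this hunk, so that invariant cannot be confirmed from here. Writing the test as `if (unlikely(mhp->mpl_len >= mhp->attr.pbl_size))` would hold the bound regardless. A one-line comment stating that `mpl` has room for at least `attr.pbl_size` entries would also help; the function's end is outside the hunk.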
+1 −1
@@ -271,7 +271,7 @@ int hfi1_make_rc_req(struct rvt_qp *qp, struct hfi1_pkt_state *ps)

	lockdep_assert_held(&qp->s_lock);
	ps->s_txreq = get_txreq(ps->dev, qp);
	if (IS_ERR(ps->s_txreq))
	if (!ps->s_txreq)
		goto bail_no_tx;

	if (priv->hdr_type == HFI1_PKT_TYPE_9B) {
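Review bot: The new `if (!ps->s_txreq)` test in hfi1_make_rc_req is correct only if get_txreq() reports failure with NULL and never with an ERR_PTR, and that definition is not shown on this page. The same applies to the identical checks in hfi1_make_uc_req and hfi1_make_ud_req further down. I would add a comment at the get_txreq() definition, e.g. `/* Returns NULL on failure, never an ERR_PTR. */`, so later callers do not reintroduce IS_ERR(). It is also worth confirming that the `bail_no_tx` path, which lies outside these hunks, does not dereference `ps->s_txreq`.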
+2 −2
/*
 * Copyright(c) 2015, 2016 Intel Corporation.
 * Copyright(c) 2015 - 2018 Intel Corporation.
 *
 * This file is provided under a dual BSD/GPLv2 license.  When using or
 * redistributing this file, you may do so under either license.
@@ -72,7 +72,7 @@ int hfi1_make_uc_req(struct rvt_qp *qp, struct hfi1_pkt_state *ps)
	int middle = 0;

	ps->s_txreq = get_txreq(ps->dev, qp);
	if (IS_ERR(ps->s_txreq))
	if (!ps->s_txreq)
		goto bail_no_tx;

	if (!(ib_rvt_state_ops[qp->state] & RVT_PROCESS_SEND_OK)) {
+2 −2
/*
 * Copyright(c) 2015, 2016 Intel Corporation.
 * Copyright(c) 2015 - 2018 Intel Corporation.
 *
 * This file is provided under a dual BSD/GPLv2 license.  When using or
 * redistributing this file, you may do so under either license.
@@ -503,7 +503,7 @@ int hfi1_make_ud_req(struct rvt_qp *qp, struct hfi1_pkt_state *ps)
	u32 lid;

	ps->s_txreq = get_txreq(ps->dev, qp);
	if (IS_ERR(ps->s_txreq))
	if (!ps->s_txreq)
		goto bail_no_tx;

	if (!(ib_rvt_state_ops[qp->state] & RVT_PROCESS_NEXT_SEND_OK)) {