Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 303851e1 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma 

Pull rdma fixes from Jason Gunthorpe:
 "Not much exciting here, almost entirely syzkaller fixes.

  This is going to be on ongoing theme for some time, I think. Both
  Google and Mellanox are now running syzkaller on different parts of
  the user API.

  Summary:

   - Many bug fixes related to syzkaller from Leon Romanovsky. These are
     still for the mlx driver and ucma interface.

   - Fix a situation with port reuse for iWarp, discovered during
     scale-up testing

   - Bug fixes for the profile and restrack patches accepted during this
     merge window

   - Compile warning cleanups from Arnd, this is apparently the last
     warning to make 32 bit builds quiet"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/ucma: Ensure that CM_ID exists prior to access it
  RDMA/verbs: Remove restrack entry from XRCD structure
  RDMA/ucma: Fix use-after-free access in ucma_close
  RDMA/ucma: Check AF family prior resolving address
  infiniband: bnxt_re: use BIT_ULL() for 64-bit bit masks
  infiniband: qplib_fp: fix pointer cast
  IB/mlx5: Fix cleanup order on unload
  RDMA/ucma: Don't allow join attempts for unsupported AF family
  RDMA/ucma: Fix access to non-initialized CM_ID object
  RDMA/core: Do not use invalid destination in determining port reuse
  RDMA/mlx5: Fix crash while accessing garbage pointer and freed memory
  IB/mlx5: Fix integer overflows in mlx5_ib_create_srq
  IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq
parents 76c0b6a3 e8980d67

drivers/infiniband/core/cma.c

+10 −5
Original line number Diff line number Diff line
@@ -3069,7 +3069,8 @@ static int cma_port_is_unique(struct rdma_bind_list *bind_list, 
			continue;



		/* different dest port -> unique */

		if (!cma_any_port(cur_daddr) &&

		if (!cma_any_port(daddr) &&

		    !cma_any_port(cur_daddr) &&

		    (dport != cur_dport))

			continue;
@@ -3080,7 +3081,8 @@ static int cma_port_is_unique(struct rdma_bind_list *bind_list, 
			continue;



		/* different dst address -> unique */

		if (!cma_any_addr(cur_daddr) &&

		if (!cma_any_addr(daddr) &&

		    !cma_any_addr(cur_daddr) &&

		    cma_addr_cmp(daddr, cur_daddr))

			continue;
@@ -3378,13 +3380,13 @@ int rdma_bind_addr(struct rdma_cm_id *id, struct sockaddr *addr) 
		}

#endif

	}

	daddr = cma_dst_addr(id_priv);

	daddr->sa_family = addr->sa_family;



	ret = cma_get_port(id_priv);

	if (ret)

		goto err2;



	daddr = cma_dst_addr(id_priv);

	daddr->sa_family = addr->sa_family;



	return 0;

err2:

	if (id_priv->cma_dev)
@@ -4173,6 +4175,9 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr, 
	struct cma_multicast *mc;

	int ret;



	if (!id->device)

		return -EINVAL;



	id_priv = container_of(id, struct rdma_id_private, id);

	if (!cma_comp(id_priv, RDMA_CM_ADDR_BOUND) &&

	    !cma_comp(id_priv, RDMA_CM_ADDR_RESOLVED))

drivers/infiniband/core/ucma.c

+26 −10
Original line number Diff line number Diff line
@@ -132,7 +132,7 @@ static inline struct ucma_context *_ucma_find_context(int id, 
	ctx = idr_find(&ctx_idr, id);

	if (!ctx)

		ctx = ERR_PTR(-ENOENT);

	else if (ctx->file != file)

	else if (ctx->file != file || !ctx->cm_id)

		ctx = ERR_PTR(-EINVAL);

	return ctx;

}
@@ -456,6 +456,7 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf, 
	struct rdma_ucm_create_id cmd;

	struct rdma_ucm_create_id_resp resp;

	struct ucma_context *ctx;

	struct rdma_cm_id *cm_id;

	enum ib_qp_type qp_type;

	int ret;
@@ -476,10 +477,10 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf, 
		return -ENOMEM;



	ctx->uid = cmd.uid;

	ctx->cm_id = rdma_create_id(current->nsproxy->net_ns,

	cm_id = rdma_create_id(current->nsproxy->net_ns,

			       ucma_event_handler, ctx, cmd.ps, qp_type);

	if (IS_ERR(ctx->cm_id)) {

		ret = PTR_ERR(ctx->cm_id);

	if (IS_ERR(cm_id)) {

		ret = PTR_ERR(cm_id);

		goto err1;

	}
@@ -489,14 +490,19 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf, 
		ret = -EFAULT;

		goto err2;

	}



	ctx->cm_id = cm_id;

	return 0;



err2:

	rdma_destroy_id(ctx->cm_id);

	rdma_destroy_id(cm_id);

err1:

	mutex_lock(&mut);

	idr_remove(&ctx_idr, ctx->id);

	mutex_unlock(&mut);

	mutex_lock(&file->mut);

	list_del(&ctx->list);

	mutex_unlock(&file->mut);

	kfree(ctx);

	return ret;

}
@@ -664,19 +670,23 @@ static ssize_t ucma_resolve_ip(struct ucma_file *file, 
			       int in_len, int out_len)

{

	struct rdma_ucm_resolve_ip cmd;

	struct sockaddr *src, *dst;

	struct ucma_context *ctx;

	int ret;



	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))

		return -EFAULT;



	src = (struct sockaddr *) &cmd.src_addr;

	dst = (struct sockaddr *) &cmd.dst_addr;

	if (!rdma_addr_size(src) || !rdma_addr_size(dst))

		return -EINVAL;



	ctx = ucma_get_ctx(file, cmd.id);

	if (IS_ERR(ctx))

		return PTR_ERR(ctx);



	ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,

				(struct sockaddr *) &cmd.dst_addr,

				cmd.timeout_ms);

	ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);

	ucma_put_ctx(ctx);

	return ret;

}
@@ -1349,7 +1359,7 @@ static ssize_t ucma_process_join(struct ucma_file *file, 
		return -ENOSPC;



	addr = (struct sockaddr *) &cmd->addr;

	if (!cmd->addr_size || (cmd->addr_size != rdma_addr_size(addr)))

	if (cmd->addr_size != rdma_addr_size(addr))

		return -EINVAL;



	if (cmd->join_flags == RDMA_MC_JOIN_FLAG_FULLMEMBER)
@@ -1417,6 +1427,9 @@ static ssize_t ucma_join_ip_multicast(struct ucma_file *file, 
	join_cmd.uid = cmd.uid;

	join_cmd.id = cmd.id;

	join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);

	if (!join_cmd.addr_size)

		return -EINVAL;



	join_cmd.join_flags = RDMA_MC_JOIN_FLAG_FULLMEMBER;

	memcpy(&join_cmd.addr, &cmd.addr, join_cmd.addr_size);
@@ -1432,6 +1445,9 @@ static ssize_t ucma_join_multicast(struct ucma_file *file, 
	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))

		return -EFAULT;



	if (!rdma_addr_size((struct sockaddr *)&cmd.addr))

		return -EINVAL;



	return ucma_process_join(file, &cmd, out_len);

}

drivers/infiniband/hw/bnxt_re/bnxt_re.h

+2 −2
Original line number Diff line number Diff line
@@ -57,8 +57,8 @@ 
#define BNXT_RE_PAGE_SIZE_8M		BIT(BNXT_RE_PAGE_SHIFT_8M)

#define BNXT_RE_PAGE_SIZE_1G		BIT(BNXT_RE_PAGE_SHIFT_1G)



#define BNXT_RE_MAX_MR_SIZE_LOW		BIT(BNXT_RE_PAGE_SHIFT_1G)

#define BNXT_RE_MAX_MR_SIZE_HIGH	BIT(39)

#define BNXT_RE_MAX_MR_SIZE_LOW		BIT_ULL(BNXT_RE_PAGE_SHIFT_1G)

#define BNXT_RE_MAX_MR_SIZE_HIGH	BIT_ULL(39)

#define BNXT_RE_MAX_MR_SIZE		BNXT_RE_MAX_MR_SIZE_HIGH



#define BNXT_RE_MAX_QPC_COUNT		(64 * 1024)

drivers/infiniband/hw/bnxt_re/ib_verbs.c

+1 −1
Original line number Diff line number Diff line
@@ -3598,7 +3598,7 @@ struct ib_mr *bnxt_re_reg_user_mr(struct ib_pd *ib_pd, u64 start, u64 length, 
	int umem_pgs, page_shift, rc;



	if (length > BNXT_RE_MAX_MR_SIZE) {

		dev_err(rdev_to_dev(rdev), "MR Size: %lld > Max supported:%ld\n",

		dev_err(rdev_to_dev(rdev), "MR Size: %lld > Max supported:%lld\n",

			length, BNXT_RE_MAX_MR_SIZE);

		return ERR_PTR(-ENOMEM);

	}

drivers/infiniband/hw/bnxt_re/qplib_fp.c

+2 −2
Original line number Diff line number Diff line
@@ -243,7 +243,7 @@ static void bnxt_qplib_service_nq(unsigned long data) 
	u32 sw_cons, raw_cons;

	u16 type;

	int budget = nq->budget;

	u64 q_handle;

	uintptr_t q_handle;



	/* Service the NQ until empty */

	raw_cons = hwq->cons;
@@ -526,7 +526,7 @@ int bnxt_qplib_create_srq(struct bnxt_qplib_res *res, 


	/* Configure the request */

	req.dpi = cpu_to_le32(srq->dpi->dpi);

	req.srq_handle = cpu_to_le64(srq);

	req.srq_handle = cpu_to_le64((uintptr_t)srq);



	req.srq_size = cpu_to_le16((u16)srq->hwq.max_elements);

	pbl = &srq->hwq.pbl[PBL_LVL_0];