Date:      Thu, 2 Aug 2018 08:17:09 +0000 (UTC)
From:      Hans Petter Selasky <hselasky@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r337079 - stable/11/sys/ofed/drivers/infiniband/core
Message-ID:  <201808020817.w728H97S039578@repo.freebsd.org>

Author: hselasky
Date: Thu Aug  2 08:17:09 2018
New Revision: 337079
URL: https://svnweb.freebsd.org/changeset/base/337079

Log:
  MFC r336373:
  Ensure that CM_ID exists prior to access it in ibcore.
  
  Before UCMA commands are accessed, the context should be initialized
  and connected to a CM_ID with ucma_create_id(). If the user skips
  this step, they can provide an invalid ctx without a CM_ID and cause
  multiple NULL dereferences.
  
  Also there are situations where the create_id can be raced with
  other user access, ensure that the context is only shared to
  other threads once it is fully initialized to avoid the races.
  
  Linux commit:
  e8980d67d6017c8eee8f9c35f782c4bd68e004c9
  
  Sponsored by:		Mellanox Technologies

Modified:
  stable/11/sys/ofed/drivers/infiniband/core/ib_ucma.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/ofed/drivers/infiniband/core/ib_ucma.c
==============================================================================
--- stable/11/sys/ofed/drivers/infiniband/core/ib_ucma.c	Thu Aug  2 08:15:05 2018	(r337078)
+++ stable/11/sys/ofed/drivers/infiniband/core/ib_ucma.c	Thu Aug  2 08:17:09 2018	(r337079)
@@ -124,7 +124,7 @@ static inline struct ucma_context *_ucma_find_context(
 	ctx = idr_find(&ctx_idr, id);
 	if (!ctx)
 		ctx = ERR_PTR(-ENOENT);
-	else if (ctx->file != file)
+	else if (ctx->file != file || !ctx->cm_id)
 		ctx = ERR_PTR(-EINVAL);
 	return ctx;
 }
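Review bot: The new `!ctx->cm_id` test carries no comment explaining why a context that is present in `ctx_idr` and owned by this file can still lack a cm_id, so the next reader cannot tell a deliberate publication guard from a stray NULL check. I would add `/* cm_id is assigned last in ucma_create_id(); NULL means the context is not yet usable */` above the `else if`. The guard only protects callers that obtain the context through this lookup; any path that reaches a `struct ucma_context` another way (none is visible here) would need its own check before using `ctx->cm_id`. The function starts above the hunk.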
@@ -446,6 +446,7 @@ static ssize_t ucma_create_id(struct ucma_file *file, 
 	struct rdma_ucm_create_id cmd;
 	struct rdma_ucm_create_id_resp resp;
 	struct ucma_context *ctx;
+	struct rdma_cm_id *cm_id;
 	enum ib_qp_type qp_type;
 	int ret;
 
@@ -466,10 +467,10 @@ static ssize_t ucma_create_id(struct ucma_file *file, 
 		return -ENOMEM;
 
 	ctx->uid = cmd.uid;
-	ctx->cm_id = rdma_create_id(TD_TO_VNET(curthread),
-				    ucma_event_handler, ctx, cmd.ps, qp_type);
-	if (IS_ERR(ctx->cm_id)) {
-		ret = PTR_ERR(ctx->cm_id);
+	cm_id = rdma_create_id(TD_TO_VNET(curthread),
+			       ucma_event_handler, ctx, cmd.ps, qp_type);
+	if (IS_ERR(cm_id)) {
+		ret = PTR_ERR(cm_id);
 		goto err1;
 	}
 
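Review bot: `rdma_create_id()` still receives `ctx` as the handler context while `ctx->cm_id` is deliberately left NULL, and nothing at the call site says so. A comment such as `/* keep cm_id local: ctx is already visible via ctx_idr, so ctx->cm_id stays NULL until setup succeeds */` would record the intent (the err1 path's `idr_remove()` suggests the context is in the idr by this point). It is also worth confirming that `ucma_event_handler`, whose body is not in this diff, never reads `ctx->cm_id` for an event delivered before the assignment later in ucma_create_id(). The function begins and ends outside this hunk.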
@@ -479,10 +480,12 @@ static ssize_t ucma_create_id(struct ucma_file *file, 
 		ret = -EFAULT;
 		goto err2;
 	}
+
+	ctx->cm_id = cm_id;
 	return 0;
 
 err2:
-	rdma_destroy_id(ctx->cm_id);
+	rdma_destroy_id(cm_id);
 err1:
 	mutex_lock(&mut);
 	idr_remove(&ctx_idr, ctx->id);
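Review bot: The publishing store `ctx->cm_id = cm_id;` is a plain assignment with no lock or barrier visible around it, while the reader this commit adds in `_ucma_find_context()` tests the same field from other threads. If lookups run under `mut` (the lock taken on the err1 path here), taking it around the store would pair the writer with that reader and order the cm_id's initialization before the pointer becomes visible: `mutex_lock(&mut); ctx->cm_id = cm_id; mutex_unlock(&mut);`. The start of ucma_create_id() and the rest of the err1 cleanup are outside the hunk, so whether the remaining teardown tolerates a context whose cm_id was never set cannot be checked from here.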


