Date: Tue, 17 Jul 2018 09:14:21 +0000 (UTC) From: Hans Petter Selasky <hselasky@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r336374 - head/sys/ofed/drivers/infiniband/core Message-ID: <201807170914.w6H9EL5n013213@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: hselasky Date: Tue Jul 17 09:14:20 2018 New Revision: 336374 URL: https://svnweb.freebsd.org/changeset/base/336374 Log: Avoid that ib_drain_qp() triggers an out-of-bounds stack access in ibcore. Linux commit: a1ae7d0345edd593d6725d3218434d903a0af95d MFC after: 1 week Sponsored by: Mellanox Technologies Modified: head/sys/ofed/drivers/infiniband/core/ib_verbs.c Modified: head/sys/ofed/drivers/infiniband/core/ib_verbs.c ============================================================================== --- head/sys/ofed/drivers/infiniband/core/ib_verbs.c Tue Jul 17 09:13:11 2018 (r336373) +++ head/sys/ofed/drivers/infiniband/core/ib_verbs.c Tue Jul 17 09:14:20 2018 (r336374) @@ -1940,7 +1940,13 @@ static void __ib_drain_sq(struct ib_qp *qp) { struct ib_qp_attr attr = { .qp_state = IB_QPS_ERR }; struct ib_drain_cqe sdrain; - struct ib_send_wr swr = {}, *bad_swr; + struct ib_send_wr *bad_swr; + struct ib_rdma_wr swr = { + .wr = { + .opcode = IB_WR_RDMA_WRITE, + .wr_cqe = &sdrain.cqe, + }, + }; int ret; if (qp->send_cq->poll_ctx == IB_POLL_DIRECT) { @@ -1949,7 +1955,6 @@ static void __ib_drain_sq(struct ib_qp *qp) return; } - swr.wr_cqe = &sdrain.cqe; sdrain.cqe.done = ib_drain_qp_done; init_completion(&sdrain.done); @@ -1959,7 +1964,7 @@ static void __ib_drain_sq(struct ib_qp *qp) return; } - ret = ib_post_send(qp, &swr, &bad_swr); + ret = ib_post_send(qp, &swr.wr, &bad_swr); if (ret) { WARN_ONCE(ret, "failed to drain send queue: %d\n", ret); return;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201807170914.w6H9EL5n013213>