From: Dan Carpenter <dan.carpenter@oracle.com>
To: Moni Shoua <monis@mellanox.com>
Cc: Doug Ledford <dledford@redhat.com>,
Sean Hefty <sean.hefty@intel.com>,
Hal Rosenstock <hal.rosenstock@gmail.com>,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: [patch] IB/rxe: fix error code in rxe_srq_from_init()
Date: Mon, 13 Jun 2016 06:53:41 +0000 [thread overview]
Message-ID: <20160613065341.GA5993@mwanda> (raw)
If copy_to_user() fails then it returns the number of bytes not copied.
It would be between 1-4 here. Later the callers dereference it leading
to an Oops.
It was sort of hard to fix this without making the code confusing so I
did a little cleanup.
Fixes: 443c15d23220 ('IB/rxe: Shared Receive Queue (SRQ) manipulation functions')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/infiniband/hw/rxe/rxe_srq.c b/drivers/infiniband/hw/rxe/rxe_srq.c
index 22c57d1..2a6e3cd 100644
--- a/drivers/infiniband/hw/rxe/rxe_srq.c
+++ b/drivers/infiniband/hw/rxe/rxe_srq.c
@@ -121,8 +121,7 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
srq_wqe_size);
if (!q) {
pr_warn("unable to allocate queue for srq\n");
- err = -ENOMEM;
- goto err1;
+ return -ENOMEM;
}
srq->rq.queue = q;
@@ -130,15 +129,14 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
err = do_mmap_info(rxe, udata, false, context, q->buf,
q->buf_size, &q->ip);
if (err)
- goto err1;
+ return err;
- if (udata && udata->outlen >= sizeof(struct mminfo) + sizeof(u32))
- return copy_to_user(udata->outbuf + sizeof(struct mminfo),
- &srq->srq_num, sizeof(u32));
- else
- return 0;
-err1:
- return err;
+ if (udata && udata->outlen >= sizeof(struct mminfo) + sizeof(u32)) {
+ if (copy_to_user(udata->outbuf + sizeof(struct mminfo),
+ &srq->srq_num, sizeof(u32)))
+ return -EFAULT;
+ }
+ return 0;
}
int rxe_srq_from_attr(struct rxe_dev *rxe, struct rxe_srq *srq,
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Moni Shoua <monis@mellanox.com>
Cc: Doug Ledford <dledford@redhat.com>,
Sean Hefty <sean.hefty@intel.com>,
Hal Rosenstock <hal.rosenstock@gmail.com>,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: [patch] IB/rxe: fix error code in rxe_srq_from_init()
Date: Mon, 13 Jun 2016 09:53:41 +0300 [thread overview]
Message-ID: <20160613065341.GA5993@mwanda> (raw)
If copy_to_user() fails then it returns the number of bytes not copied.
It would be between 1-4 here. Later the callers dereference it leading
to an Oops.
It was sort of hard to fix this without making the code confusing so I
did a little cleanup.
Fixes: 443c15d23220 ('IB/rxe: Shared Receive Queue (SRQ) manipulation functions')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/infiniband/hw/rxe/rxe_srq.c b/drivers/infiniband/hw/rxe/rxe_srq.c
index 22c57d1..2a6e3cd 100644
--- a/drivers/infiniband/hw/rxe/rxe_srq.c
+++ b/drivers/infiniband/hw/rxe/rxe_srq.c
@@ -121,8 +121,7 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
srq_wqe_size);
if (!q) {
pr_warn("unable to allocate queue for srq\n");
- err = -ENOMEM;
- goto err1;
+ return -ENOMEM;
}
srq->rq.queue = q;
@@ -130,15 +129,14 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
err = do_mmap_info(rxe, udata, false, context, q->buf,
q->buf_size, &q->ip);
if (err)
- goto err1;
+ return err;
- if (udata && udata->outlen >= sizeof(struct mminfo) + sizeof(u32))
- return copy_to_user(udata->outbuf + sizeof(struct mminfo),
- &srq->srq_num, sizeof(u32));
- else
- return 0;
-err1:
- return err;
+ if (udata && udata->outlen >= sizeof(struct mminfo) + sizeof(u32)) {
+ if (copy_to_user(udata->outbuf + sizeof(struct mminfo),
+ &srq->srq_num, sizeof(u32)))
+ return -EFAULT;
+ }
+ return 0;
}
int rxe_srq_from_attr(struct rxe_dev *rxe, struct rxe_srq *srq,
next reply other threads:[~2016-06-13 6:53 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-13 6:53 Dan Carpenter [this message]
2016-06-13 6:53 ` [patch] IB/rxe: fix error code in rxe_srq_from_init() Dan Carpenter
2016-06-13 7:24 ` Moni Shoua
2016-06-13 7:24 ` Moni Shoua
2016-06-13 13:20 ` Leon Romanovsky
2016-06-13 13:20 ` Leon Romanovsky
2016-06-13 13:20 ` Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160613065341.GA5993@mwanda \
--to=dan.carpenter@oracle.com \
--cc=dledford@redhat.com \
--cc=hal.rosenstock@gmail.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=monis@mellanox.com \
--cc=sean.hefty@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.