From: Markus Elfring <Markus.Elfring@web.de>
To: linux-rdma@vger.kernel.org, Cheng Xu <chengyou@linux.alibaba.com>,
Jason Gunthorpe <jgg@ziepe.ca>,
Kai Shen <kaishen@linux.alibaba.com>,
Leon Romanovsky <leon@kernel.org>,
Yang Li <yang.lee@linux.alibaba.com>
Cc: LKML <linux-kernel@vger.kernel.org>, kernel-janitors@vger.kernel.org
Subject: [PATCH v2] RDMA/erdma: Fix exception handling in erdma_accept_newconn()
Date: Thu, 13 Mar 2025 13:10:21 +0100
Message-ID: <2e9ae1d6-4bbb-470f-957f-bb6ea2e0829e@web.de>
From: Markus Elfring <elfring@users.sourceforge.net>
Date: Thu, 13 Mar 2025 11:44:50 +0100

The label “error” was used to jump to another pointer check despite
the detail in the implementation of the function “erdma_accept_newconn”
that it was determined already that corresponding variables still
contained null pointers.

1. Thus return directly if
   * the cep state is not the value “ERDMA_EPSTATE_LISTENING”
     or
   * a call of the function “erdma_cep_alloc” failed.

2. Use more appropriate labels instead.

3. Delete two questionable checks.

4. Omit extra initialisations (for the variables “new_cep”, “new_s” and “ret”)
   which became unnecessary with this refactoring.

This issue was detected by using the Coccinelle software.
Fixes: 920d93eac8b9 ("RDMA/erdma: Add connection management (CM) support")
Cc: stable@vger.kernel.org
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
---
See also:
* https://lore.kernel.org/cocci/167179d0-e1ea-39a8-4143-949ad57294c2@linux.alibaba.com/
* https://lkml.org/lkml/2023/3/19/191
V2:
The change suggestion was rebased on source files of the software “Linux next-20250313”.
A corresponding implementation detail was improved by the commit 83437689249e6a17b25e27712fbee292e42e7855
("RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()") on 2025-03-06.
drivers/infiniband/hw/erdma/erdma_cm.c | 37 +++++++++++---------------
1 file changed, 16 insertions(+), 21 deletions(-)
diff --git a/drivers/infiniband/hw/erdma/erdma_cm.c b/drivers/infiniband/hw/erdma/erdma_cm.c
index e0acc185e719..a7a79722e940 100644
--- a/drivers/infiniband/hw/erdma/erdma_cm.c
+++ b/drivers/infiniband/hw/erdma/erdma_cm.c
@@ -642,16 +642,16 @@ static int erdma_proc_mpareply(struct erdma_cep *cep)
static void erdma_accept_newconn(struct erdma_cep *cep)
{
struct socket *s = cep->sock;
- struct socket *new_s = NULL;
- struct erdma_cep *new_cep = NULL;
- int ret = 0;
+ struct socket *new_s;
+ struct erdma_cep *new_cep;
+ int ret;
if (cep->state != ERDMA_EPSTATE_LISTENING)
- goto error;
+ return;
new_cep = erdma_cep_alloc(cep->dev);
if (!new_cep)
- goto error;
+ return;
/*
* 4: Allocate a sufficient number of work elements
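Review bot: The two `goto error` to `return` conversions at the `cep->state` check and after `erdma_cep_alloc()` do not alter behaviour, which leaves the Fixes: and Cc: stable tags unsupported by this hunk. The removed `error:` block guarded both cleanups with `if (new_cep)` and `if (new_s)`, and both pointers were initialised to NULL, so these exits already did nothing. If the tags are kept, the commit message should name the failure being fixed; otherwise drop them and submit this as a cleanup.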
@@ -659,7 +659,7 @@ static void erdma_accept_newconn(struct erdma_cep *cep)
* events, MPA header processing + MPA timeout.
*/
if (erdma_cm_alloc_work(new_cep, 4) != 0)
- goto error;
+ goto put_cep;
/*
* Copy saved socket callbacks from listening CEP
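Review bot: `goto put_cep` on the `erdma_cm_alloc_work()` failure now skips `new_cep->state = ERDMA_EPSTATE_CLOSED` and `erdma_cancel_mpatimer(new_cep)`, which the old `error:` block ran for any non-NULL `new_cep` before `erdma_cep_put()`. The commit message presents the change as a refactoring and does not list this difference. Please either state in the commit message why a CEP that has not yet queued the MPA timeout work can be put without being marked closed, or keep those two statements on this path. The same applies to the `kernel_accept()` failure, which also jumps to `put_cep`.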
@@ -671,7 +671,7 @@ static void erdma_accept_newconn(struct erdma_cep *cep)
ret = kernel_accept(s, &new_s, O_NONBLOCK);
if (ret != 0)
- goto error;
+ goto put_cep;
new_cep->sock = new_s;
erdma_cep_get(new_cep);
@@ -682,7 +682,7 @@ static void erdma_accept_newconn(struct erdma_cep *cep)
ret = erdma_cm_queue_work(new_cep, ERDMA_CM_WORK_MPATIMEOUT);
if (ret)
- goto error;
+ goto disassoc_socket;
new_cep->listen_cep = cep;
erdma_cep_get(cep);
@@ -696,25 +696,20 @@ static void erdma_accept_newconn(struct erdma_cep *cep)
new_cep->listen_cep = NULL;
if (ret) {
erdma_cep_set_free(new_cep);
- goto error;
+ goto disassoc_socket;
}
}
erdma_cep_set_free(new_cep);
}
return;
-error:
- if (new_cep) {
- new_cep->state = ERDMA_EPSTATE_CLOSED;
- erdma_cancel_mpatimer(new_cep);
-
- erdma_cep_put(new_cep);
- }
-
- if (new_s) {
- erdma_socket_disassoc(new_s);
- sock_release(new_s);
- }
+disassoc_socket:
+ erdma_socket_disassoc(new_s);
+ sock_release(new_s);
+ new_cep->state = ERDMA_EPSTATE_CLOSED;
+ erdma_cancel_mpatimer(new_cep);
+put_cep:
+ erdma_cep_put(new_cep);
}
static int erdma_newconn_connected(struct erdma_cep *cep)
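Review bot: The `disassoc_socket:` block releases the socket before closing the CEP, the reverse of the removed `error:` block, and the commit message does not mention the reorder. Previously `new_cep->state = ERDMA_EPSTATE_CLOSED`, `erdma_cancel_mpatimer(new_cep)` and `erdma_cep_put(new_cep)` ran first, with `erdma_socket_disassoc(new_s)` and `sock_release(new_s)` last; now `sock_release(new_s)` runs while `new_cep->sock` still holds `new_s` and before the MPA timer is cancelled. Since the V2 note cites a recent use-after-free fix in this same function, please justify the new order in the commit message, or cancel the timer and mark the CEP closed before the socket is released.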
--
2.48.1