From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga04.intel.com ([192.55.52.120]:47182 "EHLO mga04.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752444AbdDIRPd (ORCPT ); Sun, 9 Apr 2017 13:15:33 -0400 Subject: [PATCH 01/20] IB/core: If the MGID/MLID pair is not on the list return an error From: Dennis Dalessandro To: dledford@redhat.com Cc: linux-rdma@vger.kernel.org, Leon Romanovsky , Ira Weiny , stable@vger.kernel.org, "Michael J. Ruhl" Date: Sun, 09 Apr 2017 10:15:32 -0700 Message-ID: <20170409171530.10579.69447.stgit@scvm10.sc.intel.com> In-Reply-To: <20170409171329.10579.92775.stgit@scvm10.sc.intel.com> References: <20170409171329.10579.92775.stgit@scvm10.sc.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: stable-owner@vger.kernel.org List-ID: From: Michael J. Ruhl A list of MGID/MLID pairs is built when doing a multicast attach. When the multicast detach is called, the list is searched, and regardless of the search outcome, the driver detach is called. If an MGID/MLID pair is not on the list, driver detach should not be called, and an error should be returned. Calling the driver without removing an MGID/MLID pair from the list can leave the core and driver out of sync. Fixes: f4e401562c11 ("IB/uverbs: track multicast group membership for userspace QPs") Cc: stable@vger.kernel.org Reviewed-by: Ira Weiny Reviewed-by: Leon Romanovsky Signed-off-by: Michael J. Ruhl Signed-off-by: Dennis Dalessandro --- drivers/infiniband/core/uverbs_cmd.c | 13 +++++++++---- 1 files changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index b9024fa..27fcbeb 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -2647,6 +2647,7 @@ ssize_t ib_uverbs_detach_mcast(struct ib_uverbs_file *file, struct ib_qp *qp; struct ib_uverbs_mcast_entry *mcast; int ret = -EINVAL; + bool found = false; if (copy_from_user(&cmd, buf, sizeof cmd)) return -EFAULT; @@ -2658,18 +2659,22 @@ ssize_t ib_uverbs_detach_mcast(struct ib_uverbs_file *file, obj = container_of(qp->uobject, struct ib_uqp_object, uevent.uobject); mutex_lock(&obj->mcast_lock); - ret = ib_detach_mcast(qp, (union ib_gid *) cmd.gid, cmd.mlid); - if (ret) - goto out_put; - list_for_each_entry(mcast, &obj->mcast_list, list) if (cmd.mlid == mcast->lid && !memcmp(cmd.gid, mcast->gid.raw, sizeof mcast->gid.raw)) { list_del(&mcast->list); kfree(mcast); + found = true; break; } + if (!found) { + ret = -EINVAL; + goto out_put; + } + + ret = ib_detach_mcast(qp, (union ib_gid *)cmd.gid, cmd.mlid); + out_put: mutex_unlock(&obj->mcast_lock); uobj_put_obj_read(qp);