From patchwork Sat May 30 06:11:27 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roland Dreier X-Patchwork-Id: 6512341 Return-Path: X-Original-To: patchwork-linux-rdma@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id BC2069F1CC for ; Sat, 30 May 2015 06:17:20 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id D6FB9207E6 for ; Sat, 30 May 2015 06:17:19 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D674A207E1 for ; Sat, 30 May 2015 06:17:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751063AbbE3GRM (ORCPT ); Sat, 30 May 2015 02:17:12 -0400 Received: from na3sys010aog104.obsmtp.com ([74.125.245.76]:60551 "EHLO mail-ig0-f171.google.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751225AbbE3GRL (ORCPT ); Sat, 30 May 2015 02:17:11 -0400 X-Greylist: delayed 393 seconds by postgrey-1.27 at vger.kernel.org; Sat, 30 May 2015 02:17:11 EDT Received: from mail-ig0-f171.google.com ([209.85.213.171]) (using TLSv1) by na3sys010aob104.postini.com ([74.125.244.12]) with SMTP ID DSNKVWlV56zj1gzmALPo689LOfQO8CGgoJ3z@postini.com; Fri, 29 May 2015 23:17:11 PDT Received: by igbjd9 with SMTP id jd9so29562700igb.1 for ; Fri, 29 May 2015 23:17:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=purestorage.com; s=google; h=sender:from:to:cc:subject:date:message-id; bh=QR2Fk7fb8ax8RRqgUlS54d24MJAAMXfINNEV+AiVX2E=; b=eGvLwysJpy8pHULipWnjYw6BtV+IMJJuTavVqElBaqHYYRZz9rEPBpScZGXdlSvEQt f1IVAbgtXwynCzF9C4e7Nhfvz5dOvBT3RBLUoQM93LJi/izjzs/B+UV7v3au7LklS0eE oPPzJeIFFltaI9EBYT1mD8fHxBQM/61J/lSpw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id; bh=QR2Fk7fb8ax8RRqgUlS54d24MJAAMXfINNEV+AiVX2E=; b=H0YGMiAnRje6qQL6uP1NijbDb4x4B5aRCQ5ZJfFZcEhAb6/U+yJXz0oeQKJac73RbL 6DMZE6dpDXkxKkXXdomhSh7sunHBg8W3CJgiL/tj1KP9tNjmFrHSjlUgj3mXmeRxaQ7F bIKom8pb8Ux/HEZ/tjR92KyZpfPQYoRKDRWak0BV0qyx9PGE63osXD+VZ+kN8jSfSPfh u0v3n9+2OkV6Z7VnF30wdNw5W9aIjWT98BLdZPnUDL/YuLR9Gh0VJvAPEU6DMargWjUU xVrvSkshAWIU+CEqE8L5Bzkqm05DXNiyJUvCtCsmpOWu+A6Dy0z4W6oOHFchl95PU5lw 3r1g== X-Received: by 10.50.64.244 with SMTP id r20mr1266543igs.33.1432966294027; Fri, 29 May 2015 23:11:34 -0700 (PDT) X-Gm-Message-State: ALoCoQnh1ZaVk0eMDQrZ/74ba9/IYxNyb+bITLJ0VrEcJbaNYA6jREAJrovKZT5vTKRHG1sX8kQxpM6mpZ/ta26pAteUyHUZqj7NbdVBtJlPngyamKFFzMDWFh8F81yw8iQy1Sm4WOYs+g0ZOjZo/rEInr0UlQKQEg== X-Received: by 10.50.64.244 with SMTP id r20mr1266538igs.33.1432966293950; Fri, 29 May 2015 23:11:33 -0700 (PDT) Received: from roland-t440p.purestorage.com (50-206-43-50-static.hfc.comcastbusiness.net. [50.206.43.50]) by mx.google.com with ESMTPSA id d4sm3174404igl.1.2015.05.29.23.11.31 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 29 May 2015 23:11:32 -0700 (PDT) From: Roland Dreier To: Doug Ledford Cc: Or Gerlitz , linux-rdma@vger.kernel.org Subject: [PATCH 2/3] IB/mlx4: Fix error paths in mlx4_ib_create_flow() Date: Fri, 29 May 2015 23:11:27 -0700 Message-Id: <1432966287-12181-1-git-send-email-roland@kernel.org> X-Mailer: git-send-email 2.1.4 Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Roland Dreier The unwinding clean up code are err_create_flow starts at the current index i. That means we shouldn't increment i until we're really sure we won't have to destroy the current flow; otherwise we might increment the index, fail inside an is_bonded block, and end up accessing off the end of the reg_id[] array. This was detected by Coverity (CID 1271229). Signed-off-by: Roland Dreier --- drivers/infiniband/hw/mlx4/main.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c index cc64400d41ac..8191e176c5b7 100644 --- a/drivers/infiniband/hw/mlx4/main.c +++ b/drivers/infiniband/hw/mlx4/main.c @@ -1185,7 +1185,6 @@ static struct ib_flow *mlx4_ib_create_flow(struct ib_qp *qp, &mflow->reg_id[i].id); if (err) goto err_create_flow; - i++; if (is_bonded) { /* Application always sees one port so the mirror rule * must be on port #2 @@ -1200,6 +1199,7 @@ static struct ib_flow *mlx4_ib_create_flow(struct ib_qp *qp, j++; } + i++; } if (i < ARRAY_SIZE(type) && flow_attr->type == IB_FLOW_ATTR_NORMAL) { @@ -1207,7 +1207,7 @@ static struct ib_flow *mlx4_ib_create_flow(struct ib_qp *qp, &mflow->reg_id[i].id); if (err) goto err_create_flow; - i++; + if (is_bonded) { flow_attr->port = 2; err = mlx4_ib_tunnel_steer_add(qp, flow_attr, @@ -1218,6 +1218,7 @@ static struct ib_flow *mlx4_ib_create_flow(struct ib_qp *qp, j++; } /* function to create mirror rule */ + i++; } return &mflow->ibflow;