From patchwork Tue Apr 10 14:26:23 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Shamir Rabinovitch <shamir.rabinovitch@oracle.com>
X-Patchwork-Id: 10333271
Return-Path: <linux-rdma-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	9B45F60365 for <patchwork-linux-rdma@patchwork.kernel.org>;
	Tue, 10 Apr 2018 14:26:38 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8D3771FF83
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Tue, 10 Apr 2018 14:26:38 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 814C420182; Tue, 10 Apr 2018 14:26:38 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI, T_DKIM_INVALID,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5722D1FF83
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Tue, 10 Apr 2018 14:26:37 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753704AbeDJO0g (ORCPT
	<rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
	Tue, 10 Apr 2018 10:26:36 -0400
Received: from userp2120.oracle.com ([156.151.31.85]:59438 "EHLO
	userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753508AbeDJO0f (ORCPT
	<rfc822; linux-rdma@vger.kernel.org>); Tue, 10 Apr 2018 10:26:35 -0400
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1])
	by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id
	w3AEPt9h089224
	for <linux-rdma@vger.kernel.org>; Tue, 10 Apr 2018 14:26:34 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;
	h=from : to : subject : date : message-id; s=corp-2017-10-26;
	bh=Ay3UliVCS4U60oNSfYzdNJQJzyHEvnwScmvVI12Y6Lg=;
	b=ke0VAOrs9trvVlXuoetGoLtUhNvdcTeOBoi8jJUW5DylJ8fFJHUe4DJhzxn2AbvshoNs
	8wg0D3dJtfEbAkBh00AzZzMu4WhauM5jAXDgCmD+6vWShScaE4txas1oTW8GmJ+nJ9x9
	Gvc3ATyoV8xCGplXVP5UWXj4sgToi+owzj1TneHmUTHPZG6qyWvsdLMYT+clW7FWIWOU
	V4zWrcjPHV0n7y6eUicuSvrXMZNWnE/mCe8aL5mFn1hsrdNZ3DgwolIrVqcs+T+RxXlw
	dFoMKx/dypDxK3aZnN7N2zGQJPbJQMaAk3zTDxSCkHVn4uF6YSW5KYCCAQpPMnxCyTWW
	2g==
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74])
	by userp2120.oracle.com with ESMTP id 2h6pn4jcse-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
	verify=OK)
	for <linux-rdma@vger.kernel.org>; Tue, 10 Apr 2018 14:26:34 +0000
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236])
	by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id
	w3AEQYtM019478
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=OK)
	for <linux-rdma@vger.kernel.org>; Tue, 10 Apr 2018 14:26:34 GMT
Received: from abhmp0012.oracle.com (abhmp0012.oracle.com [141.146.116.18])
	by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id
	w3AEQXo1009445
	for <linux-rdma@vger.kernel.org>; Tue, 10 Apr 2018 14:26:33 GMT
Received: from shamir-net-srv.us.oracle.com (/10.211.3.142)
	by default (Oracle Beehive Gateway v4.0)
	with ESMTP ; Tue, 10 Apr 2018 07:26:33 -0700
From: Shamir Rabinovitch <shamir.rabinovitch@oracle.com>
To: linux-rdma@vger.kernel.org
Subject: [PATCH] RDMA/ucma: ucma_context reference leak in error path
Date: Tue, 10 Apr 2018 10:26:23 -0400
Message-Id: <1523370383-6766-1-git-send-email-shamir.rabinovitch@oracle.com>
X-Mailer: git-send-email 1.7.1
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8858
	signatures=668698
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0
	suspectscore=1 malwarescore=0
	phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999
	adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
	engine=8.0.1-1711220000 definitions=main-1804100143
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Commit 6a21dfc ("RDMA/ucma: Limit possible option size") introduced
a bug. running below command would cause tool hanged task warning:
$ udaddy -c 1000 -C 1000 -S 1024 -t 3 -s <server-ip>

Below prints explain what happen:
udaddy: set TOS option failed: Invalid argument

This issue is taken care by commit, 5f3e3b8 ("RDMA/ucma: Correct option
size check using optlen") however this commit did not fix another
issue introduced by commit 6a21dfc where ucma_context ref can leak in
error path.

Fix it!

Fixes: 6a21dfc ("6a21dfc RDMA/ucma: Limit possible option size")
Signed-off-by: Shamir Rabinovitch <shamir.rabinovitch@oracle.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
---
 drivers/infiniband/core/ucma.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 7432948..53cac78 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1320,8 +1320,10 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf,
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
-	if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
-		return -EINVAL;
+	if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) {
+		ret = -EINVAL;
+		goto out;
+	}
 
 	optval = memdup_user(u64_to_user_ptr(cmd.optval),
 			     cmd.optlen);