| Message ID | 20160613065341.GA5993@mwanda (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
On Mon, Jun 13, 2016 at 9:53 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote: > If copy_to_user() fails then it returns the number of bytes not copied. > It would be between 1-4 here. Later the callers dereference it leading > to an Oops. > > It was sort of hard to fix this without making the code confusing so I > did a little cleanup. > > Fixes: 443c15d23220 ('IB/rxe: Shared Receive Queue (SRQ) manipulation functions') > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Thanks Dan I'll merge it to next series -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Jun 13, 2016 at 09:53:41AM +0300, Dan Carpenter wrote: > If copy_to_user() fails then it returns the number of bytes not copied. > It would be between 1-4 here. Later the callers dereference it leading > to an Oops. > > It was sort of hard to fix this without making the code confusing so I > did a little cleanup. > > Fixes: 443c15d23220 ('IB/rxe: Shared Receive Queue (SRQ) manipulation functions') > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Thanks Dan, I applied it on topic/rxe.
diff --git a/drivers/infiniband/hw/rxe/rxe_srq.c b/drivers/infiniband/hw/rxe/rxe_srq.c index 22c57d1..2a6e3cd 100644 --- a/drivers/infiniband/hw/rxe/rxe_srq.c +++ b/drivers/infiniband/hw/rxe/rxe_srq.c @@ -121,8 +121,7 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, srq_wqe_size); if (!q) { pr_warn("unable to allocate queue for srq\n"); - err = -ENOMEM; - goto err1; + return -ENOMEM; } srq->rq.queue = q; @@ -130,15 +129,14 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, err = do_mmap_info(rxe, udata, false, context, q->buf, q->buf_size, &q->ip); if (err) - goto err1; + return err; - if (udata && udata->outlen >= sizeof(struct mminfo) + sizeof(u32)) - return copy_to_user(udata->outbuf + sizeof(struct mminfo), - &srq->srq_num, sizeof(u32)); - else - return 0; -err1: - return err; + if (udata && udata->outlen >= sizeof(struct mminfo) + sizeof(u32)) { + if (copy_to_user(udata->outbuf + sizeof(struct mminfo), + &srq->srq_num, sizeof(u32))) + return -EFAULT; + } + return 0; } int rxe_srq_from_attr(struct rxe_dev *rxe, struct rxe_srq *srq,
If copy_to_user() fails then it returns the number of bytes not copied. It would be between 1-4 here. Later the callers dereference it leading to an Oops. It was sort of hard to fix this without making the code confusing so I did a little cleanup. Fixes: 443c15d23220 ('IB/rxe: Shared Receive Queue (SRQ) manipulation functions') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html