From patchwork Mon Jun 13 06:53:41 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter <dan.carpenter@oracle.com>
X-Patchwork-Id: 9172103
Return-Path: <linux-rdma-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	BA4EA6048C for <patchwork-linux-rdma@patchwork.kernel.org>;
	Mon, 13 Jun 2016 06:54:23 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AD5D222064
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Mon, 13 Jun 2016 06:54:23 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id A0CE1264F4; Mon, 13 Jun 2016 06:54:23 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3328A22064
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Mon, 13 Jun 2016 06:54:23 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S964873AbcFMGyF (ORCPT
	<rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
	Mon, 13 Jun 2016 02:54:05 -0400
Received: from userp1040.oracle.com ([156.151.31.81]:20553 "EHLO
	userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S964818AbcFMGyE (ORCPT
	<rfc822; linux-rdma@vger.kernel.org>); Mon, 13 Jun 2016 02:54:04 -0400
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233])
	by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2)
	with ESMTP id u5D6rpmH004618
	(version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Mon, 13 Jun 2016 06:53:51 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75])
	by aserv0021.oracle.com (8.13.8/8.13.8) with ESMTP id u5D6roei020707
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Mon, 13 Jun 2016 06:53:51 GMT
Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19])
	by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id
	u5D6rn6i001455; Mon, 13 Jun 2016 06:53:50 GMT
Received: from mwanda (/154.0.139.178)
	by default (Oracle Beehive Gateway v4.0)
	with ESMTP ; Sun, 12 Jun 2016 23:53:49 -0700
Date: Mon, 13 Jun 2016 09:53:41 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Moni Shoua <monis@mellanox.com>
Cc: Doug Ledford <dledford@redhat.com>, Sean Hefty <sean.hefty@intel.com>,
	Hal Rosenstock <hal.rosenstock@gmail.com>,
	linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-janitors@vger.kernel.org
Subject: [patch] IB/rxe: fix error code in rxe_srq_from_init()
Message-ID: <20160613065341.GA5993@mwanda>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.6.0 (2016-04-01)
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

If copy_to_user() fails then it returns the number of bytes not copied.
It would be between 1-4 here.  Later the callers dereference it leading
to an Oops.

It was sort of hard to fix this without making the code confusing so I
did a little cleanup.

Fixes: 443c15d23220 ('IB/rxe: Shared Receive Queue (SRQ) manipulation functions')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/infiniband/hw/rxe/rxe_srq.c b/drivers/infiniband/hw/rxe/rxe_srq.c
index 22c57d1..2a6e3cd 100644
--- a/drivers/infiniband/hw/rxe/rxe_srq.c
+++ b/drivers/infiniband/hw/rxe/rxe_srq.c
@@ -121,8 +121,7 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
 			   srq_wqe_size);
 	if (!q) {
 		pr_warn("unable to allocate queue for srq\n");
-		err = -ENOMEM;
-		goto err1;
+		return -ENOMEM;
 	}
 
 	srq->rq.queue = q;
@@ -130,15 +129,14 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
 	err = do_mmap_info(rxe, udata, false, context, q->buf,
 			   q->buf_size, &q->ip);
 	if (err)
-		goto err1;
+		return err;
 
-	if (udata && udata->outlen >= sizeof(struct mminfo) + sizeof(u32))
-		return copy_to_user(udata->outbuf + sizeof(struct mminfo),
-			&srq->srq_num, sizeof(u32));
-	else
-		return 0;
-err1:
-	return err;
+	if (udata && udata->outlen >= sizeof(struct mminfo) + sizeof(u32)) {
+		if (copy_to_user(udata->outbuf + sizeof(struct mminfo),
+				 &srq->srq_num, sizeof(u32)))
+			return -EFAULT;
+	}
+	return 0;
 }
 
 int rxe_srq_from_attr(struct rxe_dev *rxe, struct rxe_srq *srq,