From patchwork Thu Nov 2 23:21:44 2017
X-Patchwork-Submitter: Qing Huang
X-Patchwork-Id: 10039375
From: Qing Huang
To: linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: dledford@redhat.com, sean.hefty@intel.com, hal.rosenstock@gmail.com, ira.weiny@intel.com, markb@mellanox.com, Qing Huang
Subject: [PATCH] IB/CM: fix memory corruption by avoiding unnecessary memset
Date: Thu, 2 Nov 2017 16:21:44 -0700
Message-Id: <20171102232144.13668-1-qing.huang@oracle.com>

The size of path array could be dynamic. However the fixed number(2) of memset could cause memory corruption by writing into wrong memory space.

Fixes: 9fdca4da4d8c (IB/SA: Split struct sa_path_rec based on IB ands ROCE specific fields)
Signed-off-by: Qing Huang
--- drivers/infiniband/core/cm.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c index 4c4b465..af4f6a0 100644 --- a/drivers/infiniband/core/cm.c +++ b/drivers/infiniband/core/cm.c @@ -1856,7 +1856,9 @@ static int cm_req_handler(struct cm_work *work) cm_process_routed_req(req_msg, work->mad_recv_wc->wc); memset(&work->path[0], 0, sizeof(work->path[0])); - memset(&work->path[1], 0, sizeof(work->path[1])); + if (cm_req_has_alt_path(req_msg)) + memset(&work->path[1], 0, sizeof(work->path[1])); + grh = rdma_ah_read_grh(&cm_id_priv->av.ah_attr); ret = ib_get_cached_gid(work->port->cm_dev->ib_device, work->port->port_num, 
@@ -3823,8 +3825,8 @@ static void cm_recv_handler(struct ib_mad_agent *mad_agent, switch (mad_recv_wc->recv_buf.mad->mad_hdr.attr_id) { case CM_REQ_ATTR_ID: - paths = 1 + (((struct cm_req_msg *) mad_recv_wc->recv_buf.mad)-> - alt_local_lid != 0); + paths = 1 + cm_req_has_alt_path( + (struct cm_req_msg *)mad_recv_wc->recv_buf.mad); event = IB_CM_REQ_RECEIVED; break; case CM_MRA_ATTR_ID:
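Review bot: in the first hunk (cm_req_handler(), @@ -1856), the new `if (cm_req_has_alt_path(req_msg))` guard on the `work->path[1]` memset is only correct for as long as it matches the expression that sizes the array, which the second hunk sets to `paths = 1 + cm_req_has_alt_path(...)` in cm_recv_handler(). Nothing at the memset site records that dependency. Please add a short comment there tying the guard to the allocation count, and say in the commit message where `work->path` is sized, since "could be dynamic" does not tell a reader which count the memset has to respect. The hunk also shows no change to any later access to `work->path[1]` in this function, so it is worth confirming those sit behind the same check.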
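Review bot: in the second hunk (cm_recv_handler(), @@ -3823), `paths = 1 + cm_req_has_alt_path(...)` uses the helper's return value as an integer count, whereas the removed line normalised it with `alt_local_lid != 0`. If the helper can ever return a non-zero value other than 1, `paths` exceeds 2, so please either confirm it returns strictly 0 or 1 or write `1 + !!cm_req_has_alt_path(...)`. This hunk also changes the predicate that decides how many path entries are allocated, not just a memset, and the commit message mentions only the memset; it should describe this change too, including which requests now get a second path that did not before.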