RDMA/rxe: missing unlock on error in get_srq_wqe()

Commit Message

Dan Carpenter June 25, 2021, 1:03 p.m. UTC

This error path needs to unlock before returning.

Fixes: ec0fa2445c18 ("RDMA/rxe: Fix over copying in get_srq_wqe")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I'm sort of surprised this one wasn't caught in testing...

 drivers/infiniband/sw/rxe/rxe_resp.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Majd Dibbiny June 25, 2021, 1:11 p.m. UTC | #1

> On Jun 25, 2021, at 4:03 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> 
> This error path needs to unlock before returning.
> 
> Fixes: ec0fa2445c18 ("RDMA/rxe: Fix over copying in get_srq_wqe")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Majd Dibbiny <majd@nvidia.com>
> ---
> I'm sort of surprised this one wasn't caught in testing...
> 
> drivers/infiniband/sw/rxe/rxe_resp.c | 1 +
> 1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
> index 72cdb170b67b..3743dc39b60c 100644
> --- a/drivers/infiniband/sw/rxe/rxe_resp.c
> +++ b/drivers/infiniband/sw/rxe/rxe_resp.c
> @@ -314,6 +314,7 @@ static enum resp_states get_srq_wqe(struct rxe_qp *qp)
> 
>   /* don't trust user space data */
>   if (unlikely(wqe->dma.num_sge > srq->rq.max_sge)) {
> +        spin_unlock_bh(&srq->rq.consumer_lock);
>       pr_warn("%s: invalid num_sge in SRQ entry\n", __func__);
>       return RESPST_ERR_MALFORMED_WQE;
>   }
> -- 
> 2.30.2

Bob Pearson June 25, 2021, 2:32 p.m. UTC | #2

On 6/25/21 8:03 AM, Dan Carpenter wrote:
> This error path needs to unlock before returning.
> 
> Fixes: ec0fa2445c18 ("RDMA/rxe: Fix over copying in get_srq_wqe")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> I'm sort of surprised this one wasn't caught in testing...
> 
>  drivers/infiniband/sw/rxe/rxe_resp.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
> index 72cdb170b67b..3743dc39b60c 100644
> --- a/drivers/infiniband/sw/rxe/rxe_resp.c
> +++ b/drivers/infiniband/sw/rxe/rxe_resp.c
> @@ -314,6 +314,7 @@ static enum resp_states get_srq_wqe(struct rxe_qp *qp)
>  
>  	/* don't trust user space data */
>  	if (unlikely(wqe->dma.num_sge > srq->rq.max_sge)) {
> +		spin_unlock_bh(&srq->rq.consumer_lock);
>  		pr_warn("%s: invalid num_sge in SRQ entry\n", __func__);
>  		return RESPST_ERR_MALFORMED_WQE;
>  	}
> 

This is correct. Thanks.
Bob Pearson

Bob Pearson June 25, 2021, 2:33 p.m. UTC | #3

On 6/25/21 9:32 AM, Bob Pearson wrote:
> On 6/25/21 8:03 AM, Dan Carpenter wrote:
>> This error path needs to unlock before returning.
>>
>> Fixes: ec0fa2445c18 ("RDMA/rxe: Fix over copying in get_srq_wqe")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> ---
>> I'm sort of surprised this one wasn't caught in testing...
>>
>>  drivers/infiniband/sw/rxe/rxe_resp.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
>> index 72cdb170b67b..3743dc39b60c 100644
>> --- a/drivers/infiniband/sw/rxe/rxe_resp.c
>> +++ b/drivers/infiniband/sw/rxe/rxe_resp.c
>> @@ -314,6 +314,7 @@ static enum resp_states get_srq_wqe(struct rxe_qp *qp)
>>  
>>  	/* don't trust user space data */
>>  	if (unlikely(wqe->dma.num_sge > srq->rq.max_sge)) {
>> +		spin_unlock_bh(&srq->rq.consumer_lock);
>>  		pr_warn("%s: invalid num_sge in SRQ entry\n", __func__);
>>  		return RESPST_ERR_MALFORMED_WQE;
>>  	}
>>
> 
> This is correct. Thanks.
> Bob Pearson 
> 
Should say
Reviewed-by: Bob Pearson <rpearsonhpe@gmail.com>

Jason Gunthorpe June 25, 2021, 3:03 p.m. UTC | #4

On Fri, Jun 25, 2021 at 04:03:06PM +0300, Dan Carpenter wrote:
> This error path needs to unlock before returning.
> 
> Fixes: ec0fa2445c18 ("RDMA/rxe: Fix over copying in get_srq_wqe")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Majd Dibbiny <majd@nvidia.com>
> Reviewed-by: Bob Pearson <rpearsonhpe@gmail.com>
> ---
> I'm sort of surprised this one wasn't caught in testing...

Probably because you have to make malformed wqe's..

Applied to for-next, thanks

Jason

Patch

diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
index 72cdb170b67b..3743dc39b60c 100644
--- a/drivers/infiniband/sw/rxe/rxe_resp.c
+++ b/drivers/infiniband/sw/rxe/rxe_resp.c
@@ -314,6 +314,7 @@  static enum resp_states get_srq_wqe(struct rxe_qp *qp)
 
 	/* don't trust user space data */
 	if (unlikely(wqe->dma.num_sge > srq->rq.max_sge)) {
+		spin_unlock_bh(&srq->rq.consumer_lock);
 		pr_warn("%s: invalid num_sge in SRQ entry\n", __func__);
 		return RESPST_ERR_MALFORMED_WQE;
 	}