From patchwork Thu Aug 9 21:06:55 2018
X-Patchwork-Submitter: Jason Gunthorpe
X-Patchwork-Id: 10561915
X-Patchwork-Delegate: jgg@ziepe.ca
Date: Thu, 9 Aug 2018 15:06:55 -0600
From: Jason Gunthorpe
To: linux-rdma@vger.kernel.org, Yishai Hadas, Leon Romanovsky
Subject: [PATCH] IB/mlx5: Fix leaking stack memory to userspace
Message-ID: <20180809210655.GA3574@ziepe.ca>

mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes were written.
Static checkers missed this because the struct was un-necessarily created in a different function, so consolidate that too. Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp") Cc: Signed-off-by: Jason Gunthorpe Acked-by: Leon Romanovsky --- drivers/infiniband/hw/mlx5/qp.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c index 6efd770797d121..5839ac0083fa07 100644 --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -772,14 +772,13 @@ static int adjust_bfregn(struct mlx5_ib_dev *dev, static int create_user_qp(struct mlx5_ib_dev *dev, struct ib_pd *pd, struct mlx5_ib_qp *qp, struct ib_udata *udata, - struct ib_qp_init_attr *attr, - u32 **in, - struct mlx5_ib_create_qp_resp *resp, int *inlen, + struct ib_qp_init_attr *attr, u32 **in, int *inlen, struct mlx5_ib_qp_base *base) { struct mlx5_ib_ucontext *context; struct mlx5_ib_create_qp ucmd; struct mlx5_ib_ubuffer *ubuffer = &base->ubuffer; + struct mlx5_ib_create_qp_resp resp = {}; int page_shift = 0; int uar_index = 0; int npages; @@ -861,9 +860,9 @@ static int create_user_qp(struct mlx5_ib_dev *dev, struct ib_pd *pd, MLX5_SET(qpc, qpc, uar_page, uar_index); if (bfregn != MLX5_IB_INVALID_BFREG) - resp->bfreg_index = adjust_bfregn(dev, &context->bfregi, bfregn); + resp.bfreg_index = adjust_bfregn(dev, &context->bfregi, bfregn); else - resp->bfreg_index = MLX5_IB_INVALID_BFREG; + resp.bfreg_index = MLX5_IB_INVALID_BFREG; qp->bfregn = bfregn; err = mlx5_ib_db_map_user(context, ucmd.db_addr, &qp->db); @@ -872,7 +871,7 @@ static int create_user_qp(struct mlx5_ib_dev *dev, struct ib_pd *pd, goto err_free; } - err = ib_copy_to_udata(udata, resp, min(udata->outlen, sizeof(*resp))); + err = ib_copy_to_udata(udata, &resp, min(udata->outlen, sizeof(resp))); if (err) { mlx5_ib_dbg(dev, "copy failed\n"); goto err_unmap; 
@@ -1607,7 +1606,6 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd, struct mlx5_ib_resources *devr = &dev->devr; int inlen = MLX5_ST_SZ_BYTES(create_qp_in); struct mlx5_core_dev *mdev = dev->mdev; - struct mlx5_ib_create_qp_resp resp; struct mlx5_ib_cq *send_cq; struct mlx5_ib_cq *recv_cq; unsigned long flags; @@ -1763,7 +1761,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd, return -EINVAL; } err = create_user_qp(dev, pd, qp, udata, init_attr, &in, - &resp, &inlen, base); + &inlen, base); if (err) mlx5_ib_dbg(dev, "err %d\n", err); } else {
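Review bot: In the @@ -772 hunk of create_user_qp(), the new declaration `struct mlx5_ib_create_qp_resp resp = {};` zeroes the named members, but a brace initializer is not guaranteed to clear padding bytes in every compiler and language version, and the whole object is later handed to ib_copy_to_udata() with a length of up to sizeof(resp). If the struct has, or later gains, implicit padding, those bytes could still carry stack contents. Consider `memset(&resp, 0, sizeof(resp));` before the first assignment, or confirm that the uapi struct layout has no holes and say so in the commit message.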
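Review bot: In the @@ -872 hunk, `ib_copy_to_udata(udata, &resp, min(udata->outlen, sizeof(resp)))` is where resp is copied out to the caller, and in the visible lines only resp.bfreg_index is assigned before it. The commit message says the first 4 bytes were written but not how many bytes followed them uninitialized. Stating sizeof(struct mlx5_ib_create_qp_resp), or naming the unwritten field, would let stable maintainers judge the exposure without reading the Fixes: commit.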