svn commit: r337079 - stable/11/sys/ofed/drivers/infiniband/core

Hans Petter Selasky hselasky at FreeBSD.org
Thu Aug 2 08:17:10 UTC 2018 

Author: hselasky
Date: Thu Aug  2 08:17:09 2018
New Revision: 337079
URL: https://svnweb.freebsd.org/changeset/base/337079

Log:
  MFC r336373:
  Ensure that CM_ID exists prior to access it in ibcore.
  
  Prior to access UCMA commands, the context should be initialized
  and connected to CM_ID with ucma_create_id(). In case user skips
  this step, he can provide non-valid ctx without CM_ID and cause
  to multiple NULL dereferences.
  
  Also there are situations where the create_id can be raced with
  other user access, ensure that the context is only shared to
  other threads once it is fully initialized to avoid the races.
  
  Linux commit:
  e8980d67d6017c8eee8f9c35f782c4bd68e004c9
  
  Sponsored by:		Mellanox Technologies

Modified:
  stable/11/sys/ofed/drivers/infiniband/core/ib_ucma.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/ofed/drivers/infiniband/core/ib_ucma.c
==============================================================================
--- stable/11/sys/ofed/drivers/infiniband/core/ib_ucma.c	Thu Aug  2 08:15:05 2018	(r337078)
+++ stable/11/sys/ofed/drivers/infiniband/core/ib_ucma.c	Thu Aug  2 08:17:09 2018	(r337079)
@@ -124,7 +124,7 @@ static inline struct ucma_context *_ucma_find_context(
 	ctx = idr_find(&ctx_idr, id);
 	if (!ctx)
 		ctx = ERR_PTR(-ENOENT);
-	else if (ctx->file != file)
+	else if (ctx->file != file || !ctx->cm_id)
 		ctx = ERR_PTR(-EINVAL);
 	return ctx;
 }
@@ -446,6 +446,7 @@ static ssize_t ucma_create_id(struct ucma_file *file, 
 	struct rdma_ucm_create_id cmd;
 	struct rdma_ucm_create_id_resp resp;
 	struct ucma_context *ctx;
+	struct rdma_cm_id *cm_id;
 	enum ib_qp_type qp_type;
 	int ret;
 
@@ -466,10 +467,10 @@ static ssize_t ucma_create_id(struct ucma_file *file, 
 		return -ENOMEM;
 
 	ctx->uid = cmd.uid;
-	ctx->cm_id = rdma_create_id(TD_TO_VNET(curthread),
-				    ucma_event_handler, ctx, cmd.ps, qp_type);
-	if (IS_ERR(ctx->cm_id)) {
-		ret = PTR_ERR(ctx->cm_id);
+	cm_id = rdma_create_id(TD_TO_VNET(curthread),
+			       ucma_event_handler, ctx, cmd.ps, qp_type);
+	if (IS_ERR(cm_id)) {
+		ret = PTR_ERR(cm_id);
 		goto err1;
 	}
 
@@ -479,10 +480,12 @@ static ssize_t ucma_create_id(struct ucma_file *file, 
 		ret = -EFAULT;
 		goto err2;
 	}
+
+	ctx->cm_id = cm_id;
 	return 0;
 
 err2:
-	rdma_destroy_id(ctx->cm_id);
+	rdma_destroy_id(cm_id);
 err1:
 	mutex_lock(&mut);
 	idr_remove(&ctx_idr, ctx->id);

More information about the svn-src-all mailing list