Commit 511585a28e5b5fd1cac61e601e42efc4c5dd64b5
Exists in
master
and in
6 other branches
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: IB/qib: Correct sense on freectxts increment and decrement RDMA/cma: Verify private data length IB/mlx4: Fix shutdown crash accessing a non-existent bitmap
Showing 3 changed files Side-by-side Diff
drivers/infiniband/core/cma.c
| ... | ... | @@ -2513,6 +2513,9 @@ |
| 2513 | 2513 | |
| 2514 | 2514 | req.private_data_len = sizeof(struct cma_hdr) + |
| 2515 | 2515 | conn_param->private_data_len; |
| 2516 | + if (req.private_data_len < conn_param->private_data_len) | |
| 2517 | + return -EINVAL; | |
| 2518 | + | |
| 2516 | 2519 | req.private_data = kzalloc(req.private_data_len, GFP_ATOMIC); |
| 2517 | 2520 | if (!req.private_data) |
| 2518 | 2521 | return -ENOMEM; |
| ... | ... | @@ -2562,6 +2565,9 @@ |
| 2562 | 2565 | memset(&req, 0, sizeof req); |
| 2563 | 2566 | offset = cma_user_data_offset(id_priv->id.ps); |
| 2564 | 2567 | req.private_data_len = offset + conn_param->private_data_len; |
| 2568 | + if (req.private_data_len < conn_param->private_data_len) | |
| 2569 | + return -EINVAL; | |
| 2570 | + | |
| 2565 | 2571 | private_data = kzalloc(req.private_data_len, GFP_ATOMIC); |
| 2566 | 2572 | if (!private_data) |
| 2567 | 2573 | return -ENOMEM; |
drivers/infiniband/hw/mlx4/main.c
| ... | ... | @@ -1244,7 +1244,8 @@ |
| 1244 | 1244 | |
| 1245 | 1245 | err_counter: |
| 1246 | 1246 | for (; i; --i) |
| 1247 | - mlx4_counter_free(ibdev->dev, ibdev->counters[i - 1]); | |
| 1247 | + if (ibdev->counters[i - 1] != -1) | |
| 1248 | + mlx4_counter_free(ibdev->dev, ibdev->counters[i - 1]); | |
| 1248 | 1249 | |
| 1249 | 1250 | err_map: |
| 1250 | 1251 | iounmap(ibdev->uar_map); |
| ... | ... | @@ -1275,7 +1276,8 @@ |
| 1275 | 1276 | } |
| 1276 | 1277 | iounmap(ibdev->uar_map); |
| 1277 | 1278 | for (p = 0; p < ibdev->num_ports; ++p) |
| 1278 | - mlx4_counter_free(ibdev->dev, ibdev->counters[p]); | |
| 1279 | + if (ibdev->counters[p] != -1) | |
| 1280 | + mlx4_counter_free(ibdev->dev, ibdev->counters[p]); | |
| 1279 | 1281 | mlx4_foreach_port(p, dev, MLX4_PORT_TYPE_IB) |
| 1280 | 1282 | mlx4_CLOSE_PORT(dev, p); |
| 1281 | 1283 |
drivers/infiniband/hw/qib/qib_file_ops.c
| ... | ... | @@ -1285,7 +1285,7 @@ |
| 1285 | 1285 | strlcpy(rcd->comm, current->comm, sizeof(rcd->comm)); |
| 1286 | 1286 | ctxt_fp(fp) = rcd; |
| 1287 | 1287 | qib_stats.sps_ctxts++; |
| 1288 | - dd->freectxts++; | |
| 1288 | + dd->freectxts--; | |
| 1289 | 1289 | ret = 0; |
| 1290 | 1290 | goto bail; |
| 1291 | 1291 | |
| ... | ... | @@ -1794,7 +1794,7 @@ |
| 1794 | 1794 | if (dd->pageshadow) |
| 1795 | 1795 | unlock_expected_tids(rcd); |
| 1796 | 1796 | qib_stats.sps_ctxts--; |
| 1797 | - dd->freectxts--; | |
| 1797 | + dd->freectxts++; | |
| 1798 | 1798 | } |
| 1799 | 1799 | |
| 1800 | 1800 | mutex_unlock(&qib_mutex); |