author | Jakub Kicinski <kuba@kernel.org> | 2020-10-15 18:54:45 +0200 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2020-10-15 18:54:45 +0200 |
commit | 0c124aa5c48dc5d42962998e4489f286aceda2b7 (patch) | |
tree | 71b0f3f664252ab57d21661c989a399fc8889193 | |
parent | bpfilter: Fix build error with CONFIG_BPFILTER_UMH (diff) | |
parent | net/smc: fix invalid return code in smcd_new_buf_create() (diff) | |
Merge branch 'net-smc-fixes-2020-10-14'
Karsten Graul says:
====================
net/smc: fixes 2020-10-14
The first patch fixes a possible use-after-free of delayed llc events.
Patch 2 corrects the number of DMB buffer sizes. And patch 3 ensures
a correctly formatted return code when smc_ism_register_dmb() fails to
create a new DMB.
====================
Link: https://lore.kernel.org/r/20201014174329.35791-1-kgraul@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-rw-r--r-- | net/smc/smc_core.c | 5 | ||||
-rw-r--r-- | net/smc/smc_llc.c | 13 |
2 files changed, 8 insertions, 10 deletions
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
index a406627b1d55..59cc99fec2a2 100644
--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -1597,7 +1597,7 @@ out:
 return rc;
 }
-#define SMCD_DMBE_SIZES 7 /* 0 -> 16KB, 1 -> 32KB, .. 6 -> 1MB */
+#define SMCD_DMBE_SIZES 6 /* 0 -> 16KB, 1 -> 32KB, .. 6 -> 1MB */
 static struct smc_buf_desc *smcd_new_buf_create(struct smc_link_group *lgr,
 bool is_dmb, int bufsize)
@@ -1616,7 +1616,8 @@ static struct smc_buf_desc *smcd_new_buf_create(struct smc_link_group *lgr,
 rc = smc_ism_register_dmb(lgr, bufsize, buf_desc);
 if (rc) {
 kfree(buf_desc);
- return (rc == -ENOMEM) ? ERR_PTR(-EAGAIN) : ERR_PTR(rc);
+ return (rc == -ENOMEM) ? ERR_PTR(-EAGAIN) :
+ ERR_PTR(-EIO);
 }
 buf_desc->pages = virt_to_page(buf_desc->cpu_addr);
 /* CDC header stored in buf. So, pretend it was smaller */
diff --git a/net/smc/smc_llc.c b/net/smc/smc_llc.c
index f5f6487bb847..5e86926c83a1 100644
--- a/net/smc/smc_llc.c
+++ b/net/smc/smc_llc.c
@@ -233,8 +233,6 @@ static bool smc_llc_flow_start(struct smc_llc_flow *flow,
 default:
 flow->type = SMC_LLC_FLOW_NONE;
 }
- if (qentry == lgr->delayed_event)
- lgr->delayed_event = NULL;
 smc_llc_flow_qentry_set(flow, qentry);
 spin_unlock_bh(&lgr->llc_flow_lock);
 return true;
@@ -1603,13 +1601,12 @@ static void smc_llc_event_work(struct work_struct *work)
 struct smc_llc_qentry *qentry;
 if (!lgr->llc_flow_lcl.type && lgr->delayed_event) {
- if (smc_link_usable(lgr->delayed_event->link)) {
- smc_llc_event_handler(lgr->delayed_event);
- } else {
- qentry = lgr->delayed_event;
- lgr->delayed_event = NULL;
+ qentry = lgr->delayed_event;
+ lgr->delayed_event = NULL;
+ if (smc_link_usable(qentry->link))
+ smc_llc_event_handler(qentry);
+ else
 kfree(qentry);
- }
 }
 again: |
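Review bot: The comment on the changed `SMCD_DMBE_SIZES` line in the first smc_core.c hunk still lists encodings 0 through 6, which is seven entries, while the macro is now 6. The name reads as a count, but the new value only makes sense as the highest valid compressed size. The code that compares against the macro is outside this hunk, so that reading is inferred from the comment and the merge description. I would spell it out, for example `#define SMCD_DMBE_SIZES 6 /* highest valid compressed size: 0 -> 16KB, 1 -> 32KB, .. 6 -> 1MB */`, so that a later reader does not change it back to 7 and loosen the buffer-size bound again.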
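Review bot: In the second smc_core.c hunk, the new `ERR_PTR(-EIO)` branch drops `rc` without a word on why it must not be propagated. Presumably smc_ism_register_dmb() can return values that are not negative errnos; `ERR_PTR()` of such a value yields a pointer that `IS_ERR()` does not recognise, so a caller could dereference it as a real buffer descriptor. A comment above the return would keep the mapping from being simplified away later, for example `/* rc is not guaranteed to be a -errno, never pass it to ERR_PTR() */`. If the original code matters for diagnosis, it could also be logged before being mapped. smcd_new_buf_create() starts and ends outside the hunk.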
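Review bot: In the smc_llc_event_work() hunk of smc_llc.c, the new take-and-clear of `lgr->delayed_event` runs with no lock visible in the hunk. The lines removed from smc_llc_flow_start() cleared the same field before `spin_unlock_bh(&lgr->llc_flow_lock)`, so the clearing appears to have moved out of the locked region. If any other context can store to `delayed_event` while this work item runs, the unlocked test in the `if` followed by the swap could lose or double-handle an entry. Either do the swap under `llc_flow_lock`, or document why the worker is the only consumer, for example `/* take ownership first: the handler may free qentry */`. The function continues beyond the hunk, so locking taken elsewhere in it is not visible here.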