4.14-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 22 Mar 2018 21:21:15 +0000 (22:21 +0100)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 22 Mar 2018 21:21:15 +0000 (22:21 +0100)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Mar 2018 21:21:15 +0000 (22:21 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Mar 2018 21:21:15 +0000 (22:21 +0100)
diff --git a/queue-4.14/rdma-vmw_pvrdma-fix-usage-of-user-response-structures-in-abi-file.patch b/queue-4.14/rdma-vmw_pvrdma-fix-usage-of-user-response-structures-in-abi-file.patch

new file mode 100644 (file)

index 0000000..82423b6
--- /dev/null
+++ b/queue-4.14/rdma-vmw_pvrdma-fix-usage-of-user-response-structures-in-abi-file.patch
@@ -0,0 +1,77 @@
+From 1f5a6c47aabc4606f91ad2e6ef71a1ff1924101c Mon Sep 17 00:00:00 2001
+From: Adit Ranadive <aditr@vmware.com>
+Date: Thu, 15 Feb 2018 12:36:46 -0800
+Subject: RDMA/vmw_pvrdma: Fix usage of user response structures in ABI file
+
+From: Adit Ranadive <aditr@vmware.com>
+
+commit 1f5a6c47aabc4606f91ad2e6ef71a1ff1924101c upstream.
+
+This ensures that we return the right structures back to userspace.
+Otherwise, it looks like the reserved fields in the response structures
+in userspace might have uninitialized data in them.
+
+Fixes: 8b10ba783c9d ("RDMA/vmw_pvrdma: Add shared receive queue support")
+Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver")
+Suggested-by: Jason Gunthorpe <jgg@mellanox.com>
+Reviewed-by: Bryan Tan <bryantan@vmware.com>
+Reviewed-by: Aditya Sarwade <asarwade@vmware.com>
+Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: Adit Ranadive <aditr@vmware.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c    |    4 +++-
+ drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c |    4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c
++++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c
+@@ -114,6 +114,7 @@ struct ib_cq *pvrdma_create_cq(struct ib
+       union pvrdma_cmd_resp rsp;
+       struct pvrdma_cmd_create_cq *cmd = &req.create_cq;
+       struct pvrdma_cmd_create_cq_resp *resp = &rsp.create_cq_resp;
++      struct pvrdma_create_cq_resp cq_resp = {0};
+       struct pvrdma_create_cq ucmd;
+ 
+       BUILD_BUG_ON(sizeof(struct pvrdma_cqe) != 64);
+@@ -198,6 +199,7 @@ struct ib_cq *pvrdma_create_cq(struct ib
+ 
+       cq->ibcq.cqe = resp->cqe;
+       cq->cq_handle = resp->cq_handle;
++      cq_resp.cqn = resp->cq_handle;
+       spin_lock_irqsave(&dev->cq_tbl_lock, flags);
+       dev->cq_tbl[cq->cq_handle % dev->dsr->caps.max_cq] = cq;
+       spin_unlock_irqrestore(&dev->cq_tbl_lock, flags);
+@@ -206,7 +208,7 @@ struct ib_cq *pvrdma_create_cq(struct ib
+               cq->uar = &(to_vucontext(context)->uar);
+ 
+               /* Copy udata back. */
+-              if (ib_copy_to_udata(udata, &cq->cq_handle, sizeof(__u32))) {
++              if (ib_copy_to_udata(udata, &cq_resp, sizeof(cq_resp))) {
+                       dev_warn(&dev->pdev->dev,
+                                "failed to copy back udata\n");
+                       pvrdma_destroy_cq(&cq->ibcq);
+--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
++++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
+@@ -444,6 +444,7 @@ struct ib_pd *pvrdma_alloc_pd(struct ib_
+       union pvrdma_cmd_resp rsp;
+       struct pvrdma_cmd_create_pd *cmd = &req.create_pd;
+       struct pvrdma_cmd_create_pd_resp *resp = &rsp.create_pd_resp;
++      struct pvrdma_alloc_pd_resp pd_resp = {0};
+       int ret;
+       void *ptr;
+ 
+@@ -472,9 +473,10 @@ struct ib_pd *pvrdma_alloc_pd(struct ib_
+       pd->privileged = !context;
+       pd->pd_handle = resp->pd_handle;
+       pd->pdn = resp->pd_handle;
++      pd_resp.pdn = resp->pd_handle;
+ 
+       if (context) {
+-              if (ib_copy_to_udata(udata, &pd->pdn, sizeof(__u32))) {
++              if (ib_copy_to_udata(udata, &pd_resp, sizeof(pd_resp))) {
+                       dev_warn(&dev->pdev->dev,
+                                "failed to copy back protection domain\n");
+                       pvrdma_dealloc_pd(&pd->ibpd);
diff --git a/queue-4.14/series b/queue-4.14/series

index 0685d509399b91516e25caece4d3b540c5d5e238..128ed93e5963b09f5868a13c15f1b6fbda7fb11f 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -74,3 +74,4 @@ clk-migrate-the-count-of-orphaned-clocks-at-init.patch
  rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch
  rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch
  kbuild-fix-linker-feature-test-macros-when-cross-compiling-with-clang.patch
+rdma-vmw_pvrdma-fix-usage-of-user-response-structures-in-abi-file.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 22 Mar 2018 21:21:15 +0000 (22:21 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 22 Mar 2018 21:21:15 +0000 (22:21 +0100)
queue-4.14/rdma-vmw_pvrdma-fix-usage-of-user-response-structures-in-abi-file.patch	[new file with mode: 0644]	patch \| blob
queue-4.14/series		patch \| blob \| blame \| history