--- /dev/null
+From 940efcc8889f0d15567eb07fc9fd69b06e366aa5 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Sun, 24 Jun 2018 11:23:42 +0300
+Subject: RDMA/uverbs: Protect from attempts to create flows on unsupported QP
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 940efcc8889f0d15567eb07fc9fd69b06e366aa5 upstream.
+
+Flows can be created on UD and RAW_PACKET QP types. Attempts to provide
+other QP types as an input causes to various unpredictable failures.
+
+The reason is that in order to support all various types (e.g. XRC), we
+are supposed to use real_qp handle and not qp handle and expect to
+driver/FW to fail such (XRC) flows. The simpler and safer variant is to
+ban all QP types except UD and RAW_PACKET, instead of relying on
+driver/FW.
+
+Cc: <stable@vger.kernel.org> # 3.11
+Fixes: 436f2ad05a0b ("IB/core: Export ib_create/destroy_flow through uverbs")
+Cc: syzkaller <syzkaller@googlegroups.com>
+Reported-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/uverbs_cmd.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -3478,6 +3478,11 @@ int ib_uverbs_ex_create_flow(struct ib_u
+ goto err_uobj;
+ }
+
++ if (qp->qp_type != IB_QPT_UD && qp->qp_type != IB_QPT_RAW_PACKET) {
++ err = -EINVAL;
++ goto err_put;
++ }
++
+ flow_attr = kzalloc(sizeof(*flow_attr) + cmd.flow_attr.num_of_specs *
+ sizeof(union ib_flow_spec), GFP_KERNEL);
+ if (!flow_attr) {
i40e-free-the-skb-after-clearing-the-bitlock.patch
tty-fix-data-race-in-tty_insert_flip_string_fixed_flag.patch
dma-iommu-fix-compilation-when-config_iommu_dma.patch
-tick-prefer-a-lower-rating-device-only-if-it-s-cpu-local-device.patch
net-phy-phylink-release-link-gpio.patch
media-rcar_jpu-add-missing-clk_disable_unprepare-on-error-in-jpu_open.patch
libata-fix-command-retry-decision.patch
ext4-fix-check-to-prevent-initializing-reserved-inodes.patch
gpio-of-handle-fixed-regulator-flags-properly.patch
gpio-uniphier-set-legitimate-irq-trigger-type-in-.to_irq-hook.patch
+rdma-uverbs-protect-from-attempts-to-create-flows-on-unsupported-qp.patch
+++ /dev/null
-From foo@baz Sat Jul 28 10:14:30 CEST 2018
-From: Sudeep Holla <sudeep.holla@arm.com>
-Date: Wed, 9 May 2018 17:02:08 +0100
-Subject: tick: Prefer a lower rating device only if it's CPU local device
-
-From: Sudeep Holla <sudeep.holla@arm.com>
-
-[ Upstream commit 1332a90558013ae4242e3dd7934bdcdeafb06c0d ]
-
-Checking the equality of cpumask for both new and old tick device doesn't
-ensure that it's CPU local device. This will cause issue if a low rating
-clockevent tick device is registered first followed by the registration
-of higher rating clockevent tick device.
-
-In such case, clockevents_released list will never get emptied as both
-the devices get selected as preferred one and we will loop forever in
-clockevents_notify_released.
-
-Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Frederic Weisbecker <fweisbec@gmail.com>
-Link: https://lkml.kernel.org/r/1525881728-4858-1-git-send-email-sudeep.holla@arm.com
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/time/tick-common.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/kernel/time/tick-common.c
-+++ b/kernel/time/tick-common.c
-@@ -277,7 +277,8 @@ static bool tick_check_preferred(struct
- */
- return !curdev ||
- newdev->rating > curdev->rating ||
-- !cpumask_equal(curdev->cpumask, newdev->cpumask);
-+ (!cpumask_equal(curdev->cpumask, newdev->cpumask) &&
-+ !tick_check_percpu(curdev, newdev, smp_processor_id()));
- }
-
- /*
projects / thirdparty / kernel / stable-queue.git / commitdiff
