From: Michael J. Ruhl Date: Sun, 9 Apr 2017 17:15:32 +0000 (-0700) Subject: IB/core: If the MGID/MLID pair is not on the list return an error X-Git-Tag: v3.2.92~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=748b9d53f2187cc7baf3a317d85f579de5b5d839;p=thirdparty%2Fkernel%2Fstable.git IB/core: If the MGID/MLID pair is not on the list return an error commit 20c7840a77ddcb2ed2fbd66e8197db2868495751 upstream. A list of MGID/MLID pairs is built when doing a multicast attach. When the multicast detach is called, the list is searched, and regardless of the search outcome, the driver detach is called. If an MGID/MLID pair is not on the list, driver detach should not be called, and an error should be returned. Calling the driver without removing an MGID/MLID pair from the list can leave the core and driver out of sync. Fixes: f4e401562c11 ("IB/uverbs: track multicast group membership for userspace QPs") Reviewed-by: Ira Weiny Reviewed-by: Leon Romanovsky Signed-off-by: Michael J. Ruhl Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index 3be21aa77eb6d..7f2254ec7636b 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -2440,6 +2440,7 @@ ssize_t ib_uverbs_detach_mcast(struct ib_uverbs_file *file, struct ib_qp *qp; struct ib_uverbs_mcast_entry *mcast; int ret = -EINVAL; + bool found = false; if (copy_from_user(&cmd, buf, sizeof cmd)) return -EFAULT; @@ -2448,10 +2449,6 @@ ssize_t ib_uverbs_detach_mcast(struct ib_uverbs_file *file, if (!qp) return -EINVAL; - ret = ib_detach_mcast(qp, (union ib_gid *) cmd.gid, cmd.mlid); - if (ret) - goto out_put; - obj = container_of(qp->uobject, struct ib_uqp_object, uevent.uobject); list_for_each_entry(mcast, &obj->mcast_list, list) @@ -2459,9 +2456,17 @@ ssize_t ib_uverbs_detach_mcast(struct ib_uverbs_file *file, !memcmp(cmd.gid, mcast->gid.raw, sizeof mcast->gid.raw)) { list_del(&mcast->list); kfree(mcast); + found = true; break; } + if (!found) { + ret = -EINVAL; + goto out_put; + } + + ret = ib_detach_mcast(qp, (union ib_gid *)cmd.gid, cmd.mlid); + out_put: put_qp_write(qp);