From e95c16576ba7267740525d80aa4c105f1159611a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 1 May 2014 19:47:52 -0700 Subject: [PATCH] 3.14-stable patches added patches: ib-core-don-t-resolve-passive-side-roce-l2-address-in-cma-req-handler.patch ib-ehca-returns-an-error-on-ib_copy_to_udata-failure.patch ib-ipath-fix-potential-buffer-overrun-in-sending-diag-packet-routine.patch ib-mthca-return-an-error-on-ib_copy_to_udata-failure.patch ib-nes-return-an-error-on-ib_copy_from_udata-failure-instead-of-null.patch ib-qib-add-missing-braces-in-do_qib_user_sdma_queue_create.patch ib-qib-fix-debugfs-ordering-issue-with-multiple-hcas.patch --- ...e-roce-l2-address-in-cma-req-handler.patch | 111 ++++++++++++++ ...an-error-on-ib_copy_to_udata-failure.patch | 38 +++++ ...errun-in-sending-diag-packet-routine.patch | 142 ++++++++++++++++++ ...an-error-on-ib_copy_to_udata-failure.patch | 37 +++++ ...y_from_udata-failure-instead-of-null.patch | 47 ++++++ ...ces-in-do_qib_user_sdma_queue_create.patch | 56 +++++++ ...fs-ordering-issue-with-multiple-hcas.patch | 78 ++++++++++ queue-3.14/series | 7 + 8 files changed, 516 insertions(+) create mode 100644 queue-3.14/ib-core-don-t-resolve-passive-side-roce-l2-address-in-cma-req-handler.patch create mode 100644 queue-3.14/ib-ehca-returns-an-error-on-ib_copy_to_udata-failure.patch create mode 100644 queue-3.14/ib-ipath-fix-potential-buffer-overrun-in-sending-diag-packet-routine.patch create mode 100644 queue-3.14/ib-mthca-return-an-error-on-ib_copy_to_udata-failure.patch create mode 100644 queue-3.14/ib-nes-return-an-error-on-ib_copy_from_udata-failure-instead-of-null.patch create mode 100644 queue-3.14/ib-qib-add-missing-braces-in-do_qib_user_sdma_queue_create.patch create mode 100644 queue-3.14/ib-qib-fix-debugfs-ordering-issue-with-multiple-hcas.patch diff --git a/queue-3.14/ib-core-don-t-resolve-passive-side-roce-l2-address-in-cma-req-handler.patch b/queue-3.14/ib-core-don-t-resolve-passive-side-roce-l2-address-in-cma-req-handler.patch new file mode 100644 index 00000000000..a2c543f19fc --- /dev/null +++ b/queue-3.14/ib-core-don-t-resolve-passive-side-roce-l2-address-in-cma-req-handler.patch @@ -0,0 +1,111 @@ +From b2853fd6c2d0f383dbdf7427e263eb576a633867 Mon Sep 17 00:00:00 2001 +From: Moni Shoua +Date: Thu, 27 Mar 2014 10:52:58 +0200 +Subject: IB/core: Don't resolve passive side RoCE L2 address in CMA REQ handler + +From: Moni Shoua + +commit b2853fd6c2d0f383dbdf7427e263eb576a633867 upstream. + +The code that resolves the passive side source MAC within the rdma_cm +connection request handler was both redundant and buggy, so remove it. + +It was redundant since later, when an RC QP is modified to RTR state, +the resolution will take place in the ib_core module. It was buggy +because this callback also deals with UD SIDR exchange, for which we +incorrectly looked at the REQ member of the CM event and dereferenced +a random value. + +Fixes: dd5f03beb4f7 ("IB/core: Ethernet L2 attributes in verbs/cm structures") +Signed-off-by: Moni Shoua +Signed-off-by: Or Gerlitz +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/cm.c | 17 ----------------- + drivers/infiniband/core/cma.c | 26 -------------------------- + include/rdma/ib_cm.h | 1 - + 3 files changed, 44 deletions(-) + +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -349,23 +349,6 @@ static void cm_init_av_for_response(stru + grh, &av->ah_attr); + } + +-int ib_update_cm_av(struct ib_cm_id *id, const u8 *smac, const u8 *alt_smac) +-{ +- struct cm_id_private *cm_id_priv; +- +- cm_id_priv = container_of(id, struct cm_id_private, id); +- +- if (smac != NULL) +- memcpy(cm_id_priv->av.smac, smac, sizeof(cm_id_priv->av.smac)); +- +- if (alt_smac != NULL) +- memcpy(cm_id_priv->alt_av.smac, alt_smac, +- sizeof(cm_id_priv->alt_av.smac)); +- +- return 0; +-} +-EXPORT_SYMBOL(ib_update_cm_av); +- + static int cm_init_av_by_path(struct ib_sa_path_rec *path, struct cm_av *av) + { + struct cm_device *cm_dev; +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1284,15 +1284,6 @@ static int cma_req_handler(struct ib_cm_ + struct rdma_id_private *listen_id, *conn_id; + struct rdma_cm_event event; + int offset, ret; +- u8 smac[ETH_ALEN]; +- u8 alt_smac[ETH_ALEN]; +- u8 *psmac = smac; +- u8 *palt_smac = alt_smac; +- int is_iboe = ((rdma_node_get_transport(cm_id->device->node_type) == +- RDMA_TRANSPORT_IB) && +- (rdma_port_get_link_layer(cm_id->device, +- ib_event->param.req_rcvd.port) == +- IB_LINK_LAYER_ETHERNET)); + + listen_id = cm_id->context; + if (!cma_check_req_qp_type(&listen_id->id, ib_event)) +@@ -1336,28 +1327,11 @@ static int cma_req_handler(struct ib_cm_ + ret = conn_id->id.event_handler(&conn_id->id, &event); + if (ret) + goto err3; +- +- if (is_iboe) { +- if (ib_event->param.req_rcvd.primary_path != NULL) +- rdma_addr_find_smac_by_sgid( +- &ib_event->param.req_rcvd.primary_path->sgid, +- psmac, NULL); +- else +- psmac = NULL; +- if (ib_event->param.req_rcvd.alternate_path != NULL) +- rdma_addr_find_smac_by_sgid( +- &ib_event->param.req_rcvd.alternate_path->sgid, +- palt_smac, NULL); +- else +- palt_smac = NULL; +- } + /* + * Acquire mutex to prevent user executing rdma_destroy_id() + * while we're accessing the cm_id. + */ + mutex_lock(&lock); +- if (is_iboe) +- ib_update_cm_av(cm_id, psmac, palt_smac); + if (cma_comp(conn_id, RDMA_CM_CONNECT) && + (conn_id->id.qp_type != IB_QPT_UD)) + ib_send_cm_mra(cm_id, CMA_CM_MRA_SETTING, NULL, 0); +--- a/include/rdma/ib_cm.h ++++ b/include/rdma/ib_cm.h +@@ -601,5 +601,4 @@ struct ib_cm_sidr_rep_param { + int ib_send_cm_sidr_rep(struct ib_cm_id *cm_id, + struct ib_cm_sidr_rep_param *param); + +-int ib_update_cm_av(struct ib_cm_id *id, const u8 *smac, const u8 *alt_smac); + #endif /* IB_CM_H */ diff --git a/queue-3.14/ib-ehca-returns-an-error-on-ib_copy_to_udata-failure.patch b/queue-3.14/ib-ehca-returns-an-error-on-ib_copy_to_udata-failure.patch new file mode 100644 index 00000000000..f94c9991514 --- /dev/null +++ b/queue-3.14/ib-ehca-returns-an-error-on-ib_copy_to_udata-failure.patch @@ -0,0 +1,38 @@ +From 5bdb0f02add5994b0bc17494f4726925ca5d6ba1 Mon Sep 17 00:00:00 2001 +From: Yann Droneaud +Date: Mon, 10 Mar 2014 23:06:25 +0100 +Subject: IB/ehca: Returns an error on ib_copy_to_udata() failure + +From: Yann Droneaud + +commit 5bdb0f02add5994b0bc17494f4726925ca5d6ba1 upstream. + +In case of error when writing to userspace, function ehca_create_cq() +does not set an error code before following its error path. + +This patch sets the error code to -EFAULT when ib_copy_to_udata() +fails. + +This was caught when using spatch (aka. coccinelle) +to rewrite call to ib_copy_{from,to}_udata(). + +Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci +Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com +Signed-off-by: Yann Droneaud +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/ehca/ehca_cq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/ehca/ehca_cq.c ++++ b/drivers/infiniband/hw/ehca/ehca_cq.c +@@ -283,6 +283,7 @@ struct ib_cq *ehca_create_cq(struct ib_d + (my_cq->galpas.user.fw_handle & (PAGE_SIZE - 1)); + if (ib_copy_to_udata(udata, &resp, sizeof(resp))) { + ehca_err(device, "Copy to udata failed."); ++ cq = ERR_PTR(-EFAULT); + goto create_cq_exit4; + } + } diff --git a/queue-3.14/ib-ipath-fix-potential-buffer-overrun-in-sending-diag-packet-routine.patch b/queue-3.14/ib-ipath-fix-potential-buffer-overrun-in-sending-diag-packet-routine.patch new file mode 100644 index 00000000000..3acc9210b76 --- /dev/null +++ b/queue-3.14/ib-ipath-fix-potential-buffer-overrun-in-sending-diag-packet-routine.patch @@ -0,0 +1,142 @@ +From a2cb0eb8a64adb29a99fd864013de957028f36ae Mon Sep 17 00:00:00 2001 +From: Dennis Dalessandro +Date: Thu, 20 Feb 2014 11:02:53 -0500 +Subject: IB/ipath: Fix potential buffer overrun in sending diag packet routine + +From: Dennis Dalessandro + +commit a2cb0eb8a64adb29a99fd864013de957028f36ae upstream. + +Guard against a potential buffer overrun. The size to read from the +user is passed in, and due to the padding that needs to be taken into +account, as well as the place holder for the ICRC it is possible to +overflow the 32bit value which would cause more data to be copied from +user space than is allocated in the buffer. + +Reported-by: Nico Golde +Reported-by: Fabian Yamaguchi +Reviewed-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/ipath/ipath_diag.c | 66 +++++++++++-------------------- + 1 file changed, 25 insertions(+), 41 deletions(-) + +--- a/drivers/infiniband/hw/ipath/ipath_diag.c ++++ b/drivers/infiniband/hw/ipath/ipath_diag.c +@@ -326,7 +326,7 @@ static ssize_t ipath_diagpkt_write(struc + size_t count, loff_t *off) + { + u32 __iomem *piobuf; +- u32 plen, clen, pbufn; ++ u32 plen, pbufn, maxlen_reserve; + struct ipath_diag_pkt odp; + struct ipath_diag_xpkt dp; + u32 *tmpbuf = NULL; +@@ -335,51 +335,29 @@ static ssize_t ipath_diagpkt_write(struc + u64 val; + u32 l_state, lt_state; /* LinkState, LinkTrainingState */ + +- if (count < sizeof(odp)) { +- ret = -EINVAL; +- goto bail; +- } + + if (count == sizeof(dp)) { + if (copy_from_user(&dp, data, sizeof(dp))) { + ret = -EFAULT; + goto bail; + } +- } else if (copy_from_user(&odp, data, sizeof(odp))) { +- ret = -EFAULT; ++ } else if (count == sizeof(odp)) { ++ if (copy_from_user(&odp, data, sizeof(odp))) { ++ ret = -EFAULT; ++ goto bail; ++ } ++ } else { ++ ret = -EINVAL; + goto bail; + } + +- /* +- * Due to padding/alignment issues (lessened with new struct) +- * the old and new structs are the same length. We need to +- * disambiguate them, which we can do because odp.len has never +- * been less than the total of LRH+BTH+DETH so far, while +- * dp.unit (same offset) unit is unlikely to get that high. +- * Similarly, dp.data, the pointer to user at the same offset +- * as odp.unit, is almost certainly at least one (512byte)page +- * "above" NULL. The if-block below can be omitted if compatibility +- * between a new driver and older diagnostic code is unimportant. +- * compatibility the other direction (new diags, old driver) is +- * handled in the diagnostic code, with a warning. +- */ +- if (dp.unit >= 20 && dp.data < 512) { +- /* very probable version mismatch. Fix it up */ +- memcpy(&odp, &dp, sizeof(odp)); +- /* We got a legacy dp, copy elements to dp */ +- dp.unit = odp.unit; +- dp.data = odp.data; +- dp.len = odp.len; +- dp.pbc_wd = 0; /* Indicate we need to compute PBC wd */ +- } +- + /* send count must be an exact number of dwords */ + if (dp.len & 3) { + ret = -EINVAL; + goto bail; + } + +- clen = dp.len >> 2; ++ plen = dp.len >> 2; + + dd = ipath_lookup(dp.unit); + if (!dd || !(dd->ipath_flags & IPATH_PRESENT) || +@@ -422,16 +400,22 @@ static ssize_t ipath_diagpkt_write(struc + goto bail; + } + +- /* need total length before first word written */ +- /* +1 word is for the qword padding */ +- plen = sizeof(u32) + dp.len; +- +- if ((plen + 4) > dd->ipath_ibmaxlen) { ++ /* ++ * need total length before first word written, plus 2 Dwords. One Dword ++ * is for padding so we get the full user data when not aligned on ++ * a word boundary. The other Dword is to make sure we have room for the ++ * ICRC which gets tacked on later. ++ */ ++ maxlen_reserve = 2 * sizeof(u32); ++ if (dp.len > dd->ipath_ibmaxlen - maxlen_reserve) { + ipath_dbg("Pkt len 0x%x > ibmaxlen %x\n", +- plen - 4, dd->ipath_ibmaxlen); ++ dp.len, dd->ipath_ibmaxlen); + ret = -EINVAL; +- goto bail; /* before writing pbc */ ++ goto bail; + } ++ ++ plen = sizeof(u32) + dp.len; ++ + tmpbuf = vmalloc(plen); + if (!tmpbuf) { + dev_info(&dd->pcidev->dev, "Unable to allocate tmp buffer, " +@@ -473,11 +457,11 @@ static ssize_t ipath_diagpkt_write(struc + */ + if (dd->ipath_flags & IPATH_PIO_FLUSH_WC) { + ipath_flush_wc(); +- __iowrite32_copy(piobuf + 2, tmpbuf, clen - 1); ++ __iowrite32_copy(piobuf + 2, tmpbuf, plen - 1); + ipath_flush_wc(); +- __raw_writel(tmpbuf[clen - 1], piobuf + clen + 1); ++ __raw_writel(tmpbuf[plen - 1], piobuf + plen + 1); + } else +- __iowrite32_copy(piobuf + 2, tmpbuf, clen); ++ __iowrite32_copy(piobuf + 2, tmpbuf, plen); + + ipath_flush_wc(); + diff --git a/queue-3.14/ib-mthca-return-an-error-on-ib_copy_to_udata-failure.patch b/queue-3.14/ib-mthca-return-an-error-on-ib_copy_to_udata-failure.patch new file mode 100644 index 00000000000..3675194a7cb --- /dev/null +++ b/queue-3.14/ib-mthca-return-an-error-on-ib_copy_to_udata-failure.patch @@ -0,0 +1,37 @@ +From 08e74c4b00c30c232d535ff368554959403d0432 Mon Sep 17 00:00:00 2001 +From: Yann Droneaud +Date: Mon, 10 Mar 2014 23:06:26 +0100 +Subject: IB/mthca: Return an error on ib_copy_to_udata() failure + +From: Yann Droneaud + +commit 08e74c4b00c30c232d535ff368554959403d0432 upstream. + +In case of error when writing to userspace, the function mthca_create_cq() +does not set an error code before following its error path. + +This patch sets the error code to -EFAULT when ib_copy_to_udata() fails. + +This was caught when using spatch (aka. coccinelle) +to rewrite call to ib_copy_{from,to}_udata(). + +Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci +Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com +Signed-off-by: Yann Droneaud +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mthca/mthca_provider.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/mthca/mthca_provider.c ++++ b/drivers/infiniband/hw/mthca/mthca_provider.c +@@ -695,6 +695,7 @@ static struct ib_cq *mthca_create_cq(str + + if (context && ib_copy_to_udata(udata, &cq->cqn, sizeof (__u32))) { + mthca_free_cq(to_mdev(ibdev), cq); ++ err = -EFAULT; + goto err_free; + } + diff --git a/queue-3.14/ib-nes-return-an-error-on-ib_copy_from_udata-failure-instead-of-null.patch b/queue-3.14/ib-nes-return-an-error-on-ib_copy_from_udata-failure-instead-of-null.patch new file mode 100644 index 00000000000..506d3d1b0c6 --- /dev/null +++ b/queue-3.14/ib-nes-return-an-error-on-ib_copy_from_udata-failure-instead-of-null.patch @@ -0,0 +1,47 @@ +From 9d194d1025f463392feafa26ff8c2d8247f71be1 Mon Sep 17 00:00:00 2001 +From: Yann Droneaud +Date: Mon, 10 Mar 2014 23:06:27 +0100 +Subject: IB/nes: Return an error on ib_copy_from_udata() failure instead of NULL + +From: Yann Droneaud + +commit 9d194d1025f463392feafa26ff8c2d8247f71be1 upstream. + +In case of error while accessing to userspace memory, function +nes_create_qp() returns NULL instead of an error code wrapped through +ERR_PTR(). But NULL is not expected by ib_uverbs_create_qp(), as it +check for error with IS_ERR(). + +As page 0 is likely not mapped, it is going to trigger an Oops when +the kernel will try to dereference NULL pointer to access to struct +ib_qp's fields. + +In some rare cases, page 0 could be mapped by userspace, which could +turn this bug to a vulnerability that could be exploited: the function +pointers in struct ib_device will be under userspace total control. + +This was caught when using spatch (aka. coccinelle) +to rewrite calls to ib_copy_{from,to}_udata(). + +Link: https://www.gitorious.org/opteya/ib-hw-nes-create-qp-null +Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci +Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com +Signed-off-by: Yann Droneaud +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/nes/nes_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/nes/nes_verbs.c ++++ b/drivers/infiniband/hw/nes/nes_verbs.c +@@ -1186,7 +1186,7 @@ static struct ib_qp *nes_create_qp(struc + nes_free_resource(nesadapter, nesadapter->allocated_qps, qp_num); + kfree(nesqp->allocated_buffer); + nes_debug(NES_DBG_QP, "ib_copy_from_udata() Failed \n"); +- return NULL; ++ return ERR_PTR(-EFAULT); + } + if (req.user_wqe_buffers) { + virt_wqs = 1; diff --git a/queue-3.14/ib-qib-add-missing-braces-in-do_qib_user_sdma_queue_create.patch b/queue-3.14/ib-qib-add-missing-braces-in-do_qib_user_sdma_queue_create.patch new file mode 100644 index 00000000000..092c036b171 --- /dev/null +++ b/queue-3.14/ib-qib-add-missing-braces-in-do_qib_user_sdma_queue_create.patch @@ -0,0 +1,56 @@ +From 37a967651caf99dd267017023737bd442f5acb3d Mon Sep 17 00:00:00 2001 +From: Yann Droneaud +Date: Mon, 10 Mar 2014 23:06:28 +0100 +Subject: IB/qib: add missing braces in do_qib_user_sdma_queue_create() + +From: Yann Droneaud + +commit 37a967651caf99dd267017023737bd442f5acb3d upstream. + +Commit c804f07248895ff9c moved qib_assign_ctxt() to +do_qib_user_sdma_queue_create() but dropped the braces +around the statements. + +This was spotted by coccicheck (coccinelle/spatch): + +$ make C=2 CHECK=scripts/coccicheck drivers/infiniband/hw/qib/ + + CHECK drivers/infiniband/hw/qib/qib_file_ops.c +drivers/infiniband/hw/qib/qib_file_ops.c:1583:2-23: code aligned with following code on line 1587 + +This patch adds braces back. + +Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com +Cc: Mike Marciniszyn +Cc: infinipath@intel.com +Cc: Julia Lawall +Cc: cocci@systeme.lip6.fr +Signed-off-by: Yann Droneaud +Tested-by: Mike Marciniszyn +Acked-by: Mike Marciniszyn +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/qib/qib_file_ops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/qib/qib_file_ops.c ++++ b/drivers/infiniband/hw/qib/qib_file_ops.c +@@ -1578,7 +1578,7 @@ static int do_qib_user_sdma_queue_create + struct qib_ctxtdata *rcd = fd->rcd; + struct qib_devdata *dd = rcd->dd; + +- if (dd->flags & QIB_HAS_SEND_DMA) ++ if (dd->flags & QIB_HAS_SEND_DMA) { + + fd->pq = qib_user_sdma_queue_create(&dd->pcidev->dev, + dd->unit, +@@ -1586,6 +1586,7 @@ static int do_qib_user_sdma_queue_create + fd->subctxt); + if (!fd->pq) + return -ENOMEM; ++ } + + return 0; + } diff --git a/queue-3.14/ib-qib-fix-debugfs-ordering-issue-with-multiple-hcas.patch b/queue-3.14/ib-qib-fix-debugfs-ordering-issue-with-multiple-hcas.patch new file mode 100644 index 00000000000..ad176c86380 --- /dev/null +++ b/queue-3.14/ib-qib-fix-debugfs-ordering-issue-with-multiple-hcas.patch @@ -0,0 +1,78 @@ +From f8b6c47a44c063062317646683a73371c24c69ee Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Fri, 7 Mar 2014 08:32:31 -0500 +Subject: IB/qib: Fix debugfs ordering issue with multiple HCAs + +From: Mike Marciniszyn + +commit f8b6c47a44c063062317646683a73371c24c69ee upstream. + +The debugfs init code was incorrectly called before the idr mechanism +is used to get the unit number, so the dd->unit hasn't been +initialized. This caused the unit relative directory creation to fail +after the first. + +This patch moves the init for the debugfs stuff until after all of the +failures and after the unit number has been determined. + +A bug in unwind code in qib_alloc_devdata() is also fixed. + +Reviewed-by: Dennis Dalessandro +Signed-off-by: Mike Marciniszyn +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/qib/qib_init.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +--- a/drivers/infiniband/hw/qib/qib_init.c ++++ b/drivers/infiniband/hw/qib/qib_init.c +@@ -1097,14 +1097,10 @@ struct qib_devdata *qib_alloc_devdata(st + int ret; + + dd = (struct qib_devdata *) ib_alloc_device(sizeof(*dd) + extra); +- if (!dd) { +- dd = ERR_PTR(-ENOMEM); +- goto bail; +- } ++ if (!dd) ++ return ERR_PTR(-ENOMEM); + +-#ifdef CONFIG_DEBUG_FS +- qib_dbg_ibdev_init(&dd->verbs_dev); +-#endif ++ INIT_LIST_HEAD(&dd->list); + + idr_preload(GFP_KERNEL); + spin_lock_irqsave(&qib_devs_lock, flags); +@@ -1121,11 +1117,6 @@ struct qib_devdata *qib_alloc_devdata(st + if (ret < 0) { + qib_early_err(&pdev->dev, + "Could not allocate unit ID: error %d\n", -ret); +-#ifdef CONFIG_DEBUG_FS +- qib_dbg_ibdev_exit(&dd->verbs_dev); +-#endif +- ib_dealloc_device(&dd->verbs_dev.ibdev); +- dd = ERR_PTR(ret); + goto bail; + } + +@@ -1139,9 +1130,15 @@ struct qib_devdata *qib_alloc_devdata(st + qib_early_err(&pdev->dev, + "Could not alloc cpulist info, cpu affinity might be wrong\n"); + } +- +-bail: ++#ifdef CONFIG_DEBUG_FS ++ qib_dbg_ibdev_init(&dd->verbs_dev); ++#endif + return dd; ++bail: ++ if (!list_empty(&dd->list)) ++ list_del_init(&dd->list); ++ ib_dealloc_device(&dd->verbs_dev.ibdev); ++ return ERR_PTR(ret);; + } + + /* diff --git a/queue-3.14/series b/queue-3.14/series index a827e8093d8..a73c96cfefc 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -78,3 +78,10 @@ nfsd4-fix-memory-leak-in-nfsd4_encode_fattr.patch nfsd4-fix-setclientid-encode-size.patch nfsd-traverse-unconfirmed-client-through-hash-table.patch nfsd-set-timeparms.to_maxval-in-setup_callback_client.patch +ib-ipath-fix-potential-buffer-overrun-in-sending-diag-packet-routine.patch +ib-nes-return-an-error-on-ib_copy_from_udata-failure-instead-of-null.patch +ib-mthca-return-an-error-on-ib_copy_to_udata-failure.patch +ib-ehca-returns-an-error-on-ib_copy_to_udata-failure.patch +ib-qib-fix-debugfs-ordering-issue-with-multiple-hcas.patch +ib-qib-add-missing-braces-in-do_qib_user_sdma_queue_create.patch +ib-core-don-t-resolve-passive-side-roce-l2-address-in-cma-req-handler.patch -- 2.47.3