authorDenis Kirjanov <dkirjanov@suse.com>2019-04-20 14:51:47 +0200
committerDenis Kirjanov <dkirjanov@suse.com>2019-04-20 14:51:47 +0200
commit04606202a1c2fee9217b797a3c9e130dbee4cb02 (patch)
tree4fe457a0dd9e0a32020b19c8933f0b3f7f0a5c23
parent64752bcdd37f5abd797d595752c80d37c108b180 (diff)
rdma/cxgb4: fix some info leaks (bsc#1127371).
-rw-r--r--patches.fixes/0001-rdma-cxgb4-fix-some-info-leaks.patch66
-rw-r--r--series.conf1
2 files changed, 67 insertions, 0 deletions
diff --git a/patches.fixes/0001-rdma-cxgb4-fix-some-info-leaks.patch b/patches.fixes/0001-rdma-cxgb4-fix-some-info-leaks.patch
new file mode 100644
index 0000000000..321170dbe3
--- /dev/null
+++ b/patches.fixes/0001-rdma-cxgb4-fix-some-info-leaks.patch
@@ -0,0 +1,66 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Subject: rdma/cxgb4: fix some info leaks
+Patch-mainline: v4.19-rc1
+Git-commit: 8001b717f09460d9e17457f6bade6699aa14604f
+References: bsc#1127371
+
+In c4iw_create_qp() there are several struct members which potentially
+aren't inintialized like uresp.rq_key. I've fixed this code before in
+in commit ae1fe07f3f42 ("RDMA/cxgb4: Fix stack info leak in
+c4iw_create_qp()") so this time I'm just going to take a big hammer
+approach and memset the whole struct to zero. Hopefully, it will stay
+fixed this time.
+
+In c4iw_create_srq() we don't clear uresp.reserved.
+
+Fixes: 6a0b6174d35a ("rdma/cxgb4: Add support for kernel mode SRQ's")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Raju Rangoju <rajur@chelsio.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ drivers/infiniband/hw/cxgb4/qp.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
+index c26086c76f0b..dbd99370a0de 100644
+--- a/drivers/infiniband/hw/cxgb4/qp.c
++++ b/drivers/infiniband/hw/cxgb4/qp.c
+@@ -2088,6 +2088,7 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs,
+ goto err_free_sq_db_key;
+ }
+ }
++ memset(&uresp, 0, sizeof(uresp));
+ if (t4_sq_onchip(&qhp->wq.sq)) {
+ ma_sync_key_mm = kmalloc(sizeof(*ma_sync_key_mm),
+ GFP_KERNEL);
+@@ -2096,8 +2097,7 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs,
+ goto err_free_rq_db_key;
+ }
+ uresp.flags = C4IW_QPF_ONCHIP;
+- } else
+- uresp.flags = 0;
++ }
+ uresp.qid_mask = rhp->rdev.qpmask;
+ uresp.sqid = qhp->wq.sq.qid;
+ uresp.sq_size = qhp->wq.sq.size;
+@@ -2111,8 +2111,6 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs,
+ if (ma_sync_key_mm) {
+ uresp.ma_sync_key = ucontext->key;
+ ucontext->key += PAGE_SIZE;
+- } else {
+- uresp.ma_sync_key = 0;
+ }
+ uresp.sq_key = ucontext->key;
+ ucontext->key += PAGE_SIZE;
+@@ -2601,6 +2599,7 @@ struct ib_srq *c4iw_create_srq(struct ib_pd *pd, struct ib_srq_init_attr *attrs,
+ ret = -ENOMEM;
+ goto err_free_srq_key_mm;
+ }
++ memset(&uresp, 0, sizeof(uresp));
+ uresp.flags = srq->flags;
+ uresp.qid_mask = rhp->rdev.qpmask;
+ uresp.srqid = srq->wq.qid;
+--
+2.12.3
+
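Review bot: Both added `memset(&uresp, 0, sizeof(uresp));` calls, in c4iw_create_qp() and in c4iw_create_srq(), go in without a comment, although the commit message says the same leak in c4iw_create_qp() was already fixed once and came back. A line above each, such as `/* uresp is returned to user space: clear every byte, padding and reserved fields included, before filling it in */`, would tell a later editor that the call has to stay ahead of the first `uresp.` assignment and must not be swapped for per-field zeroing or an initializer, which need not clear padding. The copy of uresp to user space is not visible in these hunks, so that wording is inferred from the commit message. Both function bodies start and end outside the hunks shown.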
diff --git a/series.conf b/series.conf
index 12f7dffbdf..1ad4f7d346 100644
--- a/series.conf
+++ b/series.conf
@@ -18447,6 +18447,7 @@
patches.drivers/IB-mlx4-Use-4K-pages-for-kernel-QP-s-WQE-buffer.patch
patches.fixes/0001-rdma-cxgb4-Remove-a-set-but-not-used-variable.patch
patches.drivers/IB-IPoIB-Set-ah-valid-flag-in-multicast-send-flow.patch
+ patches.fixes/0001-rdma-cxgb4-fix-some-info-leaks.patch
patches.fixes/dax-remove-VM_MIXEDMAP-for-fsdax-and-device-dax.patch
patches.fixes/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_.patch
patches.suse/mm-page_alloc-double-zone-s-batchsize.patch