TWxSoftware/twx-linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Browse Source 
Pull rdma fixes from Jason Gunthorpe:
 "Four small fixes for crashes:

   - Double free in rxe

   - UAF in irdma from early freeing the rf

   - Off by one undoing the IRQ allocations during error unwind in irdma

   - Another race with device rename and uevent generation. uevents
     accesses the struct device name and UAF when it is changed"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
  ice, irdma: fix an off by one in error handling code
  irdma: free iwdev->rf after removing MSI-X
  RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug
This commit is contained in:
Linus Torvalds
2025-05-15 12:26:09 -07:00
parent f1f2797f8a d0706bfd3e
commit 4d0be1aa26
4 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
drivers/infiniband/core/device.c
+4 -2
View File
@@ -1352,6 +1352,9 @@ static void ib_device_notify_register(struct ib_device *device)
down_read(&devices_rwsem);
/* Mark for userspace that device is ready */
kobject_uevent(&device->dev.kobj, KOBJ_ADD);
ret = rdma_nl_notify_event(device, 0, RDMA_REGISTER_EVENT);
if (ret)
goto out;
@@ -1468,10 +1471,9 @@ int ib_register_device(struct ib_device *device, const char *name,
return ret;
}
dev_set_uevent_suppress(&device->dev, false);
/* Mark for userspace that device is ready */
kobject_uevent(&device->dev.kobj, KOBJ_ADD);
ib_device_notify_register(device);
ib_device_put(device);
return 0;
drivers/infiniband/hw/irdma/main.c
+3 -1
View File
@@ -221,7 +221,7 @@ static int irdma_init_interrupts(struct irdma_pci_f *rf, struct ice_pf *pf)
break;
if (i < IRDMA_MIN_MSIX) {
for (; i > 0; i--)
while (--i >= 0)
ice_free_rdma_qvector(pf, &rf->msix_entries[i]);
kfree(rf->msix_entries);
@@ -255,6 +255,8 @@ static void irdma_remove(struct auxiliary_device *aux_dev)
ice_rdma_update_vsi_filter(pf, iwdev->vsi_num, false);
irdma_deinit_interrupts(iwdev->rf, pf);
kfree(iwdev->rf);
pr_debug("INIT: Gen2 PF[%d] device remove success\n", PCI_FUNC(pf->pdev->devfn));
}
drivers/infiniband/hw/irdma/verbs.c
-1
View File
@@ -4871,5 +4871,4 @@ void irdma_ib_dealloc_device(struct ib_device *ibdev)
irdma_rt_deinit_hw(iwdev);
irdma_ctrl_deinit_hw(iwdev->rf);
kfree(iwdev->rf);
}
drivers/infiniband/sw/rxe/rxe_cq.c
+1 -4
View File
@@ -56,11 +56,8 @@ int rxe_cq_from_init(struct rxe_dev *rxe, struct rxe_cq *cq, int cqe,
err = do_mmap_info(rxe, uresp ? &uresp->mi : NULL, udata,
cq->queue->buf, cq->queue->buf_size, &cq->queue->ip);
if (err) {
vfree(cq->queue->buf);
kfree(cq->queue);
if (err)
return err;
}
cq->is_user = uresp;