Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 2 Aug 2018 08:18:12 +0000 (UTC)
From:      Hans Petter Selasky <hselasky@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r337080 - stable/11/sys/ofed/drivers/infiniband/core
Message-ID:  <201808020818.w728ICrT039679@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: hselasky
Date: Thu Aug  2 08:18:11 2018
New Revision: 337080
URL: https://svnweb.freebsd.org/changeset/base/337080

Log:
  MFC r336374:
  Avoid that ib_drain_qp() triggers an out-of-bounds stack access in ibcore.
  
  Linux commit:
  a1ae7d0345edd593d6725d3218434d903a0af95d
  
  Sponsored by:		Mellanox Technologies

Modified:
  stable/11/sys/ofed/drivers/infiniband/core/ib_verbs.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/ofed/drivers/infiniband/core/ib_verbs.c
==============================================================================
--- stable/11/sys/ofed/drivers/infiniband/core/ib_verbs.c	Thu Aug  2 08:17:09 2018	(r337079)
+++ stable/11/sys/ofed/drivers/infiniband/core/ib_verbs.c	Thu Aug  2 08:18:11 2018	(r337080)
@@ -1940,7 +1940,13 @@ static void __ib_drain_sq(struct ib_qp *qp)
 {
 	struct ib_qp_attr attr = { .qp_state = IB_QPS_ERR };
 	struct ib_drain_cqe sdrain;
-	struct ib_send_wr swr = {}, *bad_swr;
+	struct ib_send_wr *bad_swr;
+	struct ib_rdma_wr swr = {
+		.wr = {
+			.opcode	= IB_WR_RDMA_WRITE,
+			.wr_cqe	= &sdrain.cqe,
+		},
+	};
 	int ret;
 
 	if (qp->send_cq->poll_ctx == IB_POLL_DIRECT) {
@@ -1949,7 +1955,6 @@ static void __ib_drain_sq(struct ib_qp *qp)
 		return;
 	}
 
-	swr.wr_cqe = &sdrain.cqe;
 	sdrain.cqe.done = ib_drain_qp_done;
 	init_completion(&sdrain.done);
 
@@ -1959,7 +1964,7 @@ static void __ib_drain_sq(struct ib_qp *qp)
 		return;
 	}
 
-	ret = ib_post_send(qp, &swr, &bad_swr);
+	ret = ib_post_send(qp, &swr.wr, &bad_swr);
 	if (ret) {
 		WARN_ONCE(ret, "failed to drain send queue: %d\n", ret);
 		return;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201808020818.w728ICrT039679>