Commit 5f6eff20 authored by Junxian Huang's avatar Junxian Huang Committed by Ge Hu
Browse files

RDMA/hns: Fix UAF in clear bond printing 

driver inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAH10J



----------------------------------------------------------------------

bond_grp is freed after hns_roce_cleanup_bond(). Move the clear bond
printing into hns_roce_cleanup_bond() to avoid UAF. Plus, the return
value of hns_roce_cleanup_bond() is removed since it's not being used
any more.

Fixes: 2004b3f9 ("RDMA/hns: Support RoCE bonding")

Signed-off-by: default avatarJunxian Huang <huangjunxian6@hisilicon.com>
Signed-off-by: default avatarXinghai Cen <cenxinghai@h-partners.com>
parent 752ec1d3

drivers/infiniband/hw/hns/hns_roce_bond.c

+5 −7
Original line number Diff line number Diff line
@@ -257,10 +257,7 @@ static void hns_roce_clear_bond(struct hns_roce_bond_group *bond_grp) 
	}



out:

	ret = hns_roce_cleanup_bond(bond_grp);

	if (!ret)

		ibdev_info(&bond_grp->main_hr_dev->ib_dev,

			   "RoCE clear bond finished!\n");

	hns_roce_cleanup_bond(bond_grp);

}



static void hns_roce_slave_changestate(struct hns_roce_bond_group *bond_grp)
@@ -731,7 +728,7 @@ static void hns_roce_detach_bond_grp(struct hns_roce_bond_group *bond_grp) 
	memset(bond_grp->bond_func_info, 0, sizeof(bond_grp->bond_func_info));

}



int hns_roce_cleanup_bond(struct hns_roce_bond_group *bond_grp)

void hns_roce_cleanup_bond(struct hns_roce_bond_group *bond_grp)

{

	int ret;
@@ -739,11 +736,12 @@ int hns_roce_cleanup_bond(struct hns_roce_bond_group *bond_grp) 
	      hns_roce_cmd_bond(bond_grp, HNS_ROCE_CLEAR_BOND) : -EIO;

	if (ret)

		BOND_ERR_LOG("failed to clear RoCE bond, ret = %d.\n", ret);

	else

		ibdev_info(&bond_grp->main_hr_dev->ib_dev,

			   "RoCE clear bond finished!\n");



	hns_roce_detach_bond_grp(bond_grp);

	complete(&bond_grp->bond_work_done);



	return ret;

}



static bool lowerstate_event_filter(struct hns_roce_bond_group *bond_grp,

drivers/infiniband/hw/hns/hns_roce_bond.h

+1 −1
Original line number Diff line number Diff line
@@ -84,7 +84,7 @@ struct hns_roce_die_info { 
int hns_roce_bond_init(struct hns_roce_dev *hr_dev);

int hns_roce_bond_event(struct notifier_block *self,

			unsigned long event, void *ptr);

int hns_roce_cleanup_bond(struct hns_roce_bond_group *bond_grp);

void hns_roce_cleanup_bond(struct hns_roce_bond_group *bond_grp);

bool hns_roce_bond_is_active(struct hns_roce_dev *hr_dev);

struct net_device *hns_roce_get_bond_netdev(struct hns_roce_dev *hr_dev);

struct hns_roce_bond_group *hns_roce_get_bond_grp(struct net_device *net_dev,