Commit 8e1183ad authored by Md Haris Iqbal, committed by Dong Chenchen

RDMA/rtrs-srv: Avoid null pointer deref during path establishment

mainline inclusion
from mainline-v6.12-rc1
commit d0e62bf7b575fbfe591f6f570e7595dd60a2f5eb
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRIA
CVE: CVE-2024-50062

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d0e62bf7b575fbfe591f6f570e7595dd60a2f5eb



--------------------------------

For RTRS path establishment, RTRS client initiates and completes con_num
of connections. After establishing all its connections, the information
is exchanged between the client and server through the info_req message.
During this exchange, it is essential that all connections have been
established, and the state of the RTRS srv path is CONNECTED.

So add these sanity checks, to make sure we detect and abort the process
in error scenarios to avoid a null pointer deref.

Signed-off-by: Md Haris Iqbal <haris.iqbal@ionos.com>
Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: Grzegorz Prajsner <grzegorz.prajsner@ionos.com>
Link: https://patch.msgid.link/20240821112217.41827-9-haris.iqbal@ionos.com


Signed-off-by: Leon Romanovsky <leon@kernel.org>
Conflicts:
	drivers/infiniband/ulp/rtrs/rtrs-srv.c
[commit ae4c8164("RDMA/rtrs-srv: Rename rtrs_srv_sess to rtrs_srv_path")
renames rtrs_srv_sess to rtrs_srv_path; it is not merged, which leads to conflicts]
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
parent 81248561
+11 −2
@@ -909,12 +909,11 @@ static void rtrs_srv_info_req_done(struct ib_cq *cq, struct ib_wc *wc)
	if (unlikely(err))
		goto close;

out:
	rtrs_iu_free(iu, sess->s.dev->ib_dev, 1);
	return;
close:
	rtrs_iu_free(iu, sess->s.dev->ib_dev, 1);
	close_sess(sess);
	goto out;
}

static int post_recv_info_req(struct rtrs_srv_con *con)
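Review bot: the commit message does not explain the change to the close: path at the end of rtrs_srv_info_req_done, where rtrs_iu_free(iu, sess->s.dev->ib_dev, 1) now appears under close: ahead of close_sess(sess). The message only describes sanity checks during the info_req exchange, so a reader or backporter cannot tell whether the ordering of the free relative to close_sess() is required (for example because sess->s.dev must still be valid when the IU is freed) or is only a cleanup of the goto out jump. Please add a sentence to the commit message, or a short comment above the close: label, stating why the IU is freed before close_sess() is called.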
@@ -965,6 +964,16 @@ static int post_recv_sess(struct rtrs_srv_sess *sess)
			q_size = SERVICE_CON_QUEUE_DEPTH;
		else
			q_size = srv->queue_depth;
		if (sess->state != RTRS_SRV_CONNECTING) {
			rtrs_err(s, "Path state invalid. state %s\n",
				 rtrs_srv_state_str(sess->state));
			return -EIO;
		}

		if (!sess->s.con[cid]) {
			rtrs_err(s, "Conn not set for %d\n", cid);
			return -EIO;
		}

		err = post_recv_io(to_srv_con(sess->s.con[cid]), q_size);
		if (unlikely(err)) {
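Review bot: the state check in post_recv_sess compares against RTRS_SRV_CONNECTING, while the commit message says the path state must be CONNECTED during the info_req exchange; one of the two needs correcting or the message should say which state is expected at this point in path establishment and why. Two smaller points on the same lines: the sess->state test does not depend on cid, so it could sit ahead of the per-connection q_size selection instead of being re-evaluated for each connection, and a blank line after "q_size = srv->queue_depth;" would keep the new block visually separate from the if/else above it. The !sess->s.con[cid] check is the one that actually guards the to_srv_con(sess->s.con[cid]) call that follows, so it is worth saying in the message that this is the null dereference being avoided.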