Commit b6bd907b authored by Junxian Huang's avatar Junxian Huang Committed by Chengchang Tang

RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg()

maillist inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB30V8
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git/commit/?id=6b526d17eed850352d880b93b9bf20b93006bd92



----------------------------------------------------------------------

ib_map_mr_sg() allows ULPs to specify NULL as the sg_offset argument.
The driver needs to check whether it is a NULL pointer before
dereferencing it.

Fixes: 8176dac4 ("RDMA/hns: Fix missing pagesize and alignment check in FRMR")
Signed-off-by: default avatarJunxian Huang <huangjunxian6@hisilicon.com>
Link: https://patch.msgid.link/20241108075743.2652258-3-huangjunxian6@hisilicon.com


Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
Signed-off-by: default avatarXinghai Cen <cenxinghai@h-partners.com>
parent 22707e12
+4 −3
@@ -453,15 +453,16 @@ static int hns_roce_set_page(struct ib_mr *ibmr, u64 addr)
}

int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents,
		       unsigned int *sg_offset)
		       unsigned int *sg_offset_p)
{
	unsigned int sg_offset = sg_offset_p ? *sg_offset_p : 0;
	struct hns_roce_dev *hr_dev = to_hr_dev(ibmr->device);
	struct ib_device *ibdev = &hr_dev->ib_dev;
	struct hns_roce_mr *mr = to_hr_mr(ibmr);
	struct hns_roce_mtr *mtr = &mr->pbl_mtr;
	int ret, sg_num = 0;

	if (!IS_ALIGNED(*sg_offset, HNS_ROCE_FRMR_ALIGN_SIZE) ||
	if (!IS_ALIGNED(sg_offset, HNS_ROCE_FRMR_ALIGN_SIZE) ||
	    ibmr->page_size < HNS_HW_PAGE_SIZE ||
	    ibmr->page_size > HNS_HW_MAX_PAGE_SIZE)
		return sg_num;
@@ -472,7 +473,7 @@ int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents,
	if (!mr->page_list)
		return sg_num;

	sg_num = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, hns_roce_set_page);
	sg_num = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset_p, hns_roce_set_page);
	if (sg_num < 1) {
		ibdev_err(ibdev, "failed to store sg pages %u %u, cnt = %d.\n",
			  mr->npages, mr->pbl_mtr.hem_cfg.buf_pg_count, sg_num);
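Review bot: The local copy `sg_offset` and the caller's pointer `sg_offset_p` are easy to swap in a later edit, and nothing in hns_roce_map_mr_sg() records why both exist or that the pointer may legitimately be NULL. A comment above the new local would pin that down, e.g. `/* sg_offset_p may be NULL (permitted by ib_map_mr_sg()); use 0 and never dereference it directly */`. ib_sg_to_pages() is still handed the caller's pointer unchanged, so a NULL reaches it; that depends on the helper doing its own NULL check, which is not visible on this page and is worth confirming on the tree this backport targets. The function's prototype is also outside this diff, and if it still names the parameter `sg_offset`, renaming it there keeps declaration and definition consistent. The function body continues between and after the two hunks shown.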