[PATCH 3.2 42/59] IB/core: If the MGID/MLID pair is not on the list return an error

From: Ben Hutchings
Date: Fri Aug 18 2017 - 10:11:22 EST


3.2.92-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Michael J. Ruhl" <michael.j.ruhl@xxxxxxxxx>

commit 20c7840a77ddcb2ed2fbd66e8197db2868495751 upstream.

A list of MGID/MLID pairs is built when doing a multicast attach. When
the multicast detach is called, the list is searched, and regardless of
the search outcome, the driver detach is called.

If an MGID/MLID pair is not on the list, driver detach should not be
called, and an error should be returned. Calling the driver without
removing an MGID/MLID pair from the list can leave the core and driver
out of sync.

Fixes: f4e401562c11 ("IB/uverbs: track multicast group membership for userspace QPs")
Reviewed-by: Ira Weiny <ira.weiny@xxxxxxxxx>
Reviewed-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@xxxxxxxxx>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@xxxxxxxxx>
Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
drivers/infiniband/core/uverbs_cmd.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2440,6 +2440,7 @@ ssize_t ib_uverbs_detach_mcast(struct ib
struct ib_qp *qp;
struct ib_uverbs_mcast_entry *mcast;
int ret = -EINVAL;
+ bool found = false;

if (copy_from_user(&cmd, buf, sizeof cmd))
return -EFAULT;
@@ -2448,10 +2449,6 @@ ssize_t ib_uverbs_detach_mcast(struct ib
if (!qp)
return -EINVAL;

- ret = ib_detach_mcast(qp, (union ib_gid *) cmd.gid, cmd.mlid);
- if (ret)
- goto out_put;
-
obj = container_of(qp->uobject, struct ib_uqp_object, uevent.uobject);

list_for_each_entry(mcast, &obj->mcast_list, list)
@@ -2459,9 +2456,17 @@ ssize_t ib_uverbs_detach_mcast(struct ib
!memcmp(cmd.gid, mcast->gid.raw, sizeof mcast->gid.raw)) {
list_del(&mcast->list);
kfree(mcast);
+ found = true;
break;
}

+ if (!found) {
+ ret = -EINVAL;
+ goto out_put;
+ }
+
+ ret = ib_detach_mcast(qp, (union ib_gid *)cmd.gid, cmd.mlid);
+
out_put:
put_qp_write(qp);