[for-next] RDMA/hns: Fix memory corruption when allocating XRCDN

Commit Message

Weihang Li March 19, 2021, 8:45 a.m. UTC

It's incorrect to cast the type of pointer to xrcdn from (u32 *) to
(unsigned long *), then pass it into hns_roce_bitmap_alloc(), this will
lead to a memory corruption.

Fixes: 32548870d438 ("RDMA/hns: Add support for XRC on HIP09")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Weihang Li <liweihang@huawei.com>
---
 drivers/infiniband/hw/hns/hns_roce_pd.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Comments

Leon Romanovsky March 20, 2021, 9:32 a.m. UTC | #1

On Fri, Mar 19, 2021 at 04:45:36PM +0800, Weihang Li wrote:
> It's incorrect to cast the type of pointer to xrcdn from (u32 *) to
> (unsigned long *), then pass it into hns_roce_bitmap_alloc(), this will
> lead to a memory corruption.
> 
> Fixes: 32548870d438 ("RDMA/hns: Add support for XRC on HIP09")
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Weihang Li <liweihang@huawei.com>
> ---
>  drivers/infiniband/hw/hns/hns_roce_pd.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/infiniband/hw/hns/hns_roce_pd.c b/drivers/infiniband/hw/hns/hns_roce_pd.c
> index 3ca51ce..16d6b69 100644
> --- a/drivers/infiniband/hw/hns/hns_roce_pd.c
> +++ b/drivers/infiniband/hw/hns/hns_roce_pd.c
> @@ -140,8 +140,14 @@ void hns_roce_cleanup_uar_table(struct hns_roce_dev *hr_dev)
>  
>  static int hns_roce_xrcd_alloc(struct hns_roce_dev *hr_dev, u32 *xrcdn)
>  {
> -	return hns_roce_bitmap_alloc(&hr_dev->xrcd_bitmap,
> -				     (unsigned long *)xrcdn);
> +	unsigned long obj;
> +	int ret;
> +
> +	ret = hns_roce_bitmap_alloc(&hr_dev->xrcd_bitmap, &obj);
> +
> +	*xrcdn = (u32)obj;

NIT, it will be safer if you don't set set xrcdn after hns_roce_bitmap_alloc() failed.

Thanks

> +
> +	return ret;
>  }
>  
>  static void hns_roce_xrcd_free(struct hns_roce_dev *hr_dev,
> -- 
> 2.8.1
>

Weihang Li March 22, 2021, 2 a.m. UTC | #2

On 2021/3/20 17:33, Leon Romanovsky wrote:
> On Fri, Mar 19, 2021 at 04:45:36PM +0800, Weihang Li wrote:
>> It's incorrect to cast the type of pointer to xrcdn from (u32 *) to
>> (unsigned long *), then pass it into hns_roce_bitmap_alloc(), this will
>> lead to a memory corruption.
>>
>> Fixes: 32548870d438 ("RDMA/hns: Add support for XRC on HIP09")
>> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>> Signed-off-by: Weihang Li <liweihang@huawei.com>
>> ---
>>  drivers/infiniband/hw/hns/hns_roce_pd.c | 10 ++++++++--
>>  1 file changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/infiniband/hw/hns/hns_roce_pd.c b/drivers/infiniband/hw/hns/hns_roce_pd.c
>> index 3ca51ce..16d6b69 100644
>> --- a/drivers/infiniband/hw/hns/hns_roce_pd.c
>> +++ b/drivers/infiniband/hw/hns/hns_roce_pd.c
>> @@ -140,8 +140,14 @@ void hns_roce_cleanup_uar_table(struct hns_roce_dev *hr_dev)
>>  
>>  static int hns_roce_xrcd_alloc(struct hns_roce_dev *hr_dev, u32 *xrcdn)
>>  {
>> -	return hns_roce_bitmap_alloc(&hr_dev->xrcd_bitmap,
>> -				     (unsigned long *)xrcdn);
>> +	unsigned long obj;
>> +	int ret;
>> +
>> +	ret = hns_roce_bitmap_alloc(&hr_dev->xrcd_bitmap, &obj);
>> +
>> +	*xrcdn = (u32)obj;
> 
> NIT, it will be safer if you don't set set xrcdn after hns_roce_bitmap_alloc() failed.
> 
> Thanks
> 
>> +
>> +	return ret;
>>  }
>>  
>>  static void hns_roce_xrcd_free(struct hns_roce_dev *hr_dev,
>> -- 
>> 2.8.1
>>

Thank you, I will fix it.

Weihang

Patch

diff --git a/drivers/infiniband/hw/hns/hns_roce_pd.c b/drivers/infiniband/hw/hns/hns_roce_pd.c
index 3ca51ce..16d6b69 100644
--- a/drivers/infiniband/hw/hns/hns_roce_pd.c
+++ b/drivers/infiniband/hw/hns/hns_roce_pd.c
@@ -140,8 +140,14 @@  void hns_roce_cleanup_uar_table(struct hns_roce_dev *hr_dev)
 
 static int hns_roce_xrcd_alloc(struct hns_roce_dev *hr_dev, u32 *xrcdn)
 {
-	return hns_roce_bitmap_alloc(&hr_dev->xrcd_bitmap,
-				     (unsigned long *)xrcdn);
+	unsigned long obj;
+	int ret;
+
+	ret = hns_roce_bitmap_alloc(&hr_dev->xrcd_bitmap, &obj);
+
+	*xrcdn = (u32)obj;
+
+	return ret;
 }
 
 static void hns_roce_xrcd_free(struct hns_roce_dev *hr_dev,