[for-next,2/6] RDMA/hfi1: Prevent panic when SDMA is disabled

Message ID 20220520183706.48973.79803.stgit@awfm-01.cornelisnetworks.com (mailing list archive)
State Accepted
Delegated to: Jason Gunthorpe
Series Updates for 5.19

Commit Message

Dennis Dalessandro May 20, 2022, 6:37 p.m. UTC
From: Douglas Miller <doug.miller@cornelisnetworks.com>

If the hfi1 module is loaded with HFI1_CAP_SDMA off,
a call to hfi1_write_iter() will dereference a NULL pointer
and panic. A typical stack frame is:

sdma_select_user_engine [hfi1]
hfi1_user_sdma_process_request [hfi1]
hfi1_write_iter [hfi1]
do_iter_readv_writev
do_iter_write
vfs_writev
do_writev
do_syscall_64

The fix is to test for SDMA in hfi1_write_iter() and fail
the I/O with EINVAL.

Signed-off-by: Douglas Miller <doug.miller@cornelisnetworks.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
---
 drivers/infiniband/hw/hfi1/file_ops.c |    3 +++
 1 file changed, 3 insertions(+)

Patch

diff --git a/drivers/infiniband/hw/hfi1/file_ops.c b/drivers/infiniband/hw/hfi1/file_ops.c
index 1783a6e..cb65f31 100644
--- a/drivers/infiniband/hw/hfi1/file_ops.c
+++ b/drivers/infiniband/hw/hfi1/file_ops.c
@@ -265,6 +265,9 @@  static ssize_t hfi1_write_iter(struct kiocb *kiocb, struct iov_iter *from)
 	unsigned long dim = from->nr_segs;
 	int idx;
 
+	if (!HFI1_CAP_IS_KSET(SDMA)) {
+		return -EINVAL;
+	}
 	idx = srcu_read_lock(&fd->pq_srcu);
 	pq = srcu_dereference(fd->pq, &fd->pq_srcu);
 	if (!cq || !pq) {
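
Review bot: the new check at the top of hfi1_write_iter() wraps a single return in braces, which kernel coding style leaves off; it could read `if (!HFI1_CAP_IS_KSET(SDMA))` followed by `return -EINVAL;` on the next line. The placement ahead of srcu_read_lock(&fd->pq_srcu) is right, since the early return then needs no matching unlock. Two things would be worth stating in the commit message or a short comment: the stack trace shows the NULL dereference inside sdma_select_user_engine(), so this guard protects only callers that arrive through hfi1_write_iter(), and it would help to confirm no other path reaches hfi1_user_sdma_process_request() with SDMA off; and the choice of -EINVAL means user space cannot tell a disabled SDMA capability from a malformed request, so the reason for that errno deserves a line.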