On Mon, Mar 22, 2021 at 10:44:29AM +0800, Weihang Li wrote:
> It's incorrect to cast the type of pointer to xrcdn from (u32 *) to
> (unsigned long *), then pass it into hns_roce_bitmap_alloc(), this will
> lead to a memory corruption.
>
> Fixes: 32548870d438 ("RDMA/hns: Add support for XRC on HIP09")
> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Signed-off-by: Weihang Li <liweihang@xxxxxxxxxx>
> Reviewed-by: Leon Romanovsky <leonro@xxxxxxxxxx>
> ---
> Changes since v1:
> - xrcdn won't be set if hns_roce_bitmap_alloc() fails.
> - Link: https://patchwork.kernel.org/project/linux-rdma/patch/1616143536-24874-1-git-send-email-liweihang@xxxxxxxxxx/
>
> drivers/infiniband/hw/hns/hns_roce_pd.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
Applied to for-next
> diff --git a/drivers/infiniband/hw/hns/hns_roce_pd.c b/drivers/infiniband/hw/hns/hns_roce_pd.c
> index 3ca51ce..68a59ff 100644
> --- a/drivers/infiniband/hw/hns/hns_roce_pd.c
> +++ b/drivers/infiniband/hw/hns/hns_roce_pd.c
> @@ -140,8 +140,16 @@ void hns_roce_cleanup_uar_table(struct hns_roce_dev *hr_dev)
>
> static int hns_roce_xrcd_alloc(struct hns_roce_dev *hr_dev, u32 *xrcdn)
> {
> - return hns_roce_bitmap_alloc(&hr_dev->xrcd_bitmap,
> - (unsigned long *)xrcdn);
> + unsigned long obj;
> + int ret;
> +
> + ret = hns_roce_bitmap_alloc(&hr_dev->xrcd_bitmap, &obj);
> + if (ret)
> + return ret;
> +
> + *xrcdn = (u32)obj;
Though this cast is useless, I removed it
Thanks,
Jason
