[PULL REQUEST] Please pull rdma.git

Hi Linus,

It's late in the game, I know, but these fixes seemed important enough
to warrant a late pull request.  They all involve oopses or use after
frees or corruptions.  Explanation of each in the tag message.  Thanks!

The following changes since commit 0b5c9279e568d90903acedc2b9b832d8d78e8288:

  IB/ipoib: For sendonly join free the multicast group on leave (2015-10-13 16:43:59 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma.git tags/for-linus

for you to fetch changes up to 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4:

  IB/cm: Fix rb-tree duplicate free and use-after-free (2015-10-21 15:43:12 -0400)

----------------------------------------------------------------
Changes for 4.3-rc6

6 serious fixes:

1) Hold the mutex around the find and corresponding update of our gid
2) The ifa list is rcu protected, copy its contents under rcu to avoid
   using a freed structure
3) On error, netdev might be null, so check it before trying to release it
4) On init, if workqueue alloc fails, fail init
5) The new demux patches exposed a bug in mlx5 and ipath drivers, we need
   to use the payload P_Key to determine the P_Key the packet arrived on
   because the hardware doesn't tell us the truth
6) Due to a couple convoluted error flows, it is possible for the CM to
   trigger a use_after_free and a double_free of rb nodes.  Add two
   checks to prevent that.  This code has worked for 10+ years.  It is
   likely that some of the recent changes have caused this issue to
   surface.  The current patch will protect us from nasty events for
   now while we track down why this is just now showing up.

----------------------------------------------------------------
Doron Tsur (2):
      IB/core: Fix memory corruption in ib_cache_gid_set_default_gid
      IB/cm: Fix rb-tree duplicate free and use-after-free

Haggai Eran (2):
      IB/cma: Potential NULL dereference in cma_id_from_event
      IB/cma: Use inner P_Key to determine netdev

Matan Barak (1):
      IB/core: Fix use after free of ifa

Sasha Levin (1):
      IB/ucma: check workqueue allocation before usage

 drivers/infiniband/core/cache.c         |  2 +-
 drivers/infiniband/core/cm.c            | 10 +++++++++-
 drivers/infiniband/core/cma.c           |  6 +++---
 drivers/infiniband/core/roce_gid_mgmt.c | 35 +++++++++++++++++++++++++--------
 drivers/infiniband/core/ucma.c          |  7 ++++++-
 5 files changed, 46 insertions(+), 14 deletions(-)

-- 
Doug Ledford <dledford@xxxxxxxxxx>
              GPG KeyID: 0E572FDD

