From: Zhao Weibo zhaoweibo3@huawei.com
driver inclusion category: bugfix bugzilla: NA CVE: NA
----------------------------------------
There may be an out-of-bounds read if the QP type is RC in post send.
Reviewed-by: Hu Chunzhi huchunzhi@huawei.com Signed-off-by: Zhao Weibo zhaoweibo3@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index 637f68d..5a112f5 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -334,13 +334,13 @@ static int hns_roce_v2_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr,
 #endif
 {
 struct hns_roce_dev *hr_dev = to_hr_dev(ibqp->device);
- struct hns_roce_ah *ah = to_hr_ah(ud_wr(wr)->ah);
 struct hns_roce_v2_ud_send_wqe *ud_sq_wqe;
 struct hns_roce_v2_rc_send_wqe *rc_sq_wqe;
 struct hns_roce_qp *qp = to_hr_qp(ibqp);
 struct hns_roce_v2_wqe_data_seg *dseg;
 struct hns_roce_wqe_frmr_seg *fseg;
 struct device *dev = hr_dev->dev;
+ struct hns_roce_ah *ah = NULL;
 struct hns_roce_v2_db sq_db;
 unsigned int sge_ind;
 unsigned int owner_bit;
@@ -414,6 +414,7 @@ static int hns_roce_v2_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr,
/* Corresponding to the QP type, wqe process separately */ if (ibqp->qp_type == IB_QPT_GSI || ibqp->qp_type == IB_QPT_UD) { + ah = to_hr_ah(ud_wr(wr)->ah); ud_sq_wqe = wqe; memset(ud_sq_wqe, 0, sizeof(*ud_sq_wqe));
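Review bot: `ah` is now assigned only inside the UD/GSI branch, yet the first hunk still declares it at function scope and initialises it to NULL, so any later use of `ah` outside this branch would compile cleanly and fail only at run time. Declaring it in the branch instead, with `struct hns_roce_ah *ah = to_hr_ah(ud_wr(wr)->ah);` as the first line of the `if` block, would let the compiler reject such a use; this assumes nothing outside the branch reads `ah`, which cannot be confirmed because the rest of hns_roce_v2_post_send lies outside the hunks. A comment at the assignment such as `/* ud_wr() is only valid for UD/GSI work requests; other QP types do not embed wr in struct ib_ud_wr */` would record why the conversion must stay here, so it is not hoisted back to the declarations. The hunk also shows no check that `ud_wr(wr)->ah` is non-NULL before to_hr_ah() is applied, so it is worth confirming that callers guarantee it.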