Upstream: Yes AR20220107959359
bond_grp is freed after hns_roce_cleanup_bond(). Move the clear bond printing into hns_roce_cleanup_bond() to avoid UAF. Plus, the return value of hns_roce_cleanup_bond() is removed since it's not being used any more.
Fixes: 991fd7d3bc75 ("RDMA/hns: Fix several memory issues in roce bonding") Signed-off-by: Junxian Huang huangjunxian6@hisilicon.com --- drivers/infiniband/hw/hns/hns_roce_bond.c | 12 +++++------- drivers/infiniband/hw/hns/hns_roce_bond.h | 2 +- 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_bond.c b/drivers/infiniband/hw/hns/hns_roce_bond.c
index da509debd90f..e7103943050c 100644
--- a/drivers/infiniband/hw/hns/hns_roce_bond.c
+++ b/drivers/infiniband/hw/hns/hns_roce_bond.c
@@ -258,10 +258,7 @@ static void hns_roce_clear_bond(struct hns_roce_bond_group *bond_grp)
 }
out:
- ret = hns_roce_cleanup_bond(bond_grp);
- if (!ret)
- ibdev_info(&bond_grp->main_hr_dev->ib_dev,
- "RoCE clear bond finished!\n");
+ hns_roce_cleanup_bond(bond_grp);
 }
static void hns_roce_slave_changestate(struct hns_roce_bond_group *bond_grp)
@@ -690,7 +687,7 @@ static void hns_roce_detach_bond_grp(struct hns_roce_bond_group *bond_grp)
 memset(bond_grp->bond_func_info, 0, sizeof(bond_grp->bond_func_info));
 }
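Review bot: The lifetime rule this fix depends on is still unwritten at the call site under `out:`. After `hns_roce_cleanup_bond(bond_grp)` returns, bond_grp has to be treated as gone, and any statement later added after that call would bring the use-after-free back. A comment above the call, such as `/* bond_grp may be freed once this returns; do not dereference it afterwards */`, would keep that visible. The same sentence belongs on the prototype in hns_roce_bond.h, because the function is non-static and callers outside this diff cannot be checked from here. The body of hns_roce_clear_bond() starts outside the hunk, so whether its local `ret` still has a use after this change cannot be confirmed; if it has none, the declaration should be dropped as well.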
-int hns_roce_cleanup_bond(struct hns_roce_bond_group *bond_grp)
+void hns_roce_cleanup_bond(struct hns_roce_bond_group *bond_grp)
 {
 int ret;
@@ -698,11 +695,12 @@ int hns_roce_cleanup_bond(struct hns_roce_bond_group *bond_grp)
 hns_roce_cmd_bond(bond_grp, HNS_ROCE_CLEAR_BOND) : -EIO;
 if (ret)
 BOND_ERR_LOG("failed to clear RoCE bond, ret = %d.\n", ret);
+ else
+ ibdev_info(&bond_grp->main_hr_dev->ib_dev,
+ "RoCE clear bond finished!\n");
hns_roce_detach_bond_grp(bond_grp);
 complete(&bond_grp->bond_work_done);
-
- return ret;
 }
static bool lowerstate_event_filter(struct hns_roce_bond_group *bond_grp, diff --git a/drivers/infiniband/hw/hns/hns_roce_bond.h b/drivers/infiniband/hw/hns/hns_roce_bond.h index 84cd243403ef..160657a32bfd 100644 --- a/drivers/infiniband/hw/hns/hns_roce_bond.h +++ b/drivers/infiniband/hw/hns/hns_roce_bond.h @@ -84,7 +84,7 @@ struct hns_roce_die_info { int hns_roce_bond_init(struct hns_roce_dev *hr_dev); int hns_roce_bond_event(struct notifier_block *self, unsigned long event, void *ptr); -int hns_roce_cleanup_bond(struct hns_roce_bond_group *bond_grp); +void hns_roce_cleanup_bond(struct hns_roce_bond_group *bond_grp); bool hns_roce_bond_is_active(struct hns_roce_dev *hr_dev); struct net_device *hns_roce_get_bond_netdev(struct hns_roce_dev *hr_dev); struct hns_roce_bond_group *hns_roce_get_bond_grp(struct net_device *net_dev,
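Review bot: The added `ibdev_info()` in hns_roce_cleanup_bond() is safe only because it sits before `complete(&bond_grp->bond_work_done)`, and nothing in the function says so. Going by the commit message, bond_grp is freed once this function is done, presumably by whoever waits on bond_work_done, so `complete()` has to stay the last access to bond_grp. I would add above it `/* Last use of bond_grp: the waiter may free it as soon as bond_work_done completes. */`. The start of the `ret = ...` statement lies outside the hunk, so the `main_hr_dev` check that makes the dereference in the `else` branch safe is inferred from the visible `: -EIO` arm rather than seen.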