[PATCH OLK-6.6 2/2] RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg()

11 Nov 2024

From: Junxian Huang huangjunxian6@hisilicon.com
maillist inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB30V8
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git/commit/?id=6b5...
----------------------------------------------------------------------
ib_map_mr_sg() allows ULPs to specify NULL as the sg_offset argument.
The driver needs to check whether it is a NULL pointer before
dereferencing it.
Fixes: 8176dac4d22a ("RDMA/hns: Fix missing pagesize and alignment check in FRMR")
Signed-off-by: Junxian Huang huangjunxian6@hisilicon.com
Link: https://patch.msgid.link/20241108075743.2652258-3-huangjunxian6@hisilicon.co...
Signed-off-by: Leon Romanovsky leon@kernel.org
Signed-off-by: Xinghai Cen cenxinghai@h-partners.com
---
 drivers/infiniband/hw/hns/hns_roce_mr.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c
index 86107cb88cca..5c4b6c4f4ca7 100644
--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
+++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
@@ -453,15 +453,16 @@ static int hns_roce_set_page(struct ib_mr *ibmr, u64 addr)
 }
int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents,
-		       unsigned int *sg_offset)
+		       unsigned int *sg_offset_p)
 {
+	unsigned int sg_offset = sg_offset_p ? *sg_offset_p : 0;
    struct hns_roce_dev *hr_dev = to_hr_dev(ibmr->device);
    struct ib_device *ibdev = &hr_dev->ib_dev;
    struct hns_roce_mr *mr = to_hr_mr(ibmr);
    struct hns_roce_mtr *mtr = &mr->pbl_mtr;
    int ret, sg_num = 0;
-	if (!IS_ALIGNED(*sg_offset, HNS_ROCE_FRMR_ALIGN_SIZE) ||
+	if (!IS_ALIGNED(sg_offset, HNS_ROCE_FRMR_ALIGN_SIZE) ||
        ibmr->page_size < HNS_HW_PAGE_SIZE ||
        ibmr->page_size > HNS_HW_MAX_PAGE_SIZE)
    	return sg_num;
@@ -472,7 +473,7 @@ int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents,
    if (!mr->page_list)
    	return sg_num;
-	sg_num = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, hns_roce_set_page);
+	sg_num = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset_p, hns_roce_set_page);
    if (sg_num < 1) {
    	ibdev_err(ibdev, "failed to store sg pages %u %u, cnt = %d.\n",
    		  mr->npages, mr->pbl_mtr.hem_cfg.buf_pg_count, sg_num);
-- 
2.33.0


    

2024

2023

2022

2021

2020

2019

[PATCH OLK-6.6 2/2] RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg()