Commit 8001b717 authored by Dan Carpenter's avatar Dan Carpenter Committed by Jason Gunthorpe

rdma/cxgb4: fix some info leaks

In c4iw_create_qp() there are several struct members which potentially
aren't initialized like uresp.rq_key.  I've fixed this code before in
commit ae1fe07f ("RDMA/cxgb4: Fix stack info leak in
c4iw_create_qp()") so this time I'm just going to take a big hammer
approach and memset the whole struct to zero.  Hopefully, it will stay
fixed this time.

In c4iw_create_srq() we don't clear uresp.reserved.

Fixes: 6a0b6174 ("rdma/cxgb4: Add support for kernel mode SRQ's")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Acked-by: default avatarRaju Rangoju <rajur@chelsio.com>
Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
parent 0425e3e6
...@@ -2088,6 +2088,7 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs, ...@@ -2088,6 +2088,7 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs,
goto err_free_sq_db_key; goto err_free_sq_db_key;
} }
} }
memset(&uresp, 0, sizeof(uresp));
if (t4_sq_onchip(&qhp->wq.sq)) { if (t4_sq_onchip(&qhp->wq.sq)) {
ma_sync_key_mm = kmalloc(sizeof(*ma_sync_key_mm), ma_sync_key_mm = kmalloc(sizeof(*ma_sync_key_mm),
GFP_KERNEL); GFP_KERNEL);
...@@ -2096,8 +2097,7 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs, ...@@ -2096,8 +2097,7 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs,
goto err_free_rq_db_key; goto err_free_rq_db_key;
} }
uresp.flags = C4IW_QPF_ONCHIP; uresp.flags = C4IW_QPF_ONCHIP;
} else }
uresp.flags = 0;
uresp.qid_mask = rhp->rdev.qpmask; uresp.qid_mask = rhp->rdev.qpmask;
uresp.sqid = qhp->wq.sq.qid; uresp.sqid = qhp->wq.sq.qid;
uresp.sq_size = qhp->wq.sq.size; uresp.sq_size = qhp->wq.sq.size;
...@@ -2111,8 +2111,6 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs, ...@@ -2111,8 +2111,6 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs,
if (ma_sync_key_mm) { if (ma_sync_key_mm) {
uresp.ma_sync_key = ucontext->key; uresp.ma_sync_key = ucontext->key;
ucontext->key += PAGE_SIZE; ucontext->key += PAGE_SIZE;
} else {
uresp.ma_sync_key = 0;
} }
uresp.sq_key = ucontext->key; uresp.sq_key = ucontext->key;
ucontext->key += PAGE_SIZE; ucontext->key += PAGE_SIZE;
...@@ -2601,6 +2599,7 @@ struct ib_srq *c4iw_create_srq(struct ib_pd *pd, struct ib_srq_init_attr *attrs, ...@@ -2601,6 +2599,7 @@ struct ib_srq *c4iw_create_srq(struct ib_pd *pd, struct ib_srq_init_attr *attrs,
ret = -ENOMEM; ret = -ENOMEM;
goto err_free_srq_key_mm; goto err_free_srq_key_mm;
} }
memset(&uresp, 0, sizeof(uresp));
uresp.flags = srq->flags; uresp.flags = srq->flags;
uresp.qid_mask = rhp->rdev.qpmask; uresp.qid_mask = rhp->rdev.qpmask;
uresp.srqid = srq->wq.qid; uresp.srqid = srq->wq.qid;
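Review bot: The `memset(&uresp, 0, sizeof(uresp));` added in c4iw_create_qp() has no comment saying why the whole struct is cleared, even though the commit message notes that this leak was fixed once before and came back. A one-line comment above it, such as `/* uresp is returned to user space: clear it fully, including reserved fields and padding */`, would tell a later cleanup not to drop the call as redundant or replace it with a brace initializer, which is not guaranteed to clear padding. The same comment applies to the memset added in c4iw_create_srq(). Both function bodies start and end outside the hunks shown, so the copy to user space is inferred from the commit description rather than visible here.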
......