sdp: BUG1047 - crash in sdp_destroy_qp() when no memory

fix initialization of sdp socket special attributes after sk_clone()

Signed-off-by: Amir Vadai <amirv@mellanox.co.il>

diff --git a/drivers/infiniband/ulp/sdp/sdp.h b/drivers/infiniband/ulp/sdp/sdp.h
index b2b51e047409ea9a7f2c1d5d468fcd19669bc714..d9da77679a5041d9941697073ed5f459af9875d7 100644 (file)
--- a/drivers/infiniband/ulp/sdp/sdp.h
+++ b/drivers/infiniband/ulp/sdp/sdp.h
@@ -351,6 +351,7 @@ int sdp_init_buffers(struct sdp_sock *ssk, u32 new_size);
 void sdp_post_keepalive(struct sdp_sock *ssk);
 void sdp_start_keepalive_timer(struct sock *sk);
 void sdp_bzcopy_write_space(struct sdp_sock *ssk);
+int sdp_init_sock(struct sock *sk);
 
 static inline struct sk_buff *sdp_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp)
 {

diff --git a/drivers/infiniband/ulp/sdp/sdp_cma.c b/drivers/infiniband/ulp/sdp/sdp_cma.c
index 46adfd7e6661c204e30951deb814763aa57ae552..ef72509778d31656478e7078eedcc691a1e49169 100644 (file)
--- a/drivers/infiniband/ulp/sdp/sdp_cma.c
+++ b/drivers/infiniband/ulp/sdp/sdp_cma.c
@@ -187,8 +187,10 @@ err_mr:
        ib_dealloc_pd(pd);
 err_pd:
        kfree(sdp_sk(sk)->rx_ring);
+       sdp_sk(sk)->rx_ring = NULL;
 err_rx:
        kfree(sdp_sk(sk)->tx_ring);
+       sdp_sk(sk)->tx_ring = NULL;
 err_tx:
        return rc;
 }
@@ -212,11 +214,9 @@ static int sdp_connect_handler(struct sock *sk, struct rdma_cm_id *id,
        if (!child)
                return -ENOMEM;
 
+       sdp_init_sock(child);
+
        sdp_add_sock(sdp_sk(child));
-       INIT_LIST_HEAD(&sdp_sk(child)->accept_queue);
-       INIT_LIST_HEAD(&sdp_sk(child)->backlog_queue);
-       INIT_DELAYED_WORK(&sdp_sk(child)->dreq_wait_work, sdp_dreq_wait_timeout_work);
-       INIT_WORK(&sdp_sk(child)->destroy_work, sdp_destroy_work);
 
        dst_addr = (struct sockaddr_in *)&id->route.addr.dst_addr;
        inet_sk(child)->dport = dst_addr->sin_port;

diff --git a/drivers/infiniband/ulp/sdp/sdp_main.c b/drivers/infiniband/ulp/sdp/sdp_main.c
index 016360672cf2c4f5f258bcd52741b7f726650107..dd5463377b1c3507d0977e135e9f781146c76d27 100644 (file)
--- a/drivers/infiniband/ulp/sdp/sdp_main.c
+++ b/drivers/infiniband/ulp/sdp/sdp_main.c
@@ -240,8 +240,14 @@ static void sdp_destroy_qp(struct sdp_sock *ssk)
 
        sdp_remove_large_sock(ssk);
 
-       kfree(ssk->rx_ring);
-       kfree(ssk->tx_ring);
+       if (ssk->rx_ring) {
+               kfree(ssk->rx_ring);
+               ssk->rx_ring = NULL;
+       }
+       if (ssk->tx_ring) {
+               kfree(ssk->tx_ring);
+               ssk->tx_ring = NULL;
+       }
 }
 
 
@@ -902,15 +908,12 @@ out:
        sock_put(sk, SOCK_REF_DREQ_TO);
 }
 
-static int sdp_init_sock(struct sock *sk)
+int sdp_init_sock(struct sock *sk)
 {
        struct sdp_sock *ssk = sdp_sk(sk);
-       struct inet_sock *isk = (struct inet_sock *)sk;
 
        sdp_dbg(sk, "%s\n", __func__);
 
-       memset(isk + 1, 0, sizeof(struct sdp_sock) - sizeof(*isk));
-
        INIT_LIST_HEAD(&ssk->accept_queue);
        INIT_LIST_HEAD(&ssk->backlog_queue);
        INIT_DELAYED_WORK(&ssk->dreq_wait_work, sdp_dreq_wait_timeout_work);
@@ -918,6 +921,8 @@ static int sdp_init_sock(struct sock *sk)
 
        sk->sk_route_caps |= NETIF_F_SG | NETIF_F_NO_CSUM;
 
+       ssk->rx_ring = NULL;
+       ssk->tx_ring = NULL;
        ssk->sdp_disconnect = 0;
        ssk->destructed_already = 0;
        spin_lock_init(&ssk->lock);
@@ -2230,6 +2235,8 @@ static int sdp_create_socket(struct net *net, struct socket *sock, int protocol)
        sock_init_data(sock, sk);
        sk->sk_protocol = 0x0 /* TODO: inherit tcp socket to use IPPROTO_TCP */;
 
+       memset((struct inet_sock *)sk + 1, 0,
+                       sizeof(struct sdp_sock) - sizeof(struct inet_sock));
        rc = sdp_init_sock(sk);
        if (rc) {
                sdp_warn(sk, "SDP: failed to init sock.\n");