From: Amir Vadai
Date: Mon, 1 Dec 2008 12:49:07 +0000 (+0200)
Subject: sdp: BUG1047 - crash in sdp_destroy_qp() when no memory
X-Git-Tag: v4.1.12-92~264^2~5^2~301
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=b538945b3a81ee4b3df089d96bbd007e722ddcec;p=users%2Fjedix%2Flinux-maple.git
sdp: BUG1047 - crash in sdp_destroy_qp() when no memory
fix initialization of sdp socket special attributes after sk_clone()
Signed-off-by: Amir Vadai
---
diff --git a/drivers/infiniband/ulp/sdp/sdp.h b/drivers/infiniband/ulp/sdp/sdp.h
index b2b51e047409e..d9da77679a504 100644
--- a/drivers/infiniband/ulp/sdp/sdp.h
+++ b/drivers/infiniband/ulp/sdp/sdp.h
@@ -351,6 +351,7 @@ int sdp_init_buffers(struct sdp_sock *ssk, u32 new_size);
 void sdp_post_keepalive(struct sdp_sock *ssk);
 void sdp_start_keepalive_timer(struct sock *sk);
 void sdp_bzcopy_write_space(struct sdp_sock *ssk);
+int sdp_init_sock(struct sock *sk);
 static inline struct sk_buff *sdp_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp)
 {
diff --git a/drivers/infiniband/ulp/sdp/sdp_cma.c b/drivers/infiniband/ulp/sdp/sdp_cma.c
index 46adfd7e6661c..ef72509778d31 100644
--- a/drivers/infiniband/ulp/sdp/sdp_cma.c
+++ b/drivers/infiniband/ulp/sdp/sdp_cma.c
@@ -187,8 +187,10 @@ err_mr:
 	ib_dealloc_pd(pd);
 err_pd:
 	kfree(sdp_sk(sk)->rx_ring);
+	sdp_sk(sk)->rx_ring = NULL;
 err_rx:
 	kfree(sdp_sk(sk)->tx_ring);
+	sdp_sk(sk)->tx_ring = NULL;
 err_tx:
 	return rc;
 }
@@ -212,11 +214,9 @@ static int sdp_connect_handler(struct sock *sk, struct rdma_cm_id *id,
 	if (!child)
 		return -ENOMEM;
+	sdp_init_sock(child);
+
 	sdp_add_sock(sdp_sk(child));
-	INIT_LIST_HEAD(&sdp_sk(child)->accept_queue);
-	INIT_LIST_HEAD(&sdp_sk(child)->backlog_queue);
-	INIT_DELAYED_WORK(&sdp_sk(child)->dreq_wait_work, sdp_dreq_wait_timeout_work);
-	INIT_WORK(&sdp_sk(child)->destroy_work, sdp_destroy_work);
 	dst_addr = (struct sockaddr_in *)&id->route.addr.dst_addr;
 	inet_sk(child)->dport = dst_addr->sin_port;
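Review bot: The result of the added `sdp_init_sock(child);` call in sdp_connect_handler is discarded, although the function is declared `int` in the new sdp.h prototype and sdp_create_socket in this same patch treats its return as an error code (`rc = sdp_init_sock(sk); if (rc) ...`). If it can fail on the accept path, the child proceeds into sdp_add_sock() and the rest of the handler only partly initialised, which is exactly the kind of state this fix is trying to remove. Either check it, e.g. `rc = sdp_init_sock(child); if (rc) goto <child teardown>;` using whatever release path the handler already has for `child`, or add a comment stating why it cannot fail here. sdp_connect_handler continues outside the hunk, so the right teardown label (and whether an `rc` local exists) is not visible from this view.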
diff --git a/drivers/infiniband/ulp/sdp/sdp_main.c b/drivers/infiniband/ulp/sdp/sdp_main.c
index 016360672cf2c..dd5463377b1c3 100644
--- a/drivers/infiniband/ulp/sdp/sdp_main.c
+++ b/drivers/infiniband/ulp/sdp/sdp_main.c
@@ -240,8 +240,14 @@ static void sdp_destroy_qp(struct sdp_sock *ssk)
 	sdp_remove_large_sock(ssk);
-	kfree(ssk->rx_ring);
-	kfree(ssk->tx_ring);
+	if (ssk->rx_ring) {
+		kfree(ssk->rx_ring);
+		ssk->rx_ring = NULL;
+	}
+	if (ssk->tx_ring) {
+		kfree(ssk->tx_ring);
+		ssk->tx_ring = NULL;
+	}
 }
@@ -902,15 +908,12 @@ out:
 	sock_put(sk, SOCK_REF_DREQ_TO);
 }
-static int sdp_init_sock(struct sock *sk)
+int sdp_init_sock(struct sock *sk)
 {
 	struct sdp_sock *ssk = sdp_sk(sk);
-	struct inet_sock *isk = (struct inet_sock *)sk;
 	sdp_dbg(sk, "%s\n", __func__);
-	memset(isk + 1, 0, sizeof(struct sdp_sock) - sizeof(*isk));
-
 	INIT_LIST_HEAD(&ssk->accept_queue);
 	INIT_LIST_HEAD(&ssk->backlog_queue);
 	INIT_DELAYED_WORK(&ssk->dreq_wait_work, sdp_dreq_wait_timeout_work);
@@ -918,6 +921,8 @@ static int sdp_init_sock(struct sock *sk)
 	sk->sk_route_caps |= NETIF_F_SG | NETIF_F_NO_CSUM;
+	ssk->rx_ring = NULL;
+	ssk->tx_ring = NULL;
 	ssk->sdp_disconnect = 0;
 	ssk->destructed_already = 0;
 	spin_lock_init(&ssk->lock);
@@ -2230,6 +2235,8 @@ static int sdp_create_socket(struct net *net, struct socket *sock, int protocol)
 	sock_init_data(sock, sk);
 	sk->sk_protocol = 0x0 /* TODO: inherit tcp socket to use IPPROTO_TCP */;
+	memset((struct inet_sock *)sk + 1, 0,
+	       sizeof(struct sdp_sock) - sizeof(struct inet_sock));
 	rc = sdp_init_sock(sk);
 	if (rc) {
 		sdp_warn(sk, "SDP: failed to init sock.\n");
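Review bot: The `if (ssk->rx_ring)` and `if (ssk->tx_ring)` guards added in sdp_destroy_qp are redundant: kfree(NULL) is a no-op and assigning NULL to an already-NULL pointer is harmless, so the same protection is four unconditional lines, `kfree(ssk->rx_ring); ssk->rx_ring = NULL; kfree(ssk->tx_ring); ssk->tx_ring = NULL;`, which reads more like the rest of the file. The NULLing is the part that matters and deserves a why-comment, since the symmetric NULL stores in the sdp_cma.c error path suggest these rings can be freed before this function runs; something like `/* clear after free: the rings may already have been released on an error path and this function may run again for the same socket */`, hedged to whatever the actual call sequence is, would keep a later cleanup from dropping the stores as pointless.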
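Review bot: Removing the `memset(isk + 1, 0, ...)` from sdp_init_sock changes its contract: any struct sdp_sock field the function does not assign now keeps whatever the caller left there, and on the sk_clone() path in sdp_connect_handler that means the listening parent's values, pointers included, rather than zeroes (sdp_create_socket compensates with its own memset; the clone path does not). That is presumably intentional for some fields, but it turns "every field that must not be inherited is reset here" into an unstated invariant that the next field added to sdp_sock can silently break, reproducing this very crash. A comment at the top of the function stating that sdp_create_socket() zeroes the SDP part of the sock before calling, that the sk_clone()d child in sdp_connect_handler() is not zeroed, and that every field that must not be inherited from the listener therefore has to be reset explicitly in this function, would make the rule visible. The body of sdp_init_sock runs past the hunk, so which fields it actually covers cannot be checked from here.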
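Review bot: The memset added to sdp_create_socket starts at `(struct inet_sock *)sk + 1` and spans `sizeof(struct sdp_sock) - sizeof(struct inet_sock)`, which is only the right range if struct inet_sock is the leading member of struct sdp_sock with no padding after it; the struct definition is not visible here and the expression does not state the assumption. A one-line comment, `/* zero the SDP-specific tail of the sock; sdp_init_sock() no longer does this itself */`, plus a BUILD_BUG_ON on the offset of the embedded inet_sock member (its name is not visible in this hunk) would pin the layout the arithmetic depends on. Note this is moved rather than new code, so the layout dependency predates the patch.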