Skip to content

Commit c296c0b

Browse files
committed
Merge branch 'smc-fixes'
Guangguan Wang says: ==================== net: several fixes for smc v1 -> v2: rewrite patch #2 suggested by Paolo. ==================== Signed-off-by: David S. Miller <[email protected]>
2 parents 429fde2 + c5b8ee5 commit c296c0b

File tree

4 files changed

+58
-8
lines changed

4 files changed

+58
-8
lines changed

net/smc/af_smc.c

Lines changed: 16 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2032,6 +2032,8 @@ static int smc_listen_prfx_check(struct smc_sock *new_smc,
20322032
if (pclc->hdr.typev1 == SMC_TYPE_N)
20332033
return 0;
20342034
pclc_prfx = smc_clc_proposal_get_prefix(pclc);
2035+
if (!pclc_prfx)
2036+
return -EPROTO;
20352037
if (smc_clc_prfx_match(newclcsock, pclc_prfx))
20362038
return SMC_CLC_DECL_DIFFPREFIX;
20372039

@@ -2145,6 +2147,8 @@ static void smc_find_ism_v2_device_serv(struct smc_sock *new_smc,
21452147
pclc_smcd = smc_get_clc_msg_smcd(pclc);
21462148
smc_v2_ext = smc_get_clc_v2_ext(pclc);
21472149
smcd_v2_ext = smc_get_clc_smcd_v2_ext(smc_v2_ext);
2150+
if (!pclc_smcd || !smc_v2_ext || !smcd_v2_ext)
2151+
goto not_found;
21482152

21492153
mutex_lock(&smcd_dev_list.mutex);
21502154
if (pclc_smcd->ism.chid) {
@@ -2221,7 +2225,9 @@ static void smc_find_ism_v1_device_serv(struct smc_sock *new_smc,
22212225
int rc = 0;
22222226

22232227
/* check if ISM V1 is available */
2224-
if (!(ini->smcd_version & SMC_V1) || !smcd_indicated(ini->smc_type_v1))
2228+
if (!(ini->smcd_version & SMC_V1) ||
2229+
!smcd_indicated(ini->smc_type_v1) ||
2230+
!pclc_smcd)
22252231
goto not_found;
22262232
ini->is_smcd = true; /* prepare ISM check */
22272233
ini->ism_peer_gid[0].gid = ntohll(pclc_smcd->ism.gid);
@@ -2272,7 +2278,8 @@ static void smc_find_rdma_v2_device_serv(struct smc_sock *new_smc,
22722278
goto not_found;
22732279

22742280
smc_v2_ext = smc_get_clc_v2_ext(pclc);
2275-
if (!smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))
2281+
if (!smc_v2_ext ||
2282+
!smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))
22762283
goto not_found;
22772284

22782285
/* prepare RDMA check */
@@ -2881,6 +2888,13 @@ __poll_t smc_poll(struct file *file, struct socket *sock,
28812888
} else {
28822889
sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk);
28832890
set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
2891+
2892+
if (sk->sk_state != SMC_INIT) {
2893+
/* Race breaker the same way as tcp_poll(). */
2894+
smp_mb__after_atomic();
2895+
if (atomic_read(&smc->conn.sndbuf_space))
2896+
mask |= EPOLLOUT | EPOLLWRNORM;
2897+
}
28842898
}
28852899
if (atomic_read(&smc->conn.bytes_to_rcv))
28862900
mask |= EPOLLIN | EPOLLRDNORM;

net/smc/smc_clc.c

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -352,8 +352,11 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc)
352352
struct smc_clc_msg_hdr *hdr = &pclc->hdr;
353353
struct smc_clc_v2_extension *v2_ext;
354354

355-
v2_ext = smc_get_clc_v2_ext(pclc);
356355
pclc_prfx = smc_clc_proposal_get_prefix(pclc);
356+
if (!pclc_prfx ||
357+
pclc_prfx->ipv6_prefixes_cnt > SMC_CLC_MAX_V6_PREFIX)
358+
return false;
359+
357360
if (hdr->version == SMC_V1) {
358361
if (hdr->typev1 == SMC_TYPE_N)
359362
return false;
@@ -365,6 +368,13 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc)
365368
sizeof(struct smc_clc_msg_trail))
366369
return false;
367370
} else {
371+
v2_ext = smc_get_clc_v2_ext(pclc);
372+
if ((hdr->typev2 != SMC_TYPE_N &&
373+
(!v2_ext || v2_ext->hdr.eid_cnt > SMC_CLC_MAX_UEID)) ||
374+
(smcd_indicated(hdr->typev2) &&
375+
v2_ext->hdr.ism_gid_cnt > SMCD_CLC_MAX_V2_GID_ENTRIES))
376+
return false;
377+
368378
if (ntohs(hdr->length) !=
369379
sizeof(*pclc) +
370380
sizeof(struct smc_clc_msg_smcd) +
@@ -764,6 +774,11 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
764774
SMC_CLC_RECV_BUF_LEN : datlen;
765775
iov_iter_kvec(&msg.msg_iter, ITER_DEST, &vec, 1, recvlen);
766776
len = sock_recvmsg(smc->clcsock, &msg, krflags);
777+
if (len < recvlen) {
778+
smc->sk.sk_err = EPROTO;
779+
reason_code = -EPROTO;
780+
goto out;
781+
}
767782
datlen -= len;
768783
}
769784
if (clcm->type == SMC_CLC_DECLINE) {

net/smc/smc_clc.h

Lines changed: 19 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -336,8 +336,12 @@ struct smc_clc_msg_decline_v2 { /* clc decline message */
336336
static inline struct smc_clc_msg_proposal_prefix *
337337
smc_clc_proposal_get_prefix(struct smc_clc_msg_proposal *pclc)
338338
{
339+
u16 offset = ntohs(pclc->iparea_offset);
340+
341+
if (offset > sizeof(struct smc_clc_msg_smcd))
342+
return NULL;
339343
return (struct smc_clc_msg_proposal_prefix *)
340-
((u8 *)pclc + sizeof(*pclc) + ntohs(pclc->iparea_offset));
344+
((u8 *)pclc + sizeof(*pclc) + offset);
341345
}
342346

343347
static inline bool smcr_indicated(int smc_type)
@@ -376,8 +380,14 @@ static inline struct smc_clc_v2_extension *
376380
smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop)
377381
{
378382
struct smc_clc_msg_smcd *prop_smcd = smc_get_clc_msg_smcd(prop);
383+
u16 max_offset;
379384

380-
if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset))
385+
max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) -
386+
offsetof(struct smc_clc_msg_proposal_area, pclc_smcd) -
387+
offsetofend(struct smc_clc_msg_smcd, v2_ext_offset);
388+
389+
if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset) ||
390+
ntohs(prop_smcd->v2_ext_offset) > max_offset)
381391
return NULL;
382392

383393
return (struct smc_clc_v2_extension *)
@@ -390,9 +400,15 @@ smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop)
390400
static inline struct smc_clc_smcd_v2_extension *
391401
smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext)
392402
{
403+
u16 max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_smcd_v2_ext) -
404+
offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) -
405+
offsetof(struct smc_clc_v2_extension, hdr) -
406+
offsetofend(struct smc_clnt_opts_area_hdr, smcd_v2_ext_offset);
407+
393408
if (!prop_v2ext)
394409
return NULL;
395-
if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset))
410+
if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) ||
411+
ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) > max_offset)
396412
return NULL;
397413

398414
return (struct smc_clc_smcd_v2_extension *)

net/smc/smc_core.c

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1818,7 +1818,9 @@ void smcr_link_down_cond_sched(struct smc_link *lnk)
18181818
{
18191819
if (smc_link_downing(&lnk->state)) {
18201820
trace_smcr_link_down(lnk, __builtin_return_address(0));
1821-
schedule_work(&lnk->link_down_wrk);
1821+
smcr_link_hold(lnk); /* smcr_link_put in link_down_wrk */
1822+
if (!schedule_work(&lnk->link_down_wrk))
1823+
smcr_link_put(lnk);
18221824
}
18231825
}
18241826

@@ -1850,11 +1852,14 @@ static void smc_link_down_work(struct work_struct *work)
18501852
struct smc_link_group *lgr = link->lgr;
18511853

18521854
if (list_empty(&lgr->list))
1853-
return;
1855+
goto out;
18541856
wake_up_all(&lgr->llc_msg_waiter);
18551857
down_write(&lgr->llc_conf_mutex);
18561858
smcr_link_down(link);
18571859
up_write(&lgr->llc_conf_mutex);
1860+
1861+
out:
1862+
smcr_link_put(link); /* smcr_link_hold by schedulers of link_down_work */
18581863
}
18591864

18601865
static int smc_vlan_by_tcpsk_walk(struct net_device *lower_dev,

0 commit comments

Comments
 (0)