Commit 7162a3e0 authored by Roland Dreier's avatar Roland Dreier
Browse files

[IB] uverbs: Avoid NULL pointer deref on CQ async event 



Userspace CQs that have no completion event channel attached end up
with their cq_context set to NULL.  However, asynchronous events like
"CQ overrun" can still occur on such CQs, so add a uverbs_file member
to struct ib_ucq_object that we can follow to deliver these events.

Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
parent a20583a7

drivers/infiniband/core/uverbs.h

+1 −0
Original line number Diff line number Diff line
@@ -113,6 +113,7 @@ struct ib_uevent_object { 


struct ib_ucq_object {

	struct ib_uobject	uobject;

	struct ib_uverbs_file  *uverbs_file;

	struct list_head	comp_list;

	struct list_head	async_list;

	u32			comp_events_reported;

drivers/infiniband/core/uverbs_cmd.c

+1 −0
Original line number Diff line number Diff line
@@ -602,6 +602,7 @@ ssize_t ib_uverbs_create_cq(struct ib_uverbs_file *file, 


	uobj->uobject.user_handle   = cmd.user_handle;

	uobj->uobject.context       = file->ucontext;

	uobj->uverbs_file	    = file;

	uobj->comp_events_reported  = 0;

	uobj->async_events_reported = 0;

	INIT_LIST_HEAD(&uobj->comp_list);

drivers/infiniband/core/uverbs_main.c

+3 −6
Original line number Diff line number Diff line
@@ -442,13 +442,10 @@ static void ib_uverbs_async_handler(struct ib_uverbs_file *file, 


void ib_uverbs_cq_event_handler(struct ib_event *event, void *context_ptr)

{

	struct ib_uverbs_event_file *ev_file = context_ptr;

	struct ib_ucq_object *uobj;



	uobj = container_of(event->element.cq->uobject,

	struct ib_ucq_object *uobj = container_of(event->element.cq->uobject,

						  struct ib_ucq_object, uobject);



	ib_uverbs_async_handler(ev_file->uverbs_file, uobj->uobject.user_handle,

	ib_uverbs_async_handler(uobj->uverbs_file, uobj->uobject.user_handle,

				event->event, &uobj->async_list,

				&uobj->async_events_reported);

CRA Git | Maintained and supported by SUSTech CRA and CCSE