From f4b682d5655a14661118bcef63853b55361df269 Mon Sep 17 00:00:00 2001
From: Md Haris Iqbal <haris.iqbal@ionos.com>
Date: Tue, 29 Oct 2024 15:16:12 +0800
Subject: [PATCH] RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds

mainline inclusion
from mainline-v6.12-rc1
commit 3e4289b29e216a55d08a89e126bc0b37cbad9f38
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPK0
CVE: CVE-2024-47695

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e4289b29e216a55d08a89e126bc0b37cbad9f38

-------------------------------------------------

In the function init_conns(), after the create_con() and create_cm() for
loop if something fails. In the cleanup for loop after the destroy tag, we
access out of bound memory because cid is set to clt_path->s.con_num.

This commits resets the cid to clt_path->s.con_num - 1, to stay in bounds
in the cleanup loop later.

Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
Signed-off-by: Md Haris Iqbal <haris.iqbal@ionos.com>
Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: Grzegorz Prajsner <grzegorz.prajsner@ionos.com>
Link: https://patch.msgid.link/20240821112217.41827-7-haris.iqbal@ionos.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>

Conflicts:
	drivers/infiniband/ulp/rtrs/rtrs-clt.c
[Did not backport 9c29c8c7df068, caa84d95c78f3.]
Signed-off-by: Liu Jian <liujian56@huawei.com>
---
 drivers/infiniband/ulp/rtrs/rtrs-clt.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
index 5c39e4c4bef7..aa3baee189c7 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
@@ -2231,6 +2231,12 @@ static int init_conns(struct rtrs_clt_sess *sess)
 			goto destroy;
 		}
 	}
+
+	/*
+	 * Set the cid to con_num - 1, since if we fail later, we want to stay in bounds.
+	 */
+	cid = sess->s.con_num - 1;
+
 	err = alloc_sess_reqs(sess);
 	if (err)
 		goto destroy;
-- 
Gitee