mirror of
https://github.com/torvalds/linux.git
synced 2024-12-24 11:51:27 +00:00
RDMA/uverbs: Do not check the input length on create_cq/qp paths
If the user did not provide a long enough command buffer then the missing bytes are forced to zero. There is no reason to check the length if a zero value is OK. Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> Signed-off-by: Leon Romanovsky <leonro@mellanox.com> Signed-off-by: Doug Ledford <dledford@redhat.com>
This commit is contained in:
parent
c3bea3d2dc
commit
ece9ca97cc
@ -1018,8 +1018,7 @@ static int ib_uverbs_create_comp_channel(struct uverbs_attr_bundle *attrs,
|
|||||||
}
|
}
|
||||||
|
|
||||||
static struct ib_ucq_object *create_cq(struct uverbs_attr_bundle *attrs,
|
static struct ib_ucq_object *create_cq(struct uverbs_attr_bundle *attrs,
|
||||||
struct ib_uverbs_ex_create_cq *cmd,
|
struct ib_uverbs_ex_create_cq *cmd)
|
||||||
size_t cmd_sz)
|
|
||||||
{
|
{
|
||||||
struct ib_ucq_object *obj;
|
struct ib_ucq_object *obj;
|
||||||
struct ib_uverbs_completion_event_file *ev_file = NULL;
|
struct ib_uverbs_completion_event_file *ev_file = NULL;
|
||||||
@ -1053,9 +1052,7 @@ static struct ib_ucq_object *create_cq(struct uverbs_attr_bundle *attrs,
|
|||||||
|
|
||||||
attr.cqe = cmd->cqe;
|
attr.cqe = cmd->cqe;
|
||||||
attr.comp_vector = cmd->comp_vector;
|
attr.comp_vector = cmd->comp_vector;
|
||||||
|
attr.flags = cmd->flags;
|
||||||
if (cmd_sz > offsetof(typeof(*cmd), flags) + sizeof(cmd->flags))
|
|
||||||
attr.flags = cmd->flags;
|
|
||||||
|
|
||||||
cq = ib_dev->create_cq(ib_dev, &attr, obj->uobject.context,
|
cq = ib_dev->create_cq(ib_dev, &attr, obj->uobject.context,
|
||||||
&attrs->driver_udata);
|
&attrs->driver_udata);
|
||||||
@ -1120,9 +1117,7 @@ static int ib_uverbs_create_cq(struct uverbs_attr_bundle *attrs,
|
|||||||
cmd_ex.comp_vector = cmd.comp_vector;
|
cmd_ex.comp_vector = cmd.comp_vector;
|
||||||
cmd_ex.comp_channel = cmd.comp_channel;
|
cmd_ex.comp_channel = cmd.comp_channel;
|
||||||
|
|
||||||
obj = create_cq(attrs, &cmd_ex,
|
obj = create_cq(attrs, &cmd_ex);
|
||||||
offsetof(typeof(cmd_ex), comp_channel) +
|
|
||||||
sizeof(cmd.comp_channel));
|
|
||||||
return PTR_ERR_OR_ZERO(obj);
|
return PTR_ERR_OR_ZERO(obj);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1143,7 +1138,7 @@ static int ib_uverbs_ex_create_cq(struct uverbs_attr_bundle *attrs,
|
|||||||
if (cmd.reserved)
|
if (cmd.reserved)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
obj = create_cq(attrs, &cmd, min(ucore->inlen, sizeof(cmd)));
|
obj = create_cq(attrs, &cmd);
|
||||||
return PTR_ERR_OR_ZERO(obj);
|
return PTR_ERR_OR_ZERO(obj);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1309,7 +1304,7 @@ static int ib_uverbs_destroy_cq(struct uverbs_attr_bundle *attrs,
|
|||||||
}
|
}
|
||||||
|
|
||||||
static int create_qp(struct uverbs_attr_bundle *attrs,
|
static int create_qp(struct uverbs_attr_bundle *attrs,
|
||||||
struct ib_uverbs_ex_create_qp *cmd, size_t cmd_sz)
|
struct ib_uverbs_ex_create_qp *cmd)
|
||||||
{
|
{
|
||||||
struct ib_uqp_object *obj;
|
struct ib_uqp_object *obj;
|
||||||
struct ib_device *device;
|
struct ib_device *device;
|
||||||
@ -1319,7 +1314,6 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
|
|||||||
struct ib_cq *scq = NULL, *rcq = NULL;
|
struct ib_cq *scq = NULL, *rcq = NULL;
|
||||||
struct ib_srq *srq = NULL;
|
struct ib_srq *srq = NULL;
|
||||||
struct ib_qp *qp;
|
struct ib_qp *qp;
|
||||||
char *buf;
|
|
||||||
struct ib_qp_init_attr attr = {};
|
struct ib_qp_init_attr attr = {};
|
||||||
struct ib_uverbs_ex_create_qp_resp resp;
|
struct ib_uverbs_ex_create_qp_resp resp;
|
||||||
int ret;
|
int ret;
|
||||||
@ -1338,9 +1332,7 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
|
|||||||
obj->uevent.uobject.user_handle = cmd->user_handle;
|
obj->uevent.uobject.user_handle = cmd->user_handle;
|
||||||
mutex_init(&obj->mcast_lock);
|
mutex_init(&obj->mcast_lock);
|
||||||
|
|
||||||
if (cmd_sz >= offsetof(typeof(*cmd), rwq_ind_tbl_handle) +
|
if (cmd->comp_mask & IB_UVERBS_CREATE_QP_MASK_IND_TABLE) {
|
||||||
sizeof(cmd->rwq_ind_tbl_handle) &&
|
|
||||||
(cmd->comp_mask & IB_UVERBS_CREATE_QP_MASK_IND_TABLE)) {
|
|
||||||
ind_tbl = uobj_get_obj_read(rwq_ind_table,
|
ind_tbl = uobj_get_obj_read(rwq_ind_table,
|
||||||
UVERBS_OBJECT_RWQ_IND_TBL,
|
UVERBS_OBJECT_RWQ_IND_TBL,
|
||||||
cmd->rwq_ind_tbl_handle, attrs);
|
cmd->rwq_ind_tbl_handle, attrs);
|
||||||
@ -1438,10 +1430,7 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
|
|||||||
INIT_LIST_HEAD(&obj->uevent.event_list);
|
INIT_LIST_HEAD(&obj->uevent.event_list);
|
||||||
INIT_LIST_HEAD(&obj->mcast_list);
|
INIT_LIST_HEAD(&obj->mcast_list);
|
||||||
|
|
||||||
if (cmd_sz >= offsetof(typeof(*cmd), create_flags) +
|
attr.create_flags = cmd->create_flags;
|
||||||
sizeof(cmd->create_flags))
|
|
||||||
attr.create_flags = cmd->create_flags;
|
|
||||||
|
|
||||||
if (attr.create_flags & ~(IB_QP_CREATE_BLOCK_MULTICAST_LOOPBACK |
|
if (attr.create_flags & ~(IB_QP_CREATE_BLOCK_MULTICAST_LOOPBACK |
|
||||||
IB_QP_CREATE_CROSS_CHANNEL |
|
IB_QP_CREATE_CROSS_CHANNEL |
|
||||||
IB_QP_CREATE_MANAGED_SEND |
|
IB_QP_CREATE_MANAGED_SEND |
|
||||||
@ -1463,14 +1452,6 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
|
|||||||
attr.source_qpn = cmd->source_qpn;
|
attr.source_qpn = cmd->source_qpn;
|
||||||
}
|
}
|
||||||
|
|
||||||
buf = (void *)cmd + sizeof(*cmd);
|
|
||||||
if (cmd_sz > sizeof(*cmd))
|
|
||||||
if (!(buf[0] == 0 && !memcmp(buf, buf + 1,
|
|
||||||
cmd_sz - sizeof(*cmd) - 1))) {
|
|
||||||
ret = -EINVAL;
|
|
||||||
goto err_put;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cmd->qp_type == IB_QPT_XRC_TGT)
|
if (cmd->qp_type == IB_QPT_XRC_TGT)
|
||||||
qp = ib_create_qp(pd, &attr);
|
qp = ib_create_qp(pd, &attr);
|
||||||
else
|
else
|
||||||
@ -1594,8 +1575,7 @@ static int ib_uverbs_create_qp(struct uverbs_attr_bundle *attrs,
|
|||||||
cmd_ex.qp_type = cmd.qp_type;
|
cmd_ex.qp_type = cmd.qp_type;
|
||||||
cmd_ex.is_srq = cmd.is_srq;
|
cmd_ex.is_srq = cmd.is_srq;
|
||||||
|
|
||||||
return create_qp(attrs, &cmd_ex,
|
return create_qp(attrs, &cmd_ex);
|
||||||
offsetof(typeof(cmd_ex), is_srq) + sizeof(cmd.is_srq));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static int ib_uverbs_ex_create_qp(struct uverbs_attr_bundle *attrs,
|
static int ib_uverbs_ex_create_qp(struct uverbs_attr_bundle *attrs,
|
||||||
@ -1614,7 +1594,7 @@ static int ib_uverbs_ex_create_qp(struct uverbs_attr_bundle *attrs,
|
|||||||
if (cmd.reserved)
|
if (cmd.reserved)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
return create_qp(attrs, &cmd, min(ucore->inlen, sizeof(cmd)));
|
return create_qp(attrs, &cmd);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int ib_uverbs_open_qp(struct uverbs_attr_bundle *attrs,
|
static int ib_uverbs_open_qp(struct uverbs_attr_bundle *attrs,
|
||||||
|
Loading…
Reference in New Issue
Block a user