
Commit ece9ca9

jgunthorpedledford
authored andcommitted
RDMA/uverbs: Do not check the input length on create_cq/qp paths
If the user did not provide a long enough command buffer then the missing bytes are forced to zero. There is no reason to check the length if a zero value is OK. Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> Signed-off-by: Leon Romanovsky <leonro@mellanox.com> Signed-off-by: Doug Ledford <dledford@redhat.com>
1 parent c3bea3d commit ece9ca9


1 file changed

+9
-29
lines changed


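--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1018,8 +1018,7 @@ static int ib_uverbs_create_comp_channel(struct uverbs_attr_bundle *attrs,
 }
 
 static struct ib_ucq_object *create_cq(struct uverbs_attr_bundle *attrs,
-struct ib_uverbs_ex_create_cq *cmd,
-size_t cmd_sz)
+struct ib_uverbs_ex_create_cq *cmd)
 {
 struct ib_ucq_object *obj;
 struct ib_uverbs_completion_event_file *ev_file = NULL;
@@ -1053,9 +1052,7 @@ static struct ib_ucq_object *create_cq(struct uverbs_attr_bundle *attrs,
 
 attr.cqe = cmd->cqe;
 attr.comp_vector = cmd->comp_vector;
-
-if (cmd_sz > offsetof(typeof(*cmd), flags) + sizeof(cmd->flags))
-attr.flags = cmd->flags;
+attr.flags = cmd->flags;
 
 cq = ib_dev->create_cq(ib_dev, &attr, obj->uobject.context,
 &attrs->driver_udata);
@@ -1120,9 +1117,7 @@ static int ib_uverbs_create_cq(struct uverbs_attr_bundle *attrs,
 cmd_ex.comp_vector = cmd.comp_vector;
 cmd_ex.comp_channel = cmd.comp_channel;
 
-obj = create_cq(attrs, &cmd_ex,
-offsetof(typeof(cmd_ex), comp_channel) +
-sizeof(cmd.comp_channel));
+obj = create_cq(attrs, &cmd_ex);
 return PTR_ERR_OR_ZERO(obj);
 }
 
@@ -1143,7 +1138,7 @@ static int ib_uverbs_ex_create_cq(struct uverbs_attr_bundle *attrs,
 if (cmd.reserved)
 return -EINVAL;
 
-obj = create_cq(attrs, &cmd, min(ucore->inlen, sizeof(cmd)));
+obj = create_cq(attrs, &cmd);
 return PTR_ERR_OR_ZERO(obj);
 }
 
@@ -1309,7 +1304,7 @@ static int ib_uverbs_destroy_cq(struct uverbs_attr_bundle *attrs,
 }
 
 static int create_qp(struct uverbs_attr_bundle *attrs,
-struct ib_uverbs_ex_create_qp *cmd, size_t cmd_sz)
+struct ib_uverbs_ex_create_qp *cmd)
 {
 struct ib_uqp_object *obj;
 struct ib_device *device;
@@ -1319,7 +1314,6 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 struct ib_cq *scq = NULL, *rcq = NULL;
 struct ib_srq *srq = NULL;
 struct ib_qp *qp;
-char *buf;
 struct ib_qp_init_attr attr = {};
 struct ib_uverbs_ex_create_qp_resp resp;
 int ret;
@@ -1338,9 +1332,7 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 obj->uevent.uobject.user_handle = cmd->user_handle;
 mutex_init(&obj->mcast_lock);
 
-if (cmd_sz >= offsetof(typeof(*cmd), rwq_ind_tbl_handle) +
-sizeof(cmd->rwq_ind_tbl_handle) &&
-(cmd->comp_mask & IB_UVERBS_CREATE_QP_MASK_IND_TABLE)) {
+if (cmd->comp_mask & IB_UVERBS_CREATE_QP_MASK_IND_TABLE) {
 ind_tbl = uobj_get_obj_read(rwq_ind_table,
 UVERBS_OBJECT_RWQ_IND_TBL,
 cmd->rwq_ind_tbl_handle, attrs);
@@ -1438,10 +1430,7 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 INIT_LIST_HEAD(&obj->uevent.event_list);
 INIT_LIST_HEAD(&obj->mcast_list);
 
-if (cmd_sz >= offsetof(typeof(*cmd), create_flags) +
-sizeof(cmd->create_flags))
-attr.create_flags = cmd->create_flags;
-
+attr.create_flags = cmd->create_flags;
 if (attr.create_flags & ~(IB_QP_CREATE_BLOCK_MULTICAST_LOOPBACK |
 IB_QP_CREATE_CROSS_CHANNEL |
 IB_QP_CREATE_MANAGED_SEND |
@@ -1463,14 +1452,6 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 attr.source_qpn = cmd->source_qpn;
 }
 
-buf = (void *)cmd + sizeof(*cmd);
-if (cmd_sz > sizeof(*cmd))
-if (!(buf[0] == 0 && !memcmp(buf, buf + 1,
-cmd_sz - sizeof(*cmd) - 1))) {
-ret = -EINVAL;
-goto err_put;
-}
-
 if (cmd->qp_type == IB_QPT_XRC_TGT)
 qp = ib_create_qp(pd, &attr);
 else
@@ -1594,8 +1575,7 @@ static int ib_uverbs_create_qp(struct uverbs_attr_bundle *attrs,
 cmd_ex.qp_type = cmd.qp_type;
 cmd_ex.is_srq = cmd.is_srq;
 
-return create_qp(attrs, &cmd_ex,
-offsetof(typeof(cmd_ex), is_srq) + sizeof(cmd.is_srq));
+return create_qp(attrs, &cmd_ex);
 }
 
 static int ib_uverbs_ex_create_qp(struct uverbs_attr_bundle *attrs,
@@ -1614,7 +1594,7 @@ static int ib_uverbs_ex_create_qp(struct uverbs_attr_bundle *attrs,
 if (cmd.reserved)
 return -EINVAL;
 
-return create_qp(attrs, &cmd, min(ucore->inlen, sizeof(cmd)));
+return create_qp(attrs, &cmd);
 }
 
 static int ib_uverbs_open_qp(struct uverbs_attr_bundle *attrs,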
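Review bot: With the `cmd_sz` guards gone, `create_cq()` and `create_qp()` read `cmd->flags`, `cmd->rwq_ind_tbl_handle` and `cmd->create_flags` unconditionally, so every caller must now pass a fully initialized struct, and nothing at either helper states that precondition. For the legacy entry points `ib_uverbs_create_cq()` and `ib_uverbs_create_qp()`, which fill `cmd_ex` field by field, the zeroing of `cmd_ex` lies outside the visible hunks and should be confirmed, since an unzeroed stack struct would pass stale `flags`, `comp_mask` or `create_flags` on to the driver. I would add a comment above each helper such as `/* cmd must be fully initialized: fields the user did not supply are zero */`. The dropped trailing-bytes check in `create_qp()` was unreachable, because every caller capped `cmd_sz` at or below the struct size, so rejecting non-zero input past the struct presumably rests with the request-copy code, which is not shown here and is worth verifying.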
