forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

RDMA/core: Sanitize WQ state received from the userspace

Browse source 
[ Upstream commit f974428872 ]

The mlx4 and mlx5 implemented differently the WQ input checks.  Instead of
duplicating mlx4 logic in the mlx5, let's prepare the input in the central
place.

The mlx5 implementation didn't check for validity of state input.  It is
not real bug because our FW checked that, but still worth to fix.

Fixes: f213c05272 ("IB/uverbs: Add WQ support")
Link: https://lore.kernel.org/r/ac41ad6a81b095b1a8ad453dcf62cf8d3c5da779.1621413310.git.leonro@nvidia.com
Reported-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Leon Romanovsky 2021-05-19 11:37:31 +03:00 committed by Greg Kroah-Hartman
commit 42800fcff3
3 changed files with 23 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

21
drivers/infiniband/core/uverbs_cmd.c
View file

@ -3000,12 +3000,29 @@ static int ib_uverbs_ex_modify_wq(struct uverbs_attr_bundle *attrs)
if (!wq)
return -EINVAL;
wq_attr.curr_wq_state = cmd.curr_wq_state;
wq_attr.wq_state = cmd.wq_state;
if (cmd.attr_mask & IB_WQ_FLAGS) {
wq_attr.flags = cmd.flags;
wq_attr.flags_mask = cmd.flags_mask;
}
if (cmd.attr_mask & IB_WQ_CUR_STATE) {
if (cmd.curr_wq_state > IB_WQS_ERR)
return -EINVAL;
wq_attr.curr_wq_state = cmd.curr_wq_state;
} else {
wq_attr.curr_wq_state = wq->state;
}
if (cmd.attr_mask & IB_WQ_STATE) {
if (cmd.wq_state > IB_WQS_ERR)
return -EINVAL;
wq_attr.wq_state = cmd.wq_state;
} else {
wq_attr.wq_state = wq_attr.curr_wq_state;
}
ret = wq->device->ops.modify_wq(wq, &wq_attr, cmd.attr_mask,
&attrs->driver_udata);
rdma_lookup_put_uobject(&wq->uobject->uevent.uobject,

9
drivers/infiniband/hw/mlx4/qp.c
View file

@ -4244,13 +4244,8 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr,
if (wq_attr_mask & IB_WQ_FLAGS)
return -EOPNOTSUPP;
cur_state = wq_attr_mask & IB_WQ_CUR_STATE ? wq_attr->curr_wq_state :
ibwq->state;
new_state = wq_attr_mask & IB_WQ_STATE ? wq_attr->wq_state : cur_state;
if (cur_state < IB_WQS_RESET || cur_state > IB_WQS_ERR ||
new_state < IB_WQS_RESET || new_state > IB_WQS_ERR)
return -EINVAL;
cur_state = wq_attr->curr_wq_state;
new_state = wq_attr->wq_state;
if ((new_state == IB_WQS_RDY) && (cur_state == IB_WQS_ERR))
return -EINVAL;

6
drivers/infiniband/hw/mlx5/qp.c
View file

@ -5236,10 +5236,8 @@ int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr,
rqc = MLX5_ADDR_OF(modify_rq_in, in, ctx);
curr_wq_state = (wq_attr_mask & IB_WQ_CUR_STATE) ?
wq_attr->curr_wq_state : wq->state;
wq_state = (wq_attr_mask & IB_WQ_STATE) ?
wq_attr->wq_state : curr_wq_state;
curr_wq_state = wq_attr->curr_wq_state;
wq_state = wq_attr->wq_state;
if (curr_wq_state == IB_WQS_ERR)
curr_wq_state = MLX5_RQC_STATE_ERR;
if (wq_state == IB_WQS_ERR)