RDMA/bnxt_re: Add compatibility checks to the uapi path

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Check that the driver data is properly sized and properly zeroed by
calling ib_copy_validate_udata_in().

Use git history to find the commit introducing each req struct and use
that to select the end member.

Link: https://patch.msgid.link/r/8-v3-bd56dd443069+49-bnxt_re_uapi_jgg@nvidia.com
Tested-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
Acked-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

Jason Gunthorpe 3 months ago b33d860a 5ebe8832

+16 -13

1 changed file

expand all

drivers

infiniband

bnxt_re

ib_verbs.c

+16 -13

drivers/infiniband/hw/bnxt_re/ib_verbs.c

··· 1671 1671 qp = container_of(ib_qp, struct bnxt_re_qp, ib_qp); 1672 1672 1673 1673 uctx = rdma_udata_to_drv_context(udata, struct bnxt_re_ucontext, ib_uctx); 1674 - if (udata) 1675 - if (ib_copy_from_udata(&ureq, udata, min(udata->inlen, sizeof(ureq)))) 1676 - return -EFAULT; 1674 + if (udata) { 1675 + rc = ib_copy_validate_udata_in(udata, ureq, qp_handle); 1676 + if (rc) 1677 + return rc; 1678 + } 1677 1679 1678 1680 rc = bnxt_re_test_qp_limits(rdev, qp_init_attr, dev_attr); 1679 1681 if (!rc) { ··· 1865 1863 int bytes = 0; 1866 1864 struct bnxt_re_ucontext *cntx = rdma_udata_to_drv_context( 1867 1865 udata, struct bnxt_re_ucontext, ib_uctx); 1866 + int rc; 1868 1867 1869 - if (ib_copy_from_udata(&ureq, udata, sizeof(ureq))) 1870 - return -EFAULT; 1868 + rc = ib_copy_validate_udata_in(udata, ureq, srq_handle); 1869 + if (rc) 1870 + return rc; 1871 1871 1872 1872 bytes = (qplib_srq->max_wqe * qplib_srq->wqe_size); 1873 1873 bytes = PAGE_ALIGN(bytes); ··· 3181 3177 cq->qplib_cq.sg_info.pgshft = PAGE_SHIFT; 3182 3178 if (udata) { 3183 3179 struct bnxt_re_cq_req req; 3184 - if (ib_copy_from_udata(&req, udata, sizeof(req))) { 3185 - rc = -EFAULT; 3180 + 3181 + rc = ib_copy_validate_udata_in(udata, req, cq_handle); 3182 + if (rc) 3186 3183 goto fail; 3187 - } 3188 3184 3189 3185 cq->umem = ib_umem_get(&rdev->ibdev, req.cq_va, 3190 3186 entries * sizeof(struct cq_base), ··· 3313 3309 entries = dev_attr->max_cq_wqes + 1; 3314 3310 3315 3311 /* uverbs consumer */ 3316 - if (ib_copy_from_udata(&req, udata, sizeof(req))) { 3317 - rc = -EFAULT; 3312 + rc = ib_copy_validate_udata_in(udata, req, cq_va); 3313 + if (rc) 3318 3314 goto fail; 3319 - } 3320 3315 3321 3316 cq->resize_umem = ib_umem_get(&rdev->ibdev, req.cq_va, 3322 3317 entries * sizeof(struct cq_base), ··· 4417 4414 if (_is_modify_qp_rate_limit_supported(dev_attr->dev_cap_flags2)) 4418 4415 resp.comp_mask |= BNXT_RE_UCNTX_CMASK_QP_RATE_LIMIT_ENABLED; 4419 4416 4420 - if (udata->inlen >= sizeof(ureq)) { 4421 - rc = ib_copy_from_udata(&ureq, udata, min(udata->inlen, sizeof(ureq))); 4417 + if (udata->inlen) { 4418 + rc = ib_copy_validate_udata_in(udata, ureq, comp_mask); 4422 4419 if (rc) 4423 4420 goto cfail; 4424 4421 if (ureq.comp_mask & BNXT_RE_COMP_MASK_REQ_UCNTX_POW2_SUPPORT) {

Configure Feed

Configure Feed