
RDMA/hns: Remove the duplicate calls to ib_copy_validate_udata_in()

A udata should be read only once per ioctl, not multiple times.
Multiple reads make it unclear what the content is since userspace can
change it between the reads.

Lift the ib_copy_validate_udata_in() out of
alloc_srq_buf()/alloc_srq_db() and into hns_roce_create_srq().

Found by AI.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>

authored by

Jason Gunthorpe and committed by
Leon Romanovsky
fdcbddcd 8e3e07cc

+16 -19
+16 -19
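--- a/drivers/infiniband/hw/hns/hns_roce_srq.c
+++ b/drivers/infiniband/hw/hns/hns_roce_srq.c
@@ -340,22 +340,16 @@
 }
 
 static int alloc_srq_buf(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq,
-struct ib_udata *udata)
+struct ib_udata *udata,
+struct hns_roce_ib_create_srq *ucmd)
 {
-struct hns_roce_ib_create_srq ucmd = {};
 int ret;
 
-if (udata) {
-ret = ib_copy_validate_udata_in(udata, ucmd, que_addr);
-if (ret)
-return ret;
-}
-
-ret = alloc_srq_idx(hr_dev, srq, udata, ucmd.que_addr);
+ret = alloc_srq_idx(hr_dev, srq, udata, ucmd->que_addr);
 if (ret)
 return ret;
 
-ret = alloc_srq_wqe_buf(hr_dev, srq, udata, ucmd.buf_addr);
+ret = alloc_srq_wqe_buf(hr_dev, srq, udata, ucmd->buf_addr);
 if (ret)
 goto err_idx;
 
@@ -398,22 +404,18 @@
 
 static int alloc_srq_db(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq,
 struct ib_udata *udata,
+struct hns_roce_ib_create_srq *ucmd,
 struct hns_roce_ib_create_srq_resp *resp)
 {
-struct hns_roce_ib_create_srq ucmd;
 struct hns_roce_ucontext *uctx;
 int ret;
 
 if (udata) {
-ret = ib_copy_validate_udata_in(udata, ucmd, que_addr);
-if (ret)
-return ret;
-
 if ((hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_SRQ_RECORD_DB) &&
-(ucmd.req_cap_flags & HNS_ROCE_SRQ_CAP_RECORD_DB)) {
+(ucmd->req_cap_flags & HNS_ROCE_SRQ_CAP_RECORD_DB)) {
 uctx = rdma_udata_to_drv_context(udata,
 struct hns_roce_ucontext, ibucontext);
-ret = hns_roce_db_map_user(uctx, ucmd.db_addr,
+ret = hns_roce_db_map_user(uctx, ucmd->db_addr,
 &srq->rdb);
 if (ret)
 return ret;
@@ -438,6 +448,7 @@
 struct hns_roce_dev *hr_dev = to_hr_dev(ib_srq->device);
 struct hns_roce_ib_create_srq_resp resp = {};
 struct hns_roce_srq *srq = to_hr_srq(ib_srq);
+struct hns_roce_ib_create_srq ucmd = {};
 int ret;
 
 mutex_init(&srq->mutex);
@@ -448,11 +457,17 @@
 if (ret)
 goto err_out;
 
-ret = alloc_srq_buf(hr_dev, srq, udata);
+if (udata) {
+ret = ib_copy_validate_udata_in(udata, ucmd, que_addr);
+if (ret)
+goto err_out;
+}
+
+ret = alloc_srq_buf(hr_dev, srq, udata, &ucmd);
 if (ret)
 goto err_out;
 
-ret = alloc_srq_db(hr_dev, srq, udata, &resp);
+ret = alloc_srq_db(hr_dev, srq, udata, &ucmd, &resp);
 if (ret)
 goto err_srq_buf;
 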
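Review bot: The new `ucmd` parameter of alloc_srq_buf() and alloc_srq_db() is only read through in the visible lines, so both signatures should take `const struct hns_roce_ib_create_srq *ucmd`. That lets the compiler enforce that the helpers consume the single validated snapshot and cannot alter it before a later helper reads it. A short comment above the copy in hns_roce_create_srq(), such as `/* Only read of the user command for this call; helpers must use this copy. */`, would keep a future change from reintroducing a second fetch. The step that precedes the copy lies outside the hunk, so whether it also reads from udata cannot be confirmed from here and is worth checking. All three function bodies continue outside the hunks shown.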