diff options
| author | Adit Ranadive <aditr@vmware.com> | 2018-02-15 15:36:46 -0500 |
|---|---|---|
| committer | Jason Gunthorpe <jgg@mellanox.com> | 2018-02-15 17:31:28 -0500 |
| commit | 1f5a6c47aabc4606f91ad2e6ef71a1ff1924101c (patch) | |
| tree | 32702e16752acbfb40b5cc00df09c1685039cece | |
| parent | 5d4c05c3ee36f67ddc107ab5ea0898af01a62cc1 (diff) | |
RDMA/vmw_pvrdma: Fix usage of user response structures in ABI file
This ensures that we return the right structures back to userspace.
Otherwise, it looks like the reserved fields in the response structures
in userspace might have uninitialized data in them.
Fixes: 8b10ba783c9d ("RDMA/vmw_pvrdma: Add shared receive queue support")
Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver")
Suggested-by: Jason Gunthorpe <jgg@mellanox.com>
Reviewed-by: Bryan Tan <bryantan@vmware.com>
Reviewed-by: Aditya Sarwade <asarwade@vmware.com>
Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
Signed-off-by: Adit Ranadive <aditr@vmware.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
| -rw-r--r-- | drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c | 4 | ||||
| -rw-r--r-- | drivers/infiniband/hw/vmw_pvrdma/pvrdma_srq.c | 4 | ||||
| -rw-r--r-- | drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c | 4 |
3 files changed, 9 insertions, 3 deletions
diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c index faa9478c14a6..f95b97646c25 100644 --- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c +++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c | |||
| @@ -114,6 +114,7 @@ struct ib_cq *pvrdma_create_cq(struct ib_device *ibdev, | |||
| 114 | union pvrdma_cmd_resp rsp; | 114 | union pvrdma_cmd_resp rsp; |
| 115 | struct pvrdma_cmd_create_cq *cmd = &req.create_cq; | 115 | struct pvrdma_cmd_create_cq *cmd = &req.create_cq; |
| 116 | struct pvrdma_cmd_create_cq_resp *resp = &rsp.create_cq_resp; | 116 | struct pvrdma_cmd_create_cq_resp *resp = &rsp.create_cq_resp; |
| 117 | struct pvrdma_create_cq_resp cq_resp = {0}; | ||
| 117 | struct pvrdma_create_cq ucmd; | 118 | struct pvrdma_create_cq ucmd; |
| 118 | 119 | ||
| 119 | BUILD_BUG_ON(sizeof(struct pvrdma_cqe) != 64); | 120 | BUILD_BUG_ON(sizeof(struct pvrdma_cqe) != 64); |
| @@ -197,6 +198,7 @@ struct ib_cq *pvrdma_create_cq(struct ib_device *ibdev, | |||
| 197 | 198 | ||
| 198 | cq->ibcq.cqe = resp->cqe; | 199 | cq->ibcq.cqe = resp->cqe; |
| 199 | cq->cq_handle = resp->cq_handle; | 200 | cq->cq_handle = resp->cq_handle; |
| 201 | cq_resp.cqn = resp->cq_handle; | ||
| 200 | spin_lock_irqsave(&dev->cq_tbl_lock, flags); | 202 | spin_lock_irqsave(&dev->cq_tbl_lock, flags); |
| 201 | dev->cq_tbl[cq->cq_handle % dev->dsr->caps.max_cq] = cq; | 203 | dev->cq_tbl[cq->cq_handle % dev->dsr->caps.max_cq] = cq; |
| 202 | spin_unlock_irqrestore(&dev->cq_tbl_lock, flags); | 204 | spin_unlock_irqrestore(&dev->cq_tbl_lock, flags); |
| @@ -205,7 +207,7 @@ struct ib_cq *pvrdma_create_cq(struct ib_device *ibdev, | |||
| 205 | cq->uar = &(to_vucontext(context)->uar); | 207 | cq->uar = &(to_vucontext(context)->uar); |
| 206 | 208 | ||
| 207 | /* Copy udata back. */ | 209 | /* Copy udata back. */ |
| 208 | if (ib_copy_to_udata(udata, &cq->cq_handle, sizeof(__u32))) { | 210 | if (ib_copy_to_udata(udata, &cq_resp, sizeof(cq_resp))) { |
| 209 | dev_warn(&dev->pdev->dev, | 211 | dev_warn(&dev->pdev->dev, |
| 210 | "failed to copy back udata\n"); | 212 | "failed to copy back udata\n"); |
| 211 | pvrdma_destroy_cq(&cq->ibcq); | 213 | pvrdma_destroy_cq(&cq->ibcq); |
diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_srq.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_srq.c index 5acebb1ef631..af235967a9c2 100644 --- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_srq.c +++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_srq.c | |||
| @@ -113,6 +113,7 @@ struct ib_srq *pvrdma_create_srq(struct ib_pd *pd, | |||
| 113 | union pvrdma_cmd_resp rsp; | 113 | union pvrdma_cmd_resp rsp; |
| 114 | struct pvrdma_cmd_create_srq *cmd = &req.create_srq; | 114 | struct pvrdma_cmd_create_srq *cmd = &req.create_srq; |
| 115 | struct pvrdma_cmd_create_srq_resp *resp = &rsp.create_srq_resp; | 115 | struct pvrdma_cmd_create_srq_resp *resp = &rsp.create_srq_resp; |
| 116 | struct pvrdma_create_srq_resp srq_resp = {0}; | ||
| 116 | struct pvrdma_create_srq ucmd; | 117 | struct pvrdma_create_srq ucmd; |
| 117 | unsigned long flags; | 118 | unsigned long flags; |
| 118 | int ret; | 119 | int ret; |
| @@ -204,12 +205,13 @@ struct ib_srq *pvrdma_create_srq(struct ib_pd *pd, | |||
| 204 | } | 205 | } |
| 205 | 206 | ||
| 206 | srq->srq_handle = resp->srqn; | 207 | srq->srq_handle = resp->srqn; |
| 208 | srq_resp.srqn = resp->srqn; | ||
| 207 | spin_lock_irqsave(&dev->srq_tbl_lock, flags); | 209 | spin_lock_irqsave(&dev->srq_tbl_lock, flags); |
| 208 | dev->srq_tbl[srq->srq_handle % dev->dsr->caps.max_srq] = srq; | 210 | dev->srq_tbl[srq->srq_handle % dev->dsr->caps.max_srq] = srq; |
| 209 | spin_unlock_irqrestore(&dev->srq_tbl_lock, flags); | 211 | spin_unlock_irqrestore(&dev->srq_tbl_lock, flags); |
| 210 | 212 | ||
| 211 | /* Copy udata back. */ | 213 | /* Copy udata back. */ |
| 212 | if (ib_copy_to_udata(udata, &srq->srq_handle, sizeof(__u32))) { | 214 | if (ib_copy_to_udata(udata, &srq_resp, sizeof(srq_resp))) { |
| 213 | dev_warn(&dev->pdev->dev, "failed to copy back udata\n"); | 215 | dev_warn(&dev->pdev->dev, "failed to copy back udata\n"); |
| 214 | pvrdma_destroy_srq(&srq->ibsrq); | 216 | pvrdma_destroy_srq(&srq->ibsrq); |
| 215 | return ERR_PTR(-EINVAL); | 217 | return ERR_PTR(-EINVAL); |
diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c index 16b96616ef7e..a51463cd2f37 100644 --- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c +++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c | |||
| @@ -447,6 +447,7 @@ struct ib_pd *pvrdma_alloc_pd(struct ib_device *ibdev, | |||
| 447 | union pvrdma_cmd_resp rsp; | 447 | union pvrdma_cmd_resp rsp; |
| 448 | struct pvrdma_cmd_create_pd *cmd = &req.create_pd; | 448 | struct pvrdma_cmd_create_pd *cmd = &req.create_pd; |
| 449 | struct pvrdma_cmd_create_pd_resp *resp = &rsp.create_pd_resp; | 449 | struct pvrdma_cmd_create_pd_resp *resp = &rsp.create_pd_resp; |
| 450 | struct pvrdma_alloc_pd_resp pd_resp = {0}; | ||
| 450 | int ret; | 451 | int ret; |
| 451 | void *ptr; | 452 | void *ptr; |
| 452 | 453 | ||
| @@ -475,9 +476,10 @@ struct ib_pd *pvrdma_alloc_pd(struct ib_device *ibdev, | |||
| 475 | pd->privileged = !context; | 476 | pd->privileged = !context; |
| 476 | pd->pd_handle = resp->pd_handle; | 477 | pd->pd_handle = resp->pd_handle; |
| 477 | pd->pdn = resp->pd_handle; | 478 | pd->pdn = resp->pd_handle; |
| 479 | pd_resp.pdn = resp->pd_handle; | ||
| 478 | 480 | ||
| 479 | if (context) { | 481 | if (context) { |
| 480 | if (ib_copy_to_udata(udata, &pd->pdn, sizeof(__u32))) { | 482 | if (ib_copy_to_udata(udata, &pd_resp, sizeof(pd_resp))) { |
| 481 | dev_warn(&dev->pdev->dev, | 483 | dev_warn(&dev->pdev->dev, |
| 482 | "failed to copy back protection domain\n"); | 484 | "failed to copy back protection domain\n"); |
| 483 | pvrdma_dealloc_pd(&pd->ibpd); | 485 | pvrdma_dealloc_pd(&pd->ibpd); |