aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAmrani, Ram <Ram.Amrani@cavium.com>2017-06-26 12:05:04 -0400
committerDoug Ledford <dledford@redhat.com>2017-07-20 11:20:50 -0400
commitc75d3ec8c0ee469de79ae83c1a827d753603e49f (patch)
tree49ac00312ed0d4af72a8254e95baa98450f3c089
parent720336c42e41a917002fcae3aa14e30f5022bbb7 (diff)
RDMA/qedr: Prevent memory overrun in verbs' user responses
Wrap ib_copy_to_udata with a function that ensures that the data being copied over to user space isn't longer than the allowed. Fixes: cecbcddf6461 ("qedr: Add support for QP verbs") Fixes: a7efd7773e31 ("qedr: Add support for PD,PKEY and CQ verbs") Fixes: ac1b36e55a51 ("qedr: Add support for user context verbs") Signed-off-by: Ram Amrani <Ram.Amrani@cavium.com> Signed-off-by: Doug Ledford <dledford@redhat.com>
Diffstat
-rw-r--r--drivers/infiniband/hw/qedr/verbs.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c
index 548e4d1e998f..2ae71b8f1ba8 100644
--- a/drivers/infiniband/hw/qedr/verbs.c
+++ b/drivers/infiniband/hw/qedr/verbs.c
@@ -53,6 +53,14 @@
53 53
54#define DB_ADDR_SHIFT(addr) ((addr) << DB_PWM_ADDR_OFFSET_SHIFT) 54#define DB_ADDR_SHIFT(addr) ((addr) << DB_PWM_ADDR_OFFSET_SHIFT)
55 55
56static inline int qedr_ib_copy_to_udata(struct ib_udata *udata, void *src,
57 size_t len)
58{
59 size_t min_len = min_t(size_t, len, udata->outlen);
60
61 return ib_copy_to_udata(udata, src, min_len);
62}
63
56int qedr_query_pkey(struct ib_device *ibdev, u8 port, u16 index, u16 *pkey) 64int qedr_query_pkey(struct ib_device *ibdev, u8 port, u16 index, u16 *pkey)
57{ 65{
58 if (index > QEDR_ROCE_PKEY_TABLE_LEN) 66 if (index > QEDR_ROCE_PKEY_TABLE_LEN)
@@ -378,7 +386,7 @@ struct ib_ucontext *qedr_alloc_ucontext(struct ib_device *ibdev,
378 uresp.sges_per_srq_wr = dev->attr.max_srq_sge; 386 uresp.sges_per_srq_wr = dev->attr.max_srq_sge;
379 uresp.max_cqes = QEDR_MAX_CQES; 387 uresp.max_cqes = QEDR_MAX_CQES;
380 388
381 rc = ib_copy_to_udata(udata, &uresp, sizeof(uresp)); 389 rc = qedr_ib_copy_to_udata(udata, &uresp, sizeof(uresp));
382 if (rc) 390 if (rc)
383 goto err; 391 goto err;
384 392
@@ -499,7 +507,7 @@ struct ib_pd *qedr_alloc_pd(struct ib_device *ibdev,
499 507
500 uresp.pd_id = pd_id; 508 uresp.pd_id = pd_id;
501 509
502 rc = ib_copy_to_udata(udata, &uresp, sizeof(uresp)); 510 rc = qedr_ib_copy_to_udata(udata, &uresp, sizeof(uresp));
503 if (rc) { 511 if (rc) {
504 DP_ERR(dev, "copy error pd_id=0x%x.\n", pd_id); 512 DP_ERR(dev, "copy error pd_id=0x%x.\n", pd_id);
505 dev->ops->rdma_dealloc_pd(dev->rdma_ctx, pd_id); 513 dev->ops->rdma_dealloc_pd(dev->rdma_ctx, pd_id);
@@ -729,7 +737,7 @@ static int qedr_copy_cq_uresp(struct qedr_dev *dev,
729 uresp.db_offset = DB_ADDR_SHIFT(DQ_PWM_OFFSET_UCM_RDMA_CQ_CONS_32BIT); 737 uresp.db_offset = DB_ADDR_SHIFT(DQ_PWM_OFFSET_UCM_RDMA_CQ_CONS_32BIT);
730 uresp.icid = cq->icid; 738 uresp.icid = cq->icid;
731 739
732 rc = ib_copy_to_udata(udata, &uresp, sizeof(uresp)); 740 rc = qedr_ib_copy_to_udata(udata, &uresp, sizeof(uresp));
733 if (rc) 741 if (rc)
734 DP_ERR(dev, "copy error cqid=0x%x.\n", cq->icid); 742 DP_ERR(dev, "copy error cqid=0x%x.\n", cq->icid);
735 743
@@ -1238,7 +1246,7 @@ static int qedr_copy_qp_uresp(struct qedr_dev *dev,
1238 uresp.atomic_supported = dev->atomic_cap != IB_ATOMIC_NONE; 1246 uresp.atomic_supported = dev->atomic_cap != IB_ATOMIC_NONE;
1239 uresp.qp_id = qp->qp_id; 1247 uresp.qp_id = qp->qp_id;
1240 1248
1241 rc = ib_copy_to_udata(udata, &uresp, sizeof(uresp)); 1249 rc = qedr_ib_copy_to_udata(udata, &uresp, sizeof(uresp));
1242 if (rc) 1250 if (rc)
1243 DP_ERR(dev, 1251 DP_ERR(dev,
1244 "create qp: failed a copy to user space with qp icid=0x%x.\n", 1252 "create qp: failed a copy to user space with qp icid=0x%x.\n",
generated by cgit v1.2.2 (git 2.25.0) at 2026-04-04 16:12:45 -0400