diff options
Diffstat (limited to 'drivers/infiniband/core/uverbs_main.c')
| -rw-r--r-- | drivers/infiniband/core/uverbs_main.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c index 34386943ebcf..08219fb3338b 100644 --- a/drivers/infiniband/core/uverbs_main.c +++ b/drivers/infiniband/core/uverbs_main.c | |||
| @@ -668,25 +668,30 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf, | |||
| 668 | if ((hdr.in_words + ex_hdr.provider_in_words) * 8 != count) | 668 | if ((hdr.in_words + ex_hdr.provider_in_words) * 8 != count) |
| 669 | return -EINVAL; | 669 | return -EINVAL; |
| 670 | 670 | ||
| 671 | if (ex_hdr.cmd_hdr_reserved) | ||
| 672 | return -EINVAL; | ||
| 673 | |||
| 671 | if (ex_hdr.response) { | 674 | if (ex_hdr.response) { |
| 672 | if (!hdr.out_words && !ex_hdr.provider_out_words) | 675 | if (!hdr.out_words && !ex_hdr.provider_out_words) |
| 673 | return -EINVAL; | 676 | return -EINVAL; |
| 677 | |||
| 678 | if (!access_ok(VERIFY_WRITE, | ||
| 679 | (void __user *) (unsigned long) ex_hdr.response, | ||
| 680 | (hdr.out_words + ex_hdr.provider_out_words) * 8)) | ||
| 681 | return -EFAULT; | ||
| 674 | } else { | 682 | } else { |
| 675 | if (hdr.out_words || ex_hdr.provider_out_words) | 683 | if (hdr.out_words || ex_hdr.provider_out_words) |
| 676 | return -EINVAL; | 684 | return -EINVAL; |
| 677 | } | 685 | } |
| 678 | 686 | ||
| 679 | INIT_UDATA(&ucore, | 687 | INIT_UDATA_BUF_OR_NULL(&ucore, buf, (unsigned long) ex_hdr.response, |
| 680 | (hdr.in_words) ? buf : 0, | 688 | hdr.in_words * 8, hdr.out_words * 8); |
| 681 | (unsigned long)ex_hdr.response, | 689 | |
| 682 | hdr.in_words * 8, | 690 | INIT_UDATA_BUF_OR_NULL(&uhw, |
| 683 | hdr.out_words * 8); | 691 | buf + ucore.inlen, |
| 684 | 692 | (unsigned long) ex_hdr.response + ucore.outlen, | |
| 685 | INIT_UDATA(&uhw, | 693 | ex_hdr.provider_in_words * 8, |
| 686 | (ex_hdr.provider_in_words) ? buf + ucore.inlen : 0, | 694 | ex_hdr.provider_out_words * 8); |
| 687 | (ex_hdr.provider_out_words) ? (unsigned long)ex_hdr.response + ucore.outlen : 0, | ||
| 688 | ex_hdr.provider_in_words * 8, | ||
| 689 | ex_hdr.provider_out_words * 8); | ||
| 690 | 695 | ||
| 691 | err = uverbs_ex_cmd_table[command](file, | 696 | err = uverbs_ex_cmd_table[command](file, |
| 692 | &ucore, | 697 | &ucore, |