Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3320791imu; Sun, 11 Nov 2018 12:18:30 -0800 (PST) X-Google-Smtp-Source: AJdET5cbIemLxbsIRAZDpyDr1W8XIWb0nS2Ut+B3IHSOV+lxXGHjHMTyLqYKUlBhxrZlmcWqAzQI X-Received: by 2002:a65:4946:: with SMTP id q6mr7843644pgs.201.1541967510603; Sun, 11 Nov 2018 12:18:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541967510; cv=none; d=google.com; s=arc-20160816; b=E3qU0Blte7gIPMgTfBODAc3HYAkhZTYjPAia+xFVLKTpkv4v9W872hO6U9B2fIghaE IbKkPWKHb8E0bji5hEFMcodlcPGA8PMUWHwvfeKH5oGxpJ3V7mfc6nCS6v6AzR5yBvl6 pJJ9BjWpQ8bZqCgIR8JvIGS69DjKOw7EMZ05VUUF3yzqF/rInxo9SyCp/uRp/0ENYcIO Tr8TZy3GBipN54VNxhzQ3HGPgNN3Bn1f+SuB+Er3ZTc3tF0CPtHZkwFe4AiJc/hkPaZ9 qTJyiWv+RjvLf4cOJ3I7TSurejAgbYOp7UIcDNgvuLmruDyqD/PgXSKfyVSxccs0+vSc Bt2A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=aSKmmUTSs71ARG9KIaisN4EhoTxZWZTLRDmAIOCTlCQ=; b=YZMOqjRboZj384/cXC7WnZE2uUzezZjZWqyWIBVjIGkTx0/eaga/Dg58Nae181CgvJ wpsG80tHqut1NwBd1s340WzDKVkjn2mm27PGKI0X2XY4a4vdEew8EhPrCsHJ7o/PEyUa YfxCf0tN2RYCtAZ5J3auystsRXFbulSCyqL/cJ9rQs8RPiutW/yXCoNg+lQQzElwDnDR bfXMb/Mp+ueuMZ8CtGlz1WkdN+XdWZRBXQZf7rTZDklySQ1CjFjK866h2Ce1hcBnyEJp Gg58w7gIuq+q+c7v4AhAXNhxkRAwkT9uVQo5c/ct0qwnTvc8h9nCRC4k47to8xDsETSx UMcg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n5-v6si15792986pfb.88.2018.11.11.12.18.15; Sun, 11 Nov 2018 12:18:30 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731951AbeKLGGN (ORCPT + 99 others); Mon, 12 Nov 2018 01:06:13 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:53206 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730491AbeKLGGM (ORCPT ); Mon, 12 Nov 2018 01:06:12 -0500 Received: from [192.168.4.242] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1gLvst-0000l5-Jm; Sun, 11 Nov 2018 19:59:03 +0000 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1gLvsV-0001fd-D1; Sun, 11 Nov 2018 19:58:39 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Jason Gunthorpe" , "Leon Romanovsky" , "Ran Rozenstein" Date: Sun, 11 Nov 2018 19:49:05 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 224/366] RDMA/uverbs: Don't fail in creation of multiple flows In-Reply-To: X-SA-Exim-Connect-IP: 192.168.4.242 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.61-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Leon Romanovsky commit fe48aecb4df837540f13b5216f27ddb306aaf4b9 upstream. The conversion from offsetof() calculations to sizeof() wrongly behaved for missed exact size and in scenario with more than one flow. In such scenario we got "create flow failed, flow 10: 8 bytes left from uverb cmd" error, which is wrong because the size of kern_spec is exactly 8 bytes, and we were not supposed to fail. Fixes: 4fae7f170416 ("RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow") Reported-by: Ran Rozenstein Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Ben Hutchings --- drivers/infiniband/core/uverbs_cmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -2761,7 +2761,7 @@ int ib_uverbs_ex_create_flow(struct ib_u kern_spec = kern_flow_attr->flow_specs; ib_spec = flow_attr + 1; for (i = 0; i < flow_attr->num_of_specs && - cmd.flow_attr.size > sizeof(*kern_spec) && + cmd.flow_attr.size >= sizeof(*kern_spec) && cmd.flow_attr.size >= kern_spec->size; i++) { err = kern_spec_to_ib_spec(