From: Leon Romanovsky
To: Doug Ledford, Jason Gunthorpe
Cc: Leon Romanovsky, Jiapeng Chong, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, Yishai Hadas
Subject: [PATCH rdma-rc v1] RDMA/core: Sanitize WQ state received from the userspace
Date: Tue, 18 May 2021 15:58:21 +0300
Message-Id: <0433d8013ed3a2ffdd145244651a5edb2afbd75b.1621342527.git.leonro@nvidia.com>

The mlx4 and mlx5 implemented the WQ input checks differently. Instead of
duplicating mlx4 logic in the mlx5, let's prepare the input in the central
place.

Fixes: f213c0527210 ("IB/uverbs: Add WQ support")
Reported-by: Jiapeng Chong
Signed-off-by: Leon Romanovsky
---
Changelog:
v1:
 * Removed IB_WQS_RESET state checks because it is zero and wq states
   declared as u32, so can't be less than IB_WQS_RESET.
v0: https://lore.kernel.org/lkml/932f87b48c07278730c3c760b3a707d6a984b524.1621332736.git.leonro@nvidia.com
---
 drivers/infiniband/core/uverbs_cmd.c | 21 +++++++++++++++++++--
 drivers/infiniband/hw/mlx4/qp.c      |  9 ++-------
 drivers/infiniband/hw/mlx5/qp.c      |  6 ++----
 3 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index 4f890bff80f8..c6f53d894411 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -3084,12 +3084,29 @@ static int ib_uverbs_ex_modify_wq(struct uverbs_attr_bundle *attrs) if (!wq) return -EINVAL; - wq_attr.curr_wq_state = cmd.curr_wq_state; - wq_attr.wq_state = cmd.wq_state; if (cmd.attr_mask & IB_WQ_FLAGS) { wq_attr.flags = cmd.flags; wq_attr.flags_mask = cmd.flags_mask; } + + if (cmd.attr_mask & IB_WQ_CUR_STATE) { + if (cmd.curr_wq_state > IB_WQS_ERR) + return -EINVAL; + + wq_attr.curr_wq_state = cmd.curr_wq_state; + } else { + wq_attr.curr_wq_state = wq->state; + } + + if (cmd.attr_mask & IB_WQ_STATE) { + if (cmd.wq_state > IB_WQS_ERR) + return -EINVAL; + + wq_attr.wq_state = cmd.wq_state; + } else { + wq_attr.wq_state = wq_attr.curr_wq_state; + } + ret = wq->device->ops.modify_wq(wq, &wq_attr, cmd.attr_mask, &attrs->driver_udata); rdma_lookup_put_uobject(&wq->uobject->uevent.uobject, diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c index 92ddbcc00eb2..2ae22bf50016 100644 --- a/drivers/infiniband/hw/mlx4/qp.c +++ b/drivers/infiniband/hw/mlx4/qp.c @@ -4251,13 +4251,8 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr, if (wq_attr_mask & IB_WQ_FLAGS) return -EOPNOTSUPP; - cur_state = wq_attr_mask & IB_WQ_CUR_STATE ? wq_attr->curr_wq_state : - ibwq->state; - new_state = wq_attr_mask & IB_WQ_STATE ? wq_attr->wq_state : cur_state; - - if (cur_state < IB_WQS_RESET || cur_state > IB_WQS_ERR || - new_state < IB_WQS_RESET || new_state > IB_WQS_ERR) - return -EINVAL; + cur_state = wq_attr->curr_wq_state; + new_state = wq_attr->wq_state; if ((new_state == IB_WQS_RDY) && (cur_state == IB_WQS_ERR)) return -EINVAL; diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c index d984b451c379..becd250388af 100644 --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c 
@@ -5483,10 +5483,8 @@ int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr, rqc = MLX5_ADDR_OF(modify_rq_in, in, ctx); - curr_wq_state = (wq_attr_mask & IB_WQ_CUR_STATE) ? - wq_attr->curr_wq_state : wq->state; - wq_state = (wq_attr_mask & IB_WQ_STATE) ? - wq_attr->wq_state : curr_wq_state; + curr_wq_state = wq_attr->curr_wq_state; + wq_state = wq_attr->wq_state; if (curr_wq_state == IB_WQS_ERR) curr_wq_state = MLX5_RQC_STATE_ERR; if (wq_state == IB_WQS_ERR) -- 2.31.1
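
Review bot: In the drivers/infiniband/core/uverbs_cmd.c hunk, the two new return -EINVAL statements (for cmd.curr_wq_state > IB_WQS_ERR and for cmd.wq_state > IB_WQS_ERR) run after the if (!wq) check and before the rdma_lookup_put_uobject(&wq->uobject->uevent.uobject, ...) call shown in the trailing context, so on invalid input the function leaves without reaching that put. Either validate both cmd fields before the wq lookup, or set ret = -EINVAL and jump to a label placed at the put.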
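
Review bot: In the drivers/infiniband/hw/mlx4/qp.c hunk, cur_state and new_state are now read from wq_attr without consulting IB_WQ_CUR_STATE or IB_WQ_STATE in wq_attr_mask and without the > IB_WQS_ERR bound, so mlx4_ib_modify_wq() is correct only if every caller has already defaulted and range-checked both fields. Nothing in the patch writes that contract down. A comment at these two assignments, or on the modify_wq op, stating that the core fills and validates curr_wq_state and wq_state before calling the driver would keep a later caller from passing raw values.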
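
Review bot: The commit message does not describe the symptom being fixed, and the drivers/infiniband/hw/mlx5/qp.c hunk is where that matters. The lines removed here only selected between wq_attr and wq->state by mask and applied no range check, and the context below translates only IB_WQS_ERR, so as far as these lines show, the new core check is the only bound on the values mlx5 uses. Since the patch carries Fixes: and Reported-by: tags, one sentence on what out-of-range input did before the change would help anyone judging a backport.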