Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp2709714pxv; Sun, 11 Jul 2021 23:26:23 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxZUisHHOb0YEUN1mMOPAbxo8vU9eA0epghR5MkAVH2aeHZmgIDdSUqpTTXkXs9W8q+8or4 X-Received: by 2002:a92:ddc3:: with SMTP id d3mr37985573ilr.190.1626071183774; Sun, 11 Jul 2021 23:26:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626071183; cv=none; d=google.com; s=arc-20160816; b=aWWBdkDklWJNLSu1O/cPNg4slEwSGH8duJNuKw3nLRiCk4W2u9wPWwUF/z/W1mVrY8 zWM+H9OwW5jukYruVQ0FWBlMgQDLSlAEMFJa+tsfzjUtwNmlCWjPKBJSq+w/uX0etYpY a6K5TsjWz+tWuh9lo+NjJi7epKzgwtd/oZk+dFIzmRhDKtUVmwHjeuj52FbltWaSSmmD gSwSV1NhlResRcKrWjy8pKhxHv82UHyZDYQz6dHoaAUcAEdJEy1LVuAxSU+NbX+RkoFi Sjj2H+oXye60CY2Dhi3bmpCHHHzgaGBlS73ggylEWXDcmFTIaZXJyPLZ6T3oYgThI4iI LrPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=i+qEBTxR8s964bD3kmXLJZNYVW64jXq6wFTMv3783Sg=; b=GaiN17nJCGS/WgGw+K8jT6Y6I2jlscq3IQ6DH+ZTVGrMk8+ehKhh8GqsvMxyCvDhuv nIGcJLsC4FeV0yBtiV76yFIYl4ffbhS6WgHt7QRyhs4Y3KKXiEW2BSOLoymoKnuKgD5y dK3l3v5rsf1/ldWBrNiJSuRpOwSwL8Nzz78jMFAjnFlASizX2bBBQzhM/jREhA+wdgzt C2vomG5V941E9rseyrxZ4hC1kfrpYQcKntDG6mz1V6Bp6C4u6fA/YQKFx2bYzAVKNgxB 8rSnlaMJKTbzR6OkxBZ3MnPxBcLnHqVM3hLLblbcWW62Z5ndEz5KDnbdwVJlDOj9TYLd bRoQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Sz2Kh8w8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o8si7372238ilu.107.2021.07.11.23.26.12; Sun, 11 Jul 2021 23:26:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Sz2Kh8w8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234728AbhGLG23 (ORCPT + 99 others); Mon, 12 Jul 2021 02:28:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:39276 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234052AbhGLGYu (ORCPT ); Mon, 12 Jul 2021 02:24:50 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 6BD8761179; Mon, 12 Jul 2021 06:21:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626070919; bh=Rn2aLCiYu42FhpI76z6qDscvRgs27PmEWK2Q/GQXRv4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Sz2Kh8w88V8p0tlQhKOlFK1zvaw3O7H/rpJkbdLJuAwG4KLvKfxqJgaOT+/IydDwR MN2qrE7oivl9B6VGGXAN9+xAz2GxG5jnVhH5Ba0HS2pJdyNNAfFh0Q02JlGrdZ+hFG dF2PyMJQZdmvgoweoUuTCDdjh64vf56EihLheivY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jiapeng Chong , Leon Romanovsky , Jason Gunthorpe , Sasha Levin Subject: [PATCH 5.4 196/348] RDMA/core: Sanitize WQ state received from the userspace Date: Mon, 12 Jul 2021 08:09:40 +0200 Message-Id: <20210712060727.182663734@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210712060659.886176320@linuxfoundation.org> References: <20210712060659.886176320@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Leon Romanovsky [ Upstream commit f97442887275d11c88c2899e720fe945c1f61488 ] The mlx4 and mlx5 implemented differently the WQ input checks. Instead of duplicating mlx4 logic in the mlx5, let's prepare the input in the central place. The mlx5 implementation didn't check for validity of state input. It is not real bug because our FW checked that, but still worth to fix. Fixes: f213c0527210 ("IB/uverbs: Add WQ support") Link: https://lore.kernel.org/r/ac41ad6a81b095b1a8ad453dcf62cf8d3c5da779.1621413310.git.leonro@nvidia.com Reported-by: Jiapeng Chong Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin --- drivers/infiniband/core/uverbs_cmd.c | 21 +++++++++++++++++++-- drivers/infiniband/hw/mlx4/qp.c | 9 ++------- drivers/infiniband/hw/mlx5/qp.c | 6 ++---- 3 files changed, 23 insertions(+), 13 deletions(-) diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index c398d1a64614..d413dafb9211 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -3031,12 +3031,29 @@ static int ib_uverbs_ex_modify_wq(struct uverbs_attr_bundle *attrs) if (!wq) return -EINVAL; - wq_attr.curr_wq_state = cmd.curr_wq_state; - wq_attr.wq_state = cmd.wq_state; if (cmd.attr_mask & IB_WQ_FLAGS) { wq_attr.flags = cmd.flags; wq_attr.flags_mask = cmd.flags_mask; } + + if (cmd.attr_mask & IB_WQ_CUR_STATE) { + if (cmd.curr_wq_state > IB_WQS_ERR) + return -EINVAL; + + wq_attr.curr_wq_state = cmd.curr_wq_state; + } else { + wq_attr.curr_wq_state = wq->state; + } + + if (cmd.attr_mask & IB_WQ_STATE) { + if (cmd.wq_state > IB_WQS_ERR) + return -EINVAL; + + wq_attr.wq_state = cmd.wq_state; + } else { + wq_attr.wq_state = wq_attr.curr_wq_state; + } + ret = wq->device->ops.modify_wq(wq, &wq_attr, cmd.attr_mask, &attrs->driver_udata); uobj_put_obj_read(wq); diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c index 6e2b3e2f83f1..17ce928e41bd 100644 --- a/drivers/infiniband/hw/mlx4/qp.c +++ b/drivers/infiniband/hw/mlx4/qp.c @@ -4294,13 +4294,8 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr, if (wq_attr_mask & IB_WQ_FLAGS) return -EOPNOTSUPP; - cur_state = wq_attr_mask & IB_WQ_CUR_STATE ? wq_attr->curr_wq_state : - ibwq->state; - new_state = wq_attr_mask & IB_WQ_STATE ? wq_attr->wq_state : cur_state; - - if (cur_state < IB_WQS_RESET || cur_state > IB_WQS_ERR || - new_state < IB_WQS_RESET || new_state > IB_WQS_ERR) - return -EINVAL; + cur_state = wq_attr->curr_wq_state; + new_state = wq_attr->wq_state; if ((new_state == IB_WQS_RDY) && (cur_state == IB_WQS_ERR)) return -EINVAL; diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c index 09e29c6cb66d..4540835e05bd 100644 --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -6317,10 +6317,8 @@ int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr, rqc = MLX5_ADDR_OF(modify_rq_in, in, ctx); - curr_wq_state = (wq_attr_mask & IB_WQ_CUR_STATE) ? - wq_attr->curr_wq_state : wq->state; - wq_state = (wq_attr_mask & IB_WQ_STATE) ? - wq_attr->wq_state : curr_wq_state; + curr_wq_state = wq_attr->curr_wq_state; + wq_state = wq_attr->wq_state; if (curr_wq_state == IB_WQS_ERR) curr_wq_state = MLX5_RQC_STATE_ERR; if (wq_state == IB_WQS_ERR) -- 2.30.2