Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp2828972pxv; Mon, 12 Jul 2021 02:59:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwyNmS3V7AuyB3f3HPfPFqtGTDliW43d+9RNBNZhM7mnopisbS+9vWv0PJbXA/+u7oWo1fs X-Received: by 2002:a92:a80e:: with SMTP id o14mr37578617ilh.81.1626083941876; Mon, 12 Jul 2021 02:59:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626083941; cv=none; d=google.com; s=arc-20160816; b=T9vlk3Z4CFKMQ0XspAywfLbna+wrE4t1bAa/0MGk2VwW+ELFyDD3KQNLj0km0izIlg KyBvcCmQNCJEYZo9HSVhZLJn/6jPMd43hylPwS20TisM9Jk+9Vxvk4xNAQRIzaBgzCoH zq1lT5VujN20sOxDN12MmIS5dEcLNwfOADw92lkCKYIOpZYhnyy2Y6JsDiGhBrmar7wI kzamxXrTqGalwtoh30hUx8NWW22QL374gZgjTaSxY1LK0R21QP9kFmP01btwCAMv0Ic5 lSv+Tz80c8neK5Bu1GmVuEyhfYEX4V04CzeKBhqjaRLSxQth372cufaUorjowa8DylaU wWKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=7z1kVvfVO09TtRc3J7H68e4BJl06HCBEbiashpGcWF8=; b=vIdW+rU/aZbFVd4yfdOdIoH/6H0ddW7BEIemTw9iT1ews/j86oveNx9u52JXo/6qAC 5OWUFkI+Fv9jhGndj2aUWA1VBiPcK7G9Ab9+dMrzzphdbMudsfDDFgJNLJp6du8O5aP3 P8CGztJslggvCrWWVU1idY0o3VAi1ZiR0UL54QJwMYcM8GmNADiTAncBn80TIbWJFyRj PMIcbjwonktyUbWhjUf++w9qFf9hML4ktyzmI+cChqUa0CSRlEb+2bP6Q/a5fAlt2gva hZKlhWNP0IbwFNHeqK2XPzy5a+4Kmg9EYohTWwPgdNj8YD+5YNPvP689S4CTIl0G2HgL EbUA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="cyf5hS/x"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b6si18167671ilv.22.2021.07.12.02.58.50; Mon, 12 Jul 2021 02:59:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="cyf5hS/x"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241257AbhGLHB0 (ORCPT + 99 others); Mon, 12 Jul 2021 03:01:26 -0400 Received: from mail.kernel.org ([198.145.29.99]:41250 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239153AbhGLGot (ORCPT ); Mon, 12 Jul 2021 02:44:49 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 05611611CD; Mon, 12 Jul 2021 06:40:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626072053; bh=rKR/EJcxu+a1sOuNFRnuRlLYwjjS1UyUgNprgK+cSYo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cyf5hS/x93KKGWgr/ry/U1lyMgkcMT/cije9nqlTxQPoipSY2aVtb42kRdid+Kajg 5LItkdAVAL22PcNZpmZZFjTHQc/S2z5s8IaAkmBUqBiym2HkSTOsLLgkUfsqcJcOlX 6R539z+dxbE8sStjbp++goYIQb/MyeYsGAoQdov4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jiapeng Chong , Leon Romanovsky , Jason Gunthorpe , Sasha Levin Subject: [PATCH 5.10 332/593] RDMA/core: Sanitize WQ state received from the userspace Date: Mon, 12 Jul 2021 08:08:12 +0200 Message-Id: <20210712060922.351549430@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210712060843.180606720@linuxfoundation.org> References: <20210712060843.180606720@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Leon Romanovsky [ Upstream commit f97442887275d11c88c2899e720fe945c1f61488 ] The mlx4 and mlx5 implemented differently the WQ input checks. Instead of duplicating mlx4 logic in the mlx5, let's prepare the input in the central place. The mlx5 implementation didn't check for validity of state input. It is not real bug because our FW checked that, but still worth to fix. Fixes: f213c0527210 ("IB/uverbs: Add WQ support") Link: https://lore.kernel.org/r/ac41ad6a81b095b1a8ad453dcf62cf8d3c5da779.1621413310.git.leonro@nvidia.com Reported-by: Jiapeng Chong Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin --- drivers/infiniband/core/uverbs_cmd.c | 21 +++++++++++++++++++-- drivers/infiniband/hw/mlx4/qp.c | 9 ++------- drivers/infiniband/hw/mlx5/qp.c | 6 ++---- 3 files changed, 23 insertions(+), 13 deletions(-) diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index 418d133a8fb0..466026825dd7 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -3000,12 +3000,29 @@ static int ib_uverbs_ex_modify_wq(struct uverbs_attr_bundle *attrs) if (!wq) return -EINVAL; - wq_attr.curr_wq_state = cmd.curr_wq_state; - wq_attr.wq_state = cmd.wq_state; if (cmd.attr_mask & IB_WQ_FLAGS) { wq_attr.flags = cmd.flags; wq_attr.flags_mask = cmd.flags_mask; } + + if (cmd.attr_mask & IB_WQ_CUR_STATE) { + if (cmd.curr_wq_state > IB_WQS_ERR) + return -EINVAL; + + wq_attr.curr_wq_state = cmd.curr_wq_state; + } else { + wq_attr.curr_wq_state = wq->state; + } + + if (cmd.attr_mask & IB_WQ_STATE) { + if (cmd.wq_state > IB_WQS_ERR) + return -EINVAL; + + wq_attr.wq_state = cmd.wq_state; + } else { + wq_attr.wq_state = wq_attr.curr_wq_state; + } + ret = wq->device->ops.modify_wq(wq, &wq_attr, cmd.attr_mask, &attrs->driver_udata); rdma_lookup_put_uobject(&wq->uobject->uevent.uobject, diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c index 5cb8e602294c..6bc0818f4b2c 100644 --- a/drivers/infiniband/hw/mlx4/qp.c +++ b/drivers/infiniband/hw/mlx4/qp.c @@ -4244,13 +4244,8 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr, if (wq_attr_mask & IB_WQ_FLAGS) return -EOPNOTSUPP; - cur_state = wq_attr_mask & IB_WQ_CUR_STATE ? wq_attr->curr_wq_state : - ibwq->state; - new_state = wq_attr_mask & IB_WQ_STATE ? wq_attr->wq_state : cur_state; - - if (cur_state < IB_WQS_RESET || cur_state > IB_WQS_ERR || - new_state < IB_WQS_RESET || new_state > IB_WQS_ERR) - return -EINVAL; + cur_state = wq_attr->curr_wq_state; + new_state = wq_attr->wq_state; if ((new_state == IB_WQS_RDY) && (cur_state == IB_WQS_ERR)) return -EINVAL; diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c index 6d2715f65d78..8beba002e5dd 100644 --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -5236,10 +5236,8 @@ int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr, rqc = MLX5_ADDR_OF(modify_rq_in, in, ctx); - curr_wq_state = (wq_attr_mask & IB_WQ_CUR_STATE) ? - wq_attr->curr_wq_state : wq->state; - wq_state = (wq_attr_mask & IB_WQ_STATE) ? - wq_attr->wq_state : curr_wq_state; + curr_wq_state = wq_attr->curr_wq_state; + wq_state = wq_attr->wq_state; if (curr_wq_state == IB_WQS_ERR) curr_wq_state = MLX5_RQC_STATE_ERR; if (wq_state == IB_WQS_ERR) -- 2.30.2