RDMA/uverbs: Do not check the input length on create_cq/qp paths

If the user did not provide a long enough command buffer then the missing bytes are forced to zero. There is no reason to check the length if a zero value is OK. Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> Signed-off-by: Leon Romanovsky <leonro@mellanox.com> Signed-off-by: Doug Ledford <dledford@redhat.com>

RDMA/uverbs: Do not check the input length on create_cq/qp paths
If the user did not provide a long enough command buffer then the missing bytes are forced to zero. There is no reason to check the length if a zero value is OK. Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> Signed-off-by: Leon Romanovsky <leonro@mellanox.com> Signed-off-by: Doug Ledford <dledford@redhat.com>
ece9ca97 · Jason Gunthorpe · Doug Ledford · c3bea3d2 · ece9ca97
Commit ece9ca97 authored Nov 25, 2018 by Jason Gunthorpe Committed by Doug Ledford Dec 03, 2018
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 29 deletions

drivers/infiniband/core/uverbs_cmd.c drivers/infiniband/core/uverbs_cmd.c +9 -29

No files found.
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1018,8 +1018,7 @@ static int ib_uverbs_create_comp_channel(struct uverbs_attr_bundle *attrs,
 }
 static struct ib_ucq_object *create_cq(struct uverbs_attr_bundle *attrs,
-				       struct ib_uverbs_ex_create_cq *cmd,
+				       struct ib_uverbs_ex_create_cq *cmd)
-				       size_t cmd_sz)
 {
 	struct ib_ucq_object           *obj;
 	struct ib_uverbs_completion_event_file    *ev_file = NULL;
@@ -1053,8 +1052,6 @@ static struct ib_ucq_object *create_cq(struct uverbs_attr_bundle *attrs,
 	attr.cqe = cmd->cqe;
 	attr.comp_vector = cmd->comp_vector;
-	if (cmd_sz > offsetof(typeof(*cmd), flags) + sizeof(cmd->flags))
 	attr.flags = cmd->flags;
 	cq = ib_dev->create_cq(ib_dev, &attr, obj->uobject.context,
@@ -1120,9 +1117,7 @@ static int ib_uverbs_create_cq(struct uverbs_attr_bundle *attrs,
 	cmd_ex.comp_vector = cmd.comp_vector;
 	cmd_ex.comp_channel = cmd.comp_channel;
-	obj = create_cq(attrs, &cmd_ex,
+	obj = create_cq(attrs, &cmd_ex);
-			offsetof(typeof(cmd_ex), comp_channel) +
-				sizeof(cmd.comp_channel));
 	return PTR_ERR_OR_ZERO(obj);
 }
@@ -1143,7 +1138,7 @@ static int ib_uverbs_ex_create_cq(struct uverbs_attr_bundle *attrs,
 	if (cmd.reserved)
 		return -EINVAL;
-	obj = create_cq(attrs, &cmd, min(ucore->inlen, sizeof(cmd)));
+	obj = create_cq(attrs, &cmd);
 	return PTR_ERR_OR_ZERO(obj);
 }
@@ -1309,7 +1304,7 @@ static int ib_uverbs_destroy_cq(struct uverbs_attr_bundle *attrs,
 }
 static int create_qp(struct uverbs_attr_bundle *attrs,
-		     struct ib_uverbs_ex_create_qp *cmd, size_t cmd_sz)
+		     struct ib_uverbs_ex_create_qp *cmd)
 {
 	struct ib_uqp_object		*obj;
 	struct ib_device		*device;
@@ -1319,7 +1314,6 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 	struct ib_cq			*scq = NULL, *rcq = NULL;
 	struct ib_srq			*srq = NULL;
 	struct ib_qp			*qp;
-	char				*buf;
 	struct ib_qp_init_attr		attr = {};
 	struct ib_uverbs_ex_create_qp_resp resp;
 	int				ret;
@@ -1338,9 +1332,7 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 	obj->uevent.uobject.user_handle = cmd->user_handle;
 	mutex_init(&obj->mcast_lock);
-	if (cmd_sz >= offsetof(typeof(*cmd), rwq_ind_tbl_handle) +
+	if (cmd->comp_mask & IB_UVERBS_CREATE_QP_MASK_IND_TABLE) {
-		      sizeof(cmd->rwq_ind_tbl_handle) &&
-		      (cmd->comp_mask & IB_UVERBS_CREATE_QP_MASK_IND_TABLE)) {
 		ind_tbl = uobj_get_obj_read(rwq_ind_table,
 					    UVERBS_OBJECT_RWQ_IND_TBL,
 					    cmd->rwq_ind_tbl_handle, attrs);
@@ -1438,10 +1430,7 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 	INIT_LIST_HEAD(&obj->uevent.event_list);
 	INIT_LIST_HEAD(&obj->mcast_list);
-	if (cmd_sz >= offsetof(typeof(*cmd), create_flags) +
-		      sizeof(cmd->create_flags))
 	attr.create_flags = cmd->create_flags;
 	if (attr.create_flags & ~(IB_QP_CREATE_BLOCK_MULTICAST_LOOPBACK |
 				IB_QP_CREATE_CROSS_CHANNEL |
 				IB_QP_CREATE_MANAGED_SEND |
@@ -1463,14 +1452,6 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 		attr.source_qpn = cmd->source_qpn;
 	}
-	buf = (void *)cmd + sizeof(*cmd);
-	if (cmd_sz > sizeof(*cmd))
-		if (!(buf[0] == 0 && !memcmp(buf, buf + 1,
-					     cmd_sz - sizeof(*cmd) - 1))) {
-			ret = -EINVAL;
-			goto err_put;
-		}
 	if (cmd->qp_type == IB_QPT_XRC_TGT)
 		qp = ib_create_qp(pd, &attr);
 	else
@@ -1594,8 +1575,7 @@ static int ib_uverbs_create_qp(struct uverbs_attr_bundle *attrs,
 	cmd_ex.qp_type = cmd.qp_type;
 	cmd_ex.is_srq = cmd.is_srq;
-	return create_qp(attrs, &cmd_ex,
+	return create_qp(attrs, &cmd_ex);
-			 offsetof(typeof(cmd_ex), is_srq) + sizeof(cmd.is_srq));
 }
 static int ib_uverbs_ex_create_qp(struct uverbs_attr_bundle *attrs,
@@ -1614,7 +1594,7 @@ static int ib_uverbs_ex_create_qp(struct uverbs_attr_bundle *attrs,
 	if (cmd.reserved)
 		return -EINVAL;
-	return create_qp(attrs, &cmd, min(ucore->inlen, sizeof(cmd)));
+	return create_qp(attrs, &cmd);
 }
 static int ib_uverbs_open_qp(struct uverbs_attr_bundle *attrs,