Commit f9744288 authored by Leon Romanovsky's avatar Leon Romanovsky Committed by Jason Gunthorpe

RDMA/core: Sanitize WQ state received from the userspace

The mlx4 and mlx5 implemented differently the WQ input checks.  Instead of
duplicating mlx4 logic in the mlx5, let's prepare the input in the central
place.

The mlx5 implementation didn't check for validity of state input.  It is
not real bug because our FW checked that, but still worth to fix.

Fixes: f213c052 ("IB/uverbs: Add WQ support")
Link: https://lore.kernel.org/r/ac41ad6a81b095b1a8ad453dcf62cf8d3c5da779.1621413310.git.leonro@nvidia.comReported-by: default avatarJiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
Signed-off-by: default avatarJason Gunthorpe <jgg@nvidia.com>
parent 0e855847
...@@ -3034,12 +3034,29 @@ static int ib_uverbs_ex_modify_wq(struct uverbs_attr_bundle *attrs) ...@@ -3034,12 +3034,29 @@ static int ib_uverbs_ex_modify_wq(struct uverbs_attr_bundle *attrs)
if (!wq) if (!wq)
return -EINVAL; return -EINVAL;
wq_attr.curr_wq_state = cmd.curr_wq_state;
wq_attr.wq_state = cmd.wq_state;
if (cmd.attr_mask & IB_WQ_FLAGS) { if (cmd.attr_mask & IB_WQ_FLAGS) {
wq_attr.flags = cmd.flags; wq_attr.flags = cmd.flags;
wq_attr.flags_mask = cmd.flags_mask; wq_attr.flags_mask = cmd.flags_mask;
} }
if (cmd.attr_mask & IB_WQ_CUR_STATE) {
if (cmd.curr_wq_state > IB_WQS_ERR)
return -EINVAL;
wq_attr.curr_wq_state = cmd.curr_wq_state;
} else {
wq_attr.curr_wq_state = wq->state;
}
if (cmd.attr_mask & IB_WQ_STATE) {
if (cmd.wq_state > IB_WQS_ERR)
return -EINVAL;
wq_attr.wq_state = cmd.wq_state;
} else {
wq_attr.wq_state = wq_attr.curr_wq_state;
}
ret = wq->device->ops.modify_wq(wq, &wq_attr, cmd.attr_mask, ret = wq->device->ops.modify_wq(wq, &wq_attr, cmd.attr_mask,
&attrs->driver_udata); &attrs->driver_udata);
rdma_lookup_put_uobject(&wq->uobject->uevent.uobject, rdma_lookup_put_uobject(&wq->uobject->uevent.uobject,
......
...@@ -4251,13 +4251,8 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr, ...@@ -4251,13 +4251,8 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr,
if (wq_attr_mask & IB_WQ_FLAGS) if (wq_attr_mask & IB_WQ_FLAGS)
return -EOPNOTSUPP; return -EOPNOTSUPP;
cur_state = wq_attr_mask & IB_WQ_CUR_STATE ? wq_attr->curr_wq_state : cur_state = wq_attr->curr_wq_state;
ibwq->state; new_state = wq_attr->wq_state;
new_state = wq_attr_mask & IB_WQ_STATE ? wq_attr->wq_state : cur_state;
if (cur_state < IB_WQS_RESET || cur_state > IB_WQS_ERR ||
new_state < IB_WQS_RESET || new_state > IB_WQS_ERR)
return -EINVAL;
if ((new_state == IB_WQS_RDY) && (cur_state == IB_WQS_ERR)) if ((new_state == IB_WQS_RDY) && (cur_state == IB_WQS_ERR))
return -EINVAL; return -EINVAL;
......
...@@ -5318,10 +5318,8 @@ int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr, ...@@ -5318,10 +5318,8 @@ int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr,
rqc = MLX5_ADDR_OF(modify_rq_in, in, ctx); rqc = MLX5_ADDR_OF(modify_rq_in, in, ctx);
curr_wq_state = (wq_attr_mask & IB_WQ_CUR_STATE) ? curr_wq_state = wq_attr->curr_wq_state;
wq_attr->curr_wq_state : wq->state; wq_state = wq_attr->wq_state;
wq_state = (wq_attr_mask & IB_WQ_STATE) ?
wq_attr->wq_state : curr_wq_state;
if (curr_wq_state == IB_WQS_ERR) if (curr_wq_state == IB_WQS_ERR)
curr_wq_state = MLX5_RQC_STATE_ERR; curr_wq_state = MLX5_RQC_STATE_ERR;
if (wq_state == IB_WQS_ERR) if (wq_state == IB_WQS_ERR)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment