Skip to content

Commit 54b3bce

Browse files
jgunthorperleon
jgunthorpe
authored and
rleon
committed
RDMA: Use ib_copy_validate_udata_in() for implicit full structs
All of these cases have git blames that say the entire current struct was introduced at once, so the last member is the right choice. Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
1 parent e910d98 commit 54b3bce

8 files changed

Lines changed: 45 additions & 52 deletions

File tree

drivers/infiniband/hw/erdma/erdma_verbs.c

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1039,8 +1039,7 @@ int erdma_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *attrs,
10391039
qp->attrs.rq_size = roundup_pow_of_two(attrs->cap.max_recv_wr);
10401040

10411041
if (uctx) {
1042-
ret = ib_copy_from_udata(&ureq, udata,
1043-
min(sizeof(ureq), udata->inlen));
1042+
ret = ib_copy_validate_udata_in(udata, ureq, rsvd0);
10441043
if (ret)
10451044
goto err_out_xa;
10461045

@@ -1980,8 +1979,7 @@ int erdma_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
19801979
struct erdma_ureq_create_cq ureq;
19811980
struct erdma_uresp_create_cq uresp;
19821981

1983-
ret = ib_copy_from_udata(&ureq, udata,
1984-
min(udata->inlen, sizeof(ureq)));
1982+
ret = ib_copy_validate_udata_in(udata, ureq, rsvd0);
19851983
if (ret)
19861984
goto err_out_xa;
19871985

drivers/infiniband/hw/ionic/ionic_controlpath.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -373,7 +373,7 @@ int ionic_alloc_ucontext(struct ib_ucontext *ibctx, struct ib_udata *udata)
373373
phys_addr_t db_phys = 0;
374374
int rc;
375375

376-
rc = ib_copy_from_udata(&req, udata, sizeof(req));
376+
rc = ib_copy_validate_udata_in(udata, req, rsvd);
377377
if (rc)
378378
return rc;
379379

@@ -1225,7 +1225,7 @@ int ionic_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
12251225
int udma_idx = 0, rc;
12261226

12271227
if (udata) {
1228-
rc = ib_copy_from_udata(&req, udata, sizeof(req));
1228+
rc = ib_copy_validate_udata_in(udata, req, rsvd);
12291229
if (rc)
12301230
return rc;
12311231
}
@@ -2154,7 +2154,7 @@ int ionic_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *attr,
21542154
int rc;
21552155

21562156
if (udata) {
2157-
rc = ib_copy_from_udata(&req, udata, sizeof(req));
2157+
rc = ib_copy_validate_udata_in(udata, req, rsvd);
21582158
if (rc)
21592159
return rc;
21602160
} else {

drivers/infiniband/hw/mthca/mthca_provider.c

Lines changed: 16 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -402,8 +402,9 @@ static int mthca_create_srq(struct ib_srq *ibsrq,
402402
return -EOPNOTSUPP;
403403

404404
if (udata) {
405-
if (ib_copy_from_udata(&ucmd, udata, sizeof(ucmd)))
406-
return -EFAULT;
405+
err = ib_copy_validate_udata_in(udata, ucmd, db_page);
406+
if (err)
407+
return err;
407408

408409
err = mthca_map_user_db(to_mdev(ibsrq->device), &context->uar,
409410
context->db_tab, ucmd.db_index,
@@ -472,8 +473,9 @@ static int mthca_create_qp(struct ib_qp *ibqp,
472473
case IB_QPT_UD:
473474
{
474475
if (udata) {
475-
if (ib_copy_from_udata(&ucmd, udata, sizeof(ucmd)))
476-
return -EFAULT;
476+
err = ib_copy_validate_udata_in(udata, ucmd, rq_db_index);
477+
if (err)
478+
return err;
477479

478480
err = mthca_map_user_db(dev, &context->uar,
479481
context->db_tab,
@@ -594,8 +596,9 @@ static int mthca_create_cq(struct ib_cq *ibcq,
594596
return -EINVAL;
595597

596598
if (udata) {
597-
if (ib_copy_from_udata(&ucmd, udata, sizeof(ucmd)))
598-
return -EFAULT;
599+
err = ib_copy_validate_udata_in(udata, ucmd, set_db_index);
600+
if (err)
601+
return err;
599602

600603
err = mthca_map_user_db(to_mdev(ibdev), &context->uar,
601604
context->db_tab, ucmd.set_db_index,
@@ -721,10 +724,9 @@ static int mthca_resize_cq(struct ib_cq *ibcq, unsigned int entries,
721724
goto out;
722725
lkey = cq->resize_buf->buf.mr.ibmr.lkey;
723726
} else {
724-
if (ib_copy_from_udata(&ucmd, udata, sizeof ucmd)) {
725-
ret = -EFAULT;
727+
ret = ib_copy_validate_udata_in(udata, ucmd, reserved);
728+
if (ret)
726729
goto out;
727-
}
728730
lkey = ucmd.lkey;
729731
}
730732

@@ -852,8 +854,11 @@ static struct ib_mr *mthca_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
852854
}
853855
++context->reg_mr_warned;
854856
ucmd.mr_attrs = 0;
855-
} else if (ib_copy_from_udata(&ucmd, udata, sizeof ucmd))
856-
return ERR_PTR(-EFAULT);
857+
} else {
858+
err = ib_copy_validate_udata_in(udata, ucmd, reserved);
859+
if (err)
860+
return ERR_PTR(err);
861+
}
857862

858863
mr = kmalloc_obj(*mr);
859864
if (!mr)

drivers/infiniband/hw/ocrdma/ocrdma_verbs.c

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -982,8 +982,9 @@ int ocrdma_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
982982
return -EOPNOTSUPP;
983983

984984
if (udata) {
985-
if (ib_copy_from_udata(&ureq, udata, sizeof(ureq)))
986-
return -EFAULT;
985+
status = ib_copy_validate_udata_in(udata, ureq, rsvd);
986+
if (status)
987+
return status;
987988
} else
988989
ureq.dpp_cq = 0;
989990

@@ -1309,8 +1310,9 @@ int ocrdma_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *attrs,
13091310

13101311
memset(&ureq, 0, sizeof(ureq));
13111312
if (udata) {
1312-
if (ib_copy_from_udata(&ureq, udata, sizeof(ureq)))
1313-
return -EFAULT;
1313+
status = ib_copy_validate_udata_in(udata, ureq, rsvd1);
1314+
if (status)
1315+
return status;
13141316
}
13151317
ocrdma_set_qp_init_params(qp, pd, attrs);
13161318
if (udata == NULL)

drivers/infiniband/hw/qedr/verbs.c

Lines changed: 11 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -273,12 +273,9 @@ int qedr_alloc_ucontext(struct ib_ucontext *uctx, struct ib_udata *udata)
273273
return -EFAULT;
274274

275275
if (udata->inlen) {
276-
rc = ib_copy_from_udata(&ureq, udata,
277-
min(sizeof(ureq), udata->inlen));
278-
if (rc) {
279-
DP_ERR(dev, "Problem copying data from user space\n");
280-
return -EFAULT;
281-
}
276+
rc = ib_copy_validate_udata_in(udata, ureq, reserved);
277+
if (rc)
278+
return rc;
282279
ctx->edpm_mode = !!(ureq.context_flags &
283280
QEDR_ALLOC_UCTX_EDPM_MODE);
284281
ctx->db_rec = !!(ureq.context_flags & QEDR_ALLOC_UCTX_DB_REC);
@@ -949,12 +946,9 @@ int qedr_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
949946
db_offset = DB_ADDR_SHIFT(DQ_PWM_OFFSET_UCM_RDMA_CQ_CONS_32BIT);
950947

951948
if (udata) {
952-
if (ib_copy_from_udata(&ureq, udata, min(sizeof(ureq),
953-
udata->inlen))) {
954-
DP_ERR(dev,
955-
"create cq: problem copying data from user space\n");
956-
goto err0;
957-
}
949+
rc = ib_copy_validate_udata_in(udata, ureq, len);
950+
if (rc)
951+
return rc;
958952

959953
if (!ureq.len) {
960954
DP_ERR(dev,
@@ -1575,12 +1569,9 @@ int qedr_create_srq(struct ib_srq *ibsrq, struct ib_srq_init_attr *init_attr,
15751569
hw_srq->max_sges = init_attr->attr.max_sge;
15761570

15771571
if (udata) {
1578-
if (ib_copy_from_udata(&ureq, udata, min(sizeof(ureq),
1579-
udata->inlen))) {
1580-
DP_ERR(dev,
1581-
"create srq: problem copying data from user space\n");
1582-
goto err0;
1583-
}
1572+
rc = ib_copy_validate_udata_in(udata, ureq, srq_len);
1573+
if (rc)
1574+
return rc;
15841575

15851576
rc = qedr_init_srq_user_params(udata, srq, &ureq, 0);
15861577
if (rc)
@@ -1860,12 +1851,9 @@ static int qedr_create_user_qp(struct qedr_dev *dev,
18601851
}
18611852

18621853
if (udata) {
1863-
rc = ib_copy_from_udata(&ureq, udata, min(sizeof(ureq),
1864-
udata->inlen));
1865-
if (rc) {
1866-
DP_ERR(dev, "Problem copying data from user space\n");
1854+
rc = ib_copy_validate_udata_in(udata, ureq, rq_len);
1855+
if (rc)
18671856
return rc;
1868-
}
18691857
}
18701858

18711859
if (qedr_qp_has_sq(qp)) {

drivers/infiniband/hw/usnic/usnic_ib_verbs.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -476,7 +476,7 @@ int usnic_ib_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *init_attr,
476476
if (init_attr->create_flags)
477477
return -EOPNOTSUPP;
478478

479-
err = ib_copy_from_udata(&cmd, udata, sizeof(cmd));
479+
err = ib_copy_validate_udata_in(udata, cmd, spec);
480480
if (err) {
481481
usnic_err("%s: cannot copy udata for create_qp\n",
482482
dev_name(&us_ibdev->ib_dev.dev));

drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,7 @@
4949
#include <rdma/ib_addr.h>
5050
#include <rdma/ib_smi.h>
5151
#include <rdma/ib_user_verbs.h>
52+
#include <rdma/uverbs_ioctl.h>
5253

5354
#include "pvrdma.h"
5455

@@ -252,10 +253,9 @@ int pvrdma_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *init_attr,
252253
dev_dbg(&dev->pdev->dev,
253254
"create queuepair from user space\n");
254255

255-
if (ib_copy_from_udata(&ucmd, udata, sizeof(ucmd))) {
256-
ret = -EFAULT;
256+
ret = ib_copy_validate_udata_in(udata, ucmd, qp_addr);
257+
if (ret)
257258
goto err_qp;
258-
}
259259

260260
/* Userspace supports qpn and qp handles? */
261261
if (dev->dsr_version >= PVRDMA_QPHANDLE_VERSION &&

drivers/infiniband/hw/vmw_pvrdma/pvrdma_srq.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,7 @@
4949
#include <rdma/ib_addr.h>
5050
#include <rdma/ib_smi.h>
5151
#include <rdma/ib_user_verbs.h>
52+
#include <rdma/uverbs_ioctl.h>
5253

5354
#include "pvrdma.h"
5455

@@ -141,10 +142,9 @@ int pvrdma_create_srq(struct ib_srq *ibsrq, struct ib_srq_init_attr *init_attr,
141142
dev_dbg(&dev->pdev->dev,
142143
"create shared receive queue from user space\n");
143144

144-
if (ib_copy_from_udata(&ucmd, udata, sizeof(ucmd))) {
145-
ret = -EFAULT;
145+
ret = ib_copy_validate_udata_in(udata, ucmd, reserved);
146+
if (ret)
146147
goto err_srq;
147-
}
148148

149149
srq->umem = ib_umem_get(ibsrq->device, ucmd.buf_addr, ucmd.buf_size, 0);
150150
if (IS_ERR(srq->umem)) {

0 commit comments

Comments
 (0)