* [PATCH rdma-rc v2] RDMA/core: Sanitize WQ state received from the userspace
@ 2021-05-19 8:37 Leon Romanovsky
2021-06-02 8:19 ` Leon Romanovsky
2021-06-02 18:39 ` Jason Gunthorpe
0 siblings, 2 replies; 3+ messages in thread
From: Leon Romanovsky @ 2021-05-19 8:37 UTC (permalink / raw)
To: Doug Ledford, Jason Gunthorpe
Cc: Leon Romanovsky, Jiapeng Chong, linux-kernel, linux-rdma,
Yishai Hadas, Saleem, Shiraz
From: Leon Romanovsky <leonro@nvidia.com>
The mlx4 and mlx5 implemented differently the WQ input checks.
Instead of duplicating mlx4 logic in the mlx5, let's prepare
the input in the central place.
The mlx5 implementation didn't check for validity of state input.
It is not real bug because our FW checked that, but still worth to fix.
Fixes: f213c0527210 ("IB/uverbs: Add WQ support")
Reported-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
Changelog:
v2:
* Extended commit message
v1: https://lore.kernel.org/lkml/0433d8013ed3a2ffdd145244651a5edb2afbd75b.1621342527.git.leonro@nvidia.com
* Removed IB_WQS_RESET state checks because it is zero and wq states
declared as u32, so can't be less than IB_WQS_RESET.
v0: https://lore.kernel.org/lkml/932f87b48c07278730c3c760b3a707d6a984b524.1621332736.git.leonro@nvidia.com
---
drivers/infiniband/core/uverbs_cmd.c | 21 +++++++++++++++++++--
drivers/infiniband/hw/mlx4/qp.c | 9 ++-------
drivers/infiniband/hw/mlx5/qp.c | 6 ++----
3 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 4f890bff80f8..c6f53d894411 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -3084,12 +3084,29 @@ static int ib_uverbs_ex_modify_wq(struct uverbs_attr_bundle *attrs)
if (!wq)
return -EINVAL;
- wq_attr.curr_wq_state = cmd.curr_wq_state;
- wq_attr.wq_state = cmd.wq_state;
if (cmd.attr_mask & IB_WQ_FLAGS) {
wq_attr.flags = cmd.flags;
wq_attr.flags_mask = cmd.flags_mask;
}
+
+ if (cmd.attr_mask & IB_WQ_CUR_STATE) {
+ if (cmd.curr_wq_state > IB_WQS_ERR)
+ return -EINVAL;
+
+ wq_attr.curr_wq_state = cmd.curr_wq_state;
+ } else {
+ wq_attr.curr_wq_state = wq->state;
+ }
+
+ if (cmd.attr_mask & IB_WQ_STATE) {
+ if (cmd.wq_state > IB_WQS_ERR)
+ return -EINVAL;
+
+ wq_attr.wq_state = cmd.wq_state;
+ } else {
+ wq_attr.wq_state = wq_attr.curr_wq_state;
+ }
+
ret = wq->device->ops.modify_wq(wq, &wq_attr, cmd.attr_mask,
&attrs->driver_udata);
rdma_lookup_put_uobject(&wq->uobject->uevent.uobject,
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 92ddbcc00eb2..2ae22bf50016 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -4251,13 +4251,8 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr,
if (wq_attr_mask & IB_WQ_FLAGS)
return -EOPNOTSUPP;
- cur_state = wq_attr_mask & IB_WQ_CUR_STATE ? wq_attr->curr_wq_state :
- ibwq->state;
- new_state = wq_attr_mask & IB_WQ_STATE ? wq_attr->wq_state : cur_state;
-
- if (cur_state < IB_WQS_RESET || cur_state > IB_WQS_ERR ||
- new_state < IB_WQS_RESET || new_state > IB_WQS_ERR)
- return -EINVAL;
+ cur_state = wq_attr->curr_wq_state;
+ new_state = wq_attr->wq_state;
if ((new_state == IB_WQS_RDY) && (cur_state == IB_WQS_ERR))
return -EINVAL;
diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index d984b451c379..becd250388af 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -5483,10 +5483,8 @@ int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr,
rqc = MLX5_ADDR_OF(modify_rq_in, in, ctx);
- curr_wq_state = (wq_attr_mask & IB_WQ_CUR_STATE) ?
- wq_attr->curr_wq_state : wq->state;
- wq_state = (wq_attr_mask & IB_WQ_STATE) ?
- wq_attr->wq_state : curr_wq_state;
+ curr_wq_state = wq_attr->curr_wq_state;
+ wq_state = wq_attr->wq_state;
if (curr_wq_state == IB_WQS_ERR)
curr_wq_state = MLX5_RQC_STATE_ERR;
if (wq_state == IB_WQS_ERR)
--
2.31.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH rdma-rc v2] RDMA/core: Sanitize WQ state received from the userspace
2021-05-19 8:37 [PATCH rdma-rc v2] RDMA/core: Sanitize WQ state received from the userspace Leon Romanovsky
@ 2021-06-02 8:19 ` Leon Romanovsky
2021-06-02 18:39 ` Jason Gunthorpe
1 sibling, 0 replies; 3+ messages in thread
From: Leon Romanovsky @ 2021-06-02 8:19 UTC (permalink / raw)
To: Doug Ledford, Jason Gunthorpe
Cc: Jiapeng Chong, linux-kernel, linux-rdma, Yishai Hadas, Saleem, Shiraz
On Wed, May 19, 2021 at 11:37:31AM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@nvidia.com>
>
> The mlx4 and mlx5 implemented differently the WQ input checks.
> Instead of duplicating mlx4 logic in the mlx5, let's prepare
> the input in the central place.
>
> The mlx5 implementation didn't check for validity of state input.
> It is not real bug because our FW checked that, but still worth to fix.
>
> Fixes: f213c0527210 ("IB/uverbs: Add WQ support")
> Reported-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> ---
> Changelog:
> v2:
> * Extended commit message
> v1: https://lore.kernel.org/lkml/0433d8013ed3a2ffdd145244651a5edb2afbd75b.1621342527.git.leonro@nvidia.com
> * Removed IB_WQS_RESET state checks because it is zero and wq states
> declared as u32, so can't be less than IB_WQS_RESET.
> v0: https://lore.kernel.org/lkml/932f87b48c07278730c3c760b3a707d6a984b524.1621332736.git.leonro@nvidia.com
> ---
> drivers/infiniband/core/uverbs_cmd.c | 21 +++++++++++++++++++--
> drivers/infiniband/hw/mlx4/qp.c | 9 ++-------
> drivers/infiniband/hw/mlx5/qp.c | 6 ++----
> 3 files changed, 23 insertions(+), 13 deletions(-)
Any reason for not merging it?
Thanks
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH rdma-rc v2] RDMA/core: Sanitize WQ state received from the userspace
2021-05-19 8:37 [PATCH rdma-rc v2] RDMA/core: Sanitize WQ state received from the userspace Leon Romanovsky
2021-06-02 8:19 ` Leon Romanovsky
@ 2021-06-02 18:39 ` Jason Gunthorpe
1 sibling, 0 replies; 3+ messages in thread
From: Jason Gunthorpe @ 2021-06-02 18:39 UTC (permalink / raw)
To: Leon Romanovsky
Cc: Doug Ledford, Leon Romanovsky, Jiapeng Chong, linux-kernel,
linux-rdma, Yishai Hadas, Saleem, Shiraz
On Wed, May 19, 2021 at 11:37:31AM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@nvidia.com>
>
> The mlx4 and mlx5 implemented differently the WQ input checks.
> Instead of duplicating mlx4 logic in the mlx5, let's prepare
> the input in the central place.
>
> The mlx5 implementation didn't check for validity of state input.
> It is not real bug because our FW checked that, but still worth to fix.
>
> Fixes: f213c0527210 ("IB/uverbs: Add WQ support")
> Reported-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> ---
> Changelog:
> v2:
> * Extended commit message
> v1: https://lore.kernel.org/lkml/0433d8013ed3a2ffdd145244651a5edb2afbd75b.1621342527.git.leonro@nvidia.com
> * Removed IB_WQS_RESET state checks because it is zero and wq states
> declared as u32, so can't be less than IB_WQS_RESET.
> v0: https://lore.kernel.org/lkml/932f87b48c07278730c3c760b3a707d6a984b524.1621332736.git.leonro@nvidia.com
> ---
> drivers/infiniband/core/uverbs_cmd.c | 21 +++++++++++++++++++--
> drivers/infiniband/hw/mlx4/qp.c | 9 ++-------
> drivers/infiniband/hw/mlx5/qp.c | 6 ++----
> 3 files changed, 23 insertions(+), 13 deletions(-)
Applied to for-next, thanks
Jason
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-06-02 18:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-19 8:37 [PATCH rdma-rc v2] RDMA/core: Sanitize WQ state received from the userspace Leon Romanovsky
2021-06-02 8:19 ` Leon Romanovsky
2021-06-02 18:39 ` Jason Gunthorpe
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.