Message ID | Yoz4iXtRJ8jw6IeD@kili (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Jason Gunthorpe |
Series | RDMA/irdma: Initialize struct members in irdma_reg_user_mr() |
> Subject: [PATCH] RDMA/irdma: Initialize struct members in irdma_reg_user_mr()
>
> The ib_copy_from_udata() function does not always initialize the whole struct. It
> depends on the value of udata->inlen. So initialize it to zero at the start.
>
> Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---

Acked-by: Shiraz Saleem <shiraz.saleem@intel.com>
On Tue, May 24, 2022 at 06:23:53PM +0300, Dan Carpenter wrote:
> The ib_copy_from_udata() function does not always initialize the whole
> struct. It depends on the value of udata->inlen. So initialize it to
> zero at the start.
>
> Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> What I know is that RDMA takes fast paths very seriously.
>
> This is probably a fast path so you may want to implement a different
> solution. If you want to do something else then, just feel free to do
> that and give me a Reported-by tag.

This isn't fast path..

But the bug here is not validating inlen properly and should be fixed there, not by zero-initing and allowing userspace to pass in an invalid inlen..

Jason
> Subject: Re: [PATCH] RDMA/irdma: Initialize struct members in
> irdma_reg_user_mr()
>
> On Tue, May 24, 2022 at 06:23:53PM +0300, Dan Carpenter wrote:
> > The ib_copy_from_udata() function does not always initialize the whole
> > struct. It depends on the value of udata->inlen. So initialize it to
> > zero at the start.
> >
> > Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb
> > APIs")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> What I know is
> > that RDMA takes fast paths very seriously.
> >
> > This is probably a fast path so you may want to implement a different
> > solution. If you want to do something else then, just feel free to do
> > that and give me a Reported-by tag.
>
> This isn't fast path..
>
> But the bug here is not validating inlen properly and should be fixed there, not by
> zero-initing and allowing userspace to pass in an invalid inlen..
>

Hi Jason -

So something like this is appropriate?

diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c index 52f3e88..aecfedc 100644 --- a/drivers/infiniband/hw/irdma/verbs.c +++ b/drivers/infiniband/hw/irdma/verbs.c @@ -2735,6 +2735,9 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len, if (len > iwdev->rf->sc_dev.hw_attrs.max_mr_size) return ERR_PTR(-EINVAL); + if (udata->inlen < sizeof(req)) + return ERR_PTR(-EINVAL); + region = ib_umem_get(pd->device, start, len, access); if (IS_ERR(region)) {
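
Review bot: The new `udata->inlen < sizeof(req)` test makes the full current struct size the minimum accepted length, so any field later appended to the request struct would make requests from existing userspace fail with -EINVAL. Consider comparing against the end of the last field irdma_reg_user_mr() actually reads (offsetofend() on that member) rather than sizeof(req). Placing the check before ib_umem_get() is right, since nothing needs unwinding on the error return; the hunk does not show the ib_copy_from_udata() call, so confirm the copy happens after this check.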
On Tue, May 24, 2022 at 04:53:46PM +0000, Saleem, Shiraz wrote:
> > Subject: Re: [PATCH] RDMA/irdma: Initialize struct members in
> > irdma_reg_user_mr()
> >
> > On Tue, May 24, 2022 at 06:23:53PM +0300, Dan Carpenter wrote:
> > > The ib_copy_from_udata() function does not always initialize the whole
> > > struct. It depends on the value of udata->inlen. So initialize it to
> > > zero at the start.
> > >
> > > Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb
> > > APIs")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> What I know is
> > > that RDMA takes fast paths very seriously.
> > >
> > > This is probably a fast path so you may want to implement a different
> > > solution. If you want to do something else then, just feel free to do
> > > that and give me a Reported-by tag.
> >
> > This isn't fast path..
> >
> > But the bug here is not validating inlen properly and should be fixed there, not by
> > zero-initing and allowing userspace to pass in an invalid inlen..
> >
> Hi Jason -
>
> So something like this is appropriate?

Yes

Jason
> Subject: Re: [PATCH] RDMA/irdma: Initialize struct members in
> irdma_reg_user_mr()
>
> On Tue, May 24, 2022 at 04:53:46PM +0000, Saleem, Shiraz wrote:
> > > Subject: Re: [PATCH] RDMA/irdma: Initialize struct members in
> > > irdma_reg_user_mr()
> > >
> > > On Tue, May 24, 2022 at 06:23:53PM +0300, Dan Carpenter wrote:
> > > > The ib_copy_from_udata() function does not always initialize the
> > > > whole struct. It depends on the value of udata->inlen. So
> > > > initialize it to zero at the start.
> > > >
> > > > Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb
> > > > APIs")
> > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> What I
> > > > know is that RDMA takes fast paths very seriously.
> > > >
> > > > This is probably a fast path so you may want to implement a
> > > > different solution. If you want to do something else then, just
> > > > feel free to do that and give me a Reported-by tag.
> > >
> > > This isn't fast path..
> > >
> > > But the bug here is not validating inlen properly and should be
> > > fixed there, not by zero-initing and allowing userspace to pass in an invalid inlen..
> > >
> > Hi Jason -
> >
> > So something like this is appropriate?
>
> Yes
>

Ok. Thanks.

It seems we have other places in irdma which should be fixed this way too. I will send a fix.

Shiraz
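
The two fixes weighed in this thread, side by side, as an added example that is not code from the thread or from the irdma driver. It is a userspace model: `demo_req`, `demo_udata`, `demo_copy` and both `reg_*` functions are hypothetical names, and the copy is assumed to write at most `inlen` bytes, as the patch description says.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is a userspace model, not irdma code. */
struct demo_req { unsigned short kind; unsigned short pages; };
struct demo_udata { const void *inbuf; size_t inlen; };

/* Assumed copy semantics: at most inlen bytes of the request are written. */
static void demo_copy(void *dst, const struct demo_udata *u, size_t len)
{
    memcpy(dst, u->inbuf, len < u->inlen ? len : u->inlen);
}

/* Zero-init approach: a short request is accepted, missing fields read as 0. */
static int reg_zero_init(const struct demo_udata *u, struct demo_req *out)
{
    struct demo_req req = {0};

    demo_copy(&req, u, sizeof(req));
    *out = req;
    return 0;
}

/* Length-check approach: a short request is rejected before any field is used. */
static int reg_validated(const struct demo_udata *u, struct demo_req *out)
{
    struct demo_req req;

    if (u->inlen < sizeof(req))
        return -EINVAL;
    demo_copy(&req, u, sizeof(req));
    *out = req;
    return 0;
}

int main(void)
{
    /* Constructed sample: the caller declares only the first field's length. */
    struct demo_req user = { .kind = 1, .pages = 7 }, out = {0};
    struct demo_udata shrt = { &user, sizeof(user.kind) };
    int rc = reg_zero_init(&shrt, &out);

    printf("zero-init: rc=%d kind=%u pages=%u\n", rc, out.kind, out.pages);
    printf("validated: rc=%d\n", reg_validated(&shrt, &out));
    return 0;
}
```

With the short request, the zero-init variant succeeds and reports `pages` as 0 even though the caller never supplied it, while the validated variant returns `-EINVAL`.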
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c index c4412ece5a6d..8f4a6b7ebcce 100644 --- a/drivers/infiniband/hw/irdma/verbs.c +++ b/drivers/infiniband/hw/irdma/verbs.c @@ -2741,7 +2741,7 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len, struct irdma_pbl *iwpbl; struct irdma_mr *iwmr; struct ib_umem *region; - struct irdma_mem_reg_req req; + struct irdma_mem_reg_req req = {}; u32 total, stag = 0; u8 shadow_pgcnt = 1; bool use_pbles = false;
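
Review bot: The `req = {}` initializer at the declaration removes the uninitialized read but still accepts a short udata->inlen: whatever ib_copy_from_udata() does not fill is then consumed as zeros, as if userspace had supplied those values. Reject the request with -EINVAL when udata->inlen is shorter than the fields irdma_reg_user_mr() reads, before any of them is used, so an invalid length is reported to the caller rather than silently defaulted.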
The ib_copy_from_udata() function does not always initialize the whole
struct. It depends on the value of udata->inlen. So initialize it to
zero at the start.

Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
What I know is that RDMA takes fast paths very seriously.

This is probably a fast path so you may want to implement a different
solution. If you want to do something else then, just feel free to do
that and give me a Reported-by tag.

That business about you guys trying to explain what you want me to type
and then I wait for a day and resend but I misunderstood something so I
have to redo it again. You all are very dear to my heart, but what a
headache! None of us need a long back and forth over trivial stuff like
this. It's just easier for everyone if people write their own patches.
It takes five minutes instead of three days or whatever.

 drivers/infiniband/hw/irdma/verbs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)