| From: Leon Romanovsky <leonro@mellanox.com> |
| Date: Sun, 24 Jun 2018 11:23:42 +0300 |
| Subject: RDMA/uverbs: Protect from attempts to create flows on unsupported QP |
| |
| commit 940efcc8889f0d15567eb07fc9fd69b06e366aa5 upstream. |
| |
| Flows can be created on UD and RAW_PACKET QP types. Attempts to provide |
| other QP types as an input causes to various unpredictable failures. |
| |
| The reason is that in order to support all various types (e.g. XRC), we |
| are supposed to use real_qp handle and not qp handle and expect to |
| driver/FW to fail such (XRC) flows. The simpler and safer variant is to |
| ban all QP types except UD and RAW_PACKET, instead of relying on |
| driver/FW. |
| |
| Fixes: 436f2ad05a0b ("IB/core: Export ib_create/destroy_flow through uverbs") |
| Cc: syzkaller <syzkaller@googlegroups.com> |
| Reported-by: Noa Osherovich <noaos@mellanox.com> |
| Signed-off-by: Leon Romanovsky <leonro@mellanox.com> |
| Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> |
| [bwh: Backported to 3.16: adjust context] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| drivers/infiniband/core/uverbs_cmd.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| --- a/drivers/infiniband/core/uverbs_cmd.c |
| +++ b/drivers/infiniband/core/uverbs_cmd.c |
| @@ -2740,6 +2740,11 @@ int ib_uverbs_ex_create_flow(struct ib_u |
| goto err_uobj; |
| } |
| |
| + if (qp->qp_type != IB_QPT_UD && qp->qp_type != IB_QPT_RAW_PACKET) { |
| + err = -EINVAL; |
| + goto err_put; |
| + } |
| + |
| flow_attr = kmalloc(sizeof(*flow_attr) + cmd.flow_attr.size, GFP_KERNEL); |
| if (!flow_attr) { |
| err = -ENOMEM; |