diff options
Diffstat (limited to 'drivers/infiniband/core')
-rw-r--r-- | drivers/infiniband/core/rdma_core.c | 22 | ||||
-rw-r--r-- | drivers/infiniband/core/rdma_core.h | 2 | ||||
-rw-r--r-- | drivers/infiniband/core/uverbs_cmd.c | 8 | ||||
-rw-r--r-- | drivers/infiniband/core/uverbs_ioctl.c | 16 |
4 files changed, 30 insertions, 18 deletions
diff --git a/drivers/infiniband/core/rdma_core.c b/drivers/infiniband/core/rdma_core.c index aed7cc2a9e86..c63583dbc6b9 100644 --- a/drivers/infiniband/core/rdma_core.c +++ b/drivers/infiniband/core/rdma_core.c @@ -133,7 +133,7 @@ static int uverbs_try_lock_object(struct ib_uobject *uobj, bool exclusive) * returns success_res on success (negative errno on failure). For use by * callers that do not need the uobj. */ -int __uobj_perform_destroy(const struct uverbs_obj_type *type, int id, +int __uobj_perform_destroy(const struct uverbs_obj_type *type, u32 id, struct ib_uverbs_file *ufile, int success_res) { struct ib_uobject *uobj; @@ -212,13 +212,17 @@ static void uverbs_idr_remove_uobj(struct ib_uobject *uobj) /* Returns the ib_uobject or an error. The caller should check for IS_ERR. */ static struct ib_uobject * lookup_get_idr_uobject(const struct uverbs_obj_type *type, - struct ib_uverbs_file *ufile, int id, bool exclusive) + struct ib_uverbs_file *ufile, s64 id, bool exclusive) { struct ib_uobject *uobj; + unsigned long idrno = id; + + if (id < 0 || id > ULONG_MAX) + return ERR_PTR(-EINVAL); rcu_read_lock(); /* object won't be released as we're protected in rcu */ - uobj = idr_find(&ufile->idr, id); + uobj = idr_find(&ufile->idr, idrno); if (!uobj) { uobj = ERR_PTR(-ENOENT); goto free; @@ -240,17 +244,21 @@ free: static struct ib_uobject *lookup_get_fd_uobject(const struct uverbs_obj_type *type, struct ib_uverbs_file *ufile, - int id, bool exclusive) + s64 id, bool exclusive) { struct file *f; struct ib_uobject *uobject; + int fdno = id; const struct uverbs_obj_fd_type *fd_type = container_of(type, struct uverbs_obj_fd_type, type); + if (fdno != id) + return ERR_PTR(-EINVAL); + if (exclusive) return ERR_PTR(-EOPNOTSUPP); - f = fget(id); + f = fget(fdno); if (!f) return ERR_PTR(-EBADF); @@ -270,7 +278,7 @@ static struct ib_uobject *lookup_get_fd_uobject(const struct uverbs_obj_type *ty } struct ib_uobject *rdma_lookup_get_uobject(const struct uverbs_obj_type *type, - struct ib_uverbs_file *ufile, int id, + struct ib_uverbs_file *ufile, s64 id, bool exclusive) { struct ib_uobject *uobj; @@ -725,7 +733,7 @@ EXPORT_SYMBOL(uverbs_fd_class); struct ib_uobject * uverbs_get_uobject_from_file(const struct uverbs_obj_type *type_attrs, struct ib_uverbs_file *ufile, - enum uverbs_obj_access access, int id) + enum uverbs_obj_access access, s64 id) { switch (access) { case UVERBS_ACCESS_READ: diff --git a/drivers/infiniband/core/rdma_core.h b/drivers/infiniband/core/rdma_core.h index 1bba60e960c1..db2339330f6f 100644 --- a/drivers/infiniband/core/rdma_core.h +++ b/drivers/infiniband/core/rdma_core.h @@ -86,7 +86,7 @@ void uverbs_close_fd(struct file *f); struct ib_uobject * uverbs_get_uobject_from_file(const struct uverbs_obj_type *type_attrs, struct ib_uverbs_file *ufile, - enum uverbs_obj_access access, int id); + enum uverbs_obj_access access, s64 id); /* * Note that certain finalize stages could return a status: diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index 987ee38ab4b3..409fd46a2a99 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -48,10 +48,10 @@ #include "core_priv.h" static struct ib_uverbs_completion_event_file * -ib_uverbs_lookup_comp_file(int fd, struct ib_uverbs_file *ufile) +_ib_uverbs_lookup_comp_file(s32 fd, struct ib_uverbs_file *ufile) { - struct ib_uobject *uobj = uobj_get_read(UVERBS_OBJECT_COMP_CHANNEL, - fd, ufile); + struct ib_uobject *uobj = ufd_get_read(UVERBS_OBJECT_COMP_CHANNEL, + fd, ufile); if (IS_ERR(uobj)) return (void *)uobj; @@ -62,6 +62,8 @@ ib_uverbs_lookup_comp_file(int fd, struct ib_uverbs_file *ufile) return container_of(uobj, struct ib_uverbs_completion_event_file, uobj); } +#define ib_uverbs_lookup_comp_file(_fd, _ufile) \ + _ib_uverbs_lookup_comp_file((_fd)*typecheck(s32, _fd), _ufile) ssize_t ib_uverbs_get_context(struct ib_uverbs_file *file, struct ib_device *ib_dev, diff --git a/drivers/infiniband/core/uverbs_ioctl.c b/drivers/infiniband/core/uverbs_ioctl.c index d3bf82cfaa2b..26ddc5cadcdb 100644 --- a/drivers/infiniband/core/uverbs_ioctl.c +++ b/drivers/infiniband/core/uverbs_ioctl.c @@ -136,15 +136,11 @@ static int uverbs_process_attr(struct ib_uverbs_file *ufile, break; case UVERBS_ATTR_TYPE_IDR: - if (uattr->data >> 32) - return -EINVAL; - /* fall through */ case UVERBS_ATTR_TYPE_FD: if (uattr->attr_data.reserved) return -EINVAL; - if (uattr->len != 0 || !ufile->ucontext || - uattr->data > INT_MAX) + if (uattr->len != 0 || !ufile->ucontext) return -EINVAL; o_attr = &e->obj_attr; @@ -152,17 +148,23 @@ static int uverbs_process_attr(struct ib_uverbs_file *ufile, if (!object) return -EINVAL; + /* + * The type of uattr->data is u64 for UVERBS_ATTR_TYPE_IDR and + * s64 for UVERBS_ATTR_TYPE_FD. We can cast the u64 to s64 + * here without caring about truncation as we know that the + * IDR implementation today rejects negative IDs + */ o_attr->uobject = uverbs_get_uobject_from_file( object->type_attrs, ufile, spec->u.obj.access, - (int)uattr->data); + uattr->data_s64); if (IS_ERR(o_attr->uobject)) return PTR_ERR(o_attr->uobject); if (spec->u.obj.access == UVERBS_ACCESS_NEW) { - u64 id = o_attr->uobject->id; + s64 id = o_attr->uobject->id; /* Copy the allocated id to the user-space */ if (put_user(id, &e->uattr->data)) { |