From ece9ca97ccdc845c0c48e204e5a6d9149b7a24b3 Mon Sep 17 00:00:00 2001
From: Jason Gunthorpe <jgg@mellanox.com>
Date: Sun, 25 Nov 2018 20:58:44 +0200
Subject: RDMA/uverbs: Do not check the input length on create_cq/qp paths

If the user did not provide a long enough command buffer then the missing
bytes are forced to zero. There is no reason to check the length if a zero
value is OK.

Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
---
 drivers/infiniband/core/uverbs_cmd.c | 38 +++++++++---------------------------
 1 file changed, 9 insertions(+), 29 deletions(-)

(limited to 'drivers/infiniband/core/uverbs_cmd.c')

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 15b9db4463da..11e2175e0362 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1018,8 +1018,7 @@ static int ib_uverbs_create_comp_channel(struct uverbs_attr_bundle *attrs,
 }
 
 static struct ib_ucq_object *create_cq(struct uverbs_attr_bundle *attrs,
-				       struct ib_uverbs_ex_create_cq *cmd,
-				       size_t cmd_sz)
+				       struct ib_uverbs_ex_create_cq *cmd)
 {
 	struct ib_ucq_object           *obj;
 	struct ib_uverbs_completion_event_file    *ev_file = NULL;
@@ -1053,9 +1052,7 @@ static struct ib_ucq_object *create_cq(struct uverbs_attr_bundle *attrs,
 
 	attr.cqe = cmd->cqe;
 	attr.comp_vector = cmd->comp_vector;
-
-	if (cmd_sz > offsetof(typeof(*cmd), flags) + sizeof(cmd->flags))
-		attr.flags = cmd->flags;
+	attr.flags = cmd->flags;
 
 	cq = ib_dev->create_cq(ib_dev, &attr, obj->uobject.context,
 			       &attrs->driver_udata);
@@ -1120,9 +1117,7 @@ static int ib_uverbs_create_cq(struct uverbs_attr_bundle *attrs,
 	cmd_ex.comp_vector = cmd.comp_vector;
 	cmd_ex.comp_channel = cmd.comp_channel;
 
-	obj = create_cq(attrs, &cmd_ex,
-			offsetof(typeof(cmd_ex), comp_channel) +
-				sizeof(cmd.comp_channel));
+	obj = create_cq(attrs, &cmd_ex);
 	return PTR_ERR_OR_ZERO(obj);
 }
 
@@ -1143,7 +1138,7 @@ static int ib_uverbs_ex_create_cq(struct uverbs_attr_bundle *attrs,
 	if (cmd.reserved)
 		return -EINVAL;
 
-	obj = create_cq(attrs, &cmd, min(ucore->inlen, sizeof(cmd)));
+	obj = create_cq(attrs, &cmd);
 	return PTR_ERR_OR_ZERO(obj);
 }
 
@@ -1309,7 +1304,7 @@ static int ib_uverbs_destroy_cq(struct uverbs_attr_bundle *attrs,
 }
 
 static int create_qp(struct uverbs_attr_bundle *attrs,
-		     struct ib_uverbs_ex_create_qp *cmd, size_t cmd_sz)
+		     struct ib_uverbs_ex_create_qp *cmd)
 {
 	struct ib_uqp_object		*obj;
 	struct ib_device		*device;
@@ -1319,7 +1314,6 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 	struct ib_cq			*scq = NULL, *rcq = NULL;
 	struct ib_srq			*srq = NULL;
 	struct ib_qp			*qp;
-	char				*buf;
 	struct ib_qp_init_attr		attr = {};
 	struct ib_uverbs_ex_create_qp_resp resp;
 	int				ret;
@@ -1338,9 +1332,7 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 	obj->uevent.uobject.user_handle = cmd->user_handle;
 	mutex_init(&obj->mcast_lock);
 
-	if (cmd_sz >= offsetof(typeof(*cmd), rwq_ind_tbl_handle) +
-		      sizeof(cmd->rwq_ind_tbl_handle) &&
-		      (cmd->comp_mask & IB_UVERBS_CREATE_QP_MASK_IND_TABLE)) {
+	if (cmd->comp_mask & IB_UVERBS_CREATE_QP_MASK_IND_TABLE) {
 		ind_tbl = uobj_get_obj_read(rwq_ind_table,
 					    UVERBS_OBJECT_RWQ_IND_TBL,
 					    cmd->rwq_ind_tbl_handle, attrs);
@@ -1438,10 +1430,7 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 	INIT_LIST_HEAD(&obj->uevent.event_list);
 	INIT_LIST_HEAD(&obj->mcast_list);
 
-	if (cmd_sz >= offsetof(typeof(*cmd), create_flags) +
-		      sizeof(cmd->create_flags))
-		attr.create_flags = cmd->create_flags;
-
+	attr.create_flags = cmd->create_flags;
 	if (attr.create_flags & ~(IB_QP_CREATE_BLOCK_MULTICAST_LOOPBACK |
 				IB_QP_CREATE_CROSS_CHANNEL |
 				IB_QP_CREATE_MANAGED_SEND |
@@ -1463,14 +1452,6 @@ static int create_qp(struct uverbs_attr_bundle *attrs,
 		attr.source_qpn = cmd->source_qpn;
 	}
 
-	buf = (void *)cmd + sizeof(*cmd);
-	if (cmd_sz > sizeof(*cmd))
-		if (!(buf[0] == 0 && !memcmp(buf, buf + 1,
-					     cmd_sz - sizeof(*cmd) - 1))) {
-			ret = -EINVAL;
-			goto err_put;
-		}
-
 	if (cmd->qp_type == IB_QPT_XRC_TGT)
 		qp = ib_create_qp(pd, &attr);
 	else
@@ -1594,8 +1575,7 @@ static int ib_uverbs_create_qp(struct uverbs_attr_bundle *attrs,
 	cmd_ex.qp_type = cmd.qp_type;
 	cmd_ex.is_srq = cmd.is_srq;
 
-	return create_qp(attrs, &cmd_ex,
-			 offsetof(typeof(cmd_ex), is_srq) + sizeof(cmd.is_srq));
+	return create_qp(attrs, &cmd_ex);
 }
 
 static int ib_uverbs_ex_create_qp(struct uverbs_attr_bundle *attrs,
@@ -1614,7 +1594,7 @@ static int ib_uverbs_ex_create_qp(struct uverbs_attr_bundle *attrs,
 	if (cmd.reserved)
 		return -EINVAL;
 
-	return create_qp(attrs, &cmd, min(ucore->inlen, sizeof(cmd)));
+	return create_qp(attrs, &cmd);
 }
 
 static int ib_uverbs_open_qp(struct uverbs_attr_bundle *attrs,
-- 
cgit v1.2.3-59-g8ed1b