> Subject: Re: [PATCH] RDMA/irdma: Initialize struct members in
> irdma_reg_user_mr()
>
> On Tue, May 24, 2022 at 06:23:53PM +0300, Dan Carpenter wrote:
> > The ib_copy_from_udata() function does not always initialize the whole
> > struct. It depends on the value of udata->inlen. So initialize it to
> > zero at the start.
> >
> > Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb
> > APIs")
> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> > What I know is that RDMA takes fast paths very seriously.
> >
> > This is probably a fast path so you may want to implement a different
> > solution. If you want to do something else then, just feel free to do
> > that and give me a Reported-by tag.
>
> This isn't fast path..
>
> But the bug here is not validating inlen properly and should be fixed there, not by
> zero-initing and allowing userspace to pass in an invalid inlen..
>

Hi Jason - So something like this is appropriate?

diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c index 52f3e88..aecfedc 100644 --- a/drivers/infiniband/hw/irdma/verbs.c +++ b/drivers/infiniband/hw/irdma/verbs.c @@ -2735,6 +2735,9 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len, if (len > iwdev->rf->sc_dev.hw_attrs.max_mr_size) return ERR_PTR(-EINVAL); + if (udata->inlen < sizeof(req)) + return ERR_PTR(-EINVAL); + region = ib_umem_get(pd->device, start, len, access); if (IS_ERR(region)) {
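
Review bot: The added check `if (udata->inlen < sizeof(req))` ties the minimum accepted input length to the full current size of `req`, so a userspace caller that passes a shorter request gets -EINVAL even if every field this function reads is present, and the bound tightens implicitly if the struct ever grows. Consider comparing against the smallest length the function actually needs, for example offsetofend() of the last field it reads, and make sure no field past that point is consumed, since the original report says the copy only fills `req` up to udata->inlen. Placing the check before ib_umem_get() is good, as the early return then has nothing to unwind. A formal submission should also carry the Fixes: b48c24c2d710 line and the Reported-by tag Dan asked for.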