On Thu, Jan 26, 2023 at 12:18:46PM +0200, Leon Romanovsky wrote:
> On Tue, Jan 24, 2023 at 06:20:54PM +0300, Dan Carpenter wrote:
> > The "port" comes from the user and if it is zero then the:
> >
> > ndev = mc->ports[port - 1];
> >
> > assignment does an out of bounds read. I have changed the if
> > statement to fix this and to mirror how it is done in
> > mana_ib_create_qp_rss().
> >
> > Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
> > Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
> > ---
> > drivers/infiniband/hw/mana/qp.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c
> > index ea15ec77e321..54b61930a7fd 100644
> > --- a/drivers/infiniband/hw/mana/qp.c
> > +++ b/drivers/infiniband/hw/mana/qp.c
> > @@ -289,7 +289,7 @@ static int mana_ib_create_qp_raw(struct ib_qp *ibqp, struct ib_pd *ibpd,
> >
> > /* IB ports start with 1, MANA Ethernet ports start with 0 */
> > port = ucmd.port;
> > - if (ucmd.port > mc->num_ports)
> > + if (port < 1 || port > mc->num_ports)
>
> Why do I see port in mana_ib_create_qp? It should come from ib_qp_init_attr.

I am so confused by this question. Are you asking me? This is the _raw
function. I'm not sure what mana_ib_create_qp() has to do with it.

The port comes from ib_copy_from_udata() which is just a wrapper around
copy_from_user().

regards,
dan carpenter
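
Review bot: On the changed `if` line in mana_ib_create_qp_raw(), the range check moves from `ucmd.port` to the local `port`, and the hunk does not show how `port` is declared. If the local is narrower than `ucmd.port`, a large user-supplied value could truncate into the valid range at `port = ucmd.port;` and be accepted instead of rejected. The later `mc->ports[port - 1]` index would still be in bounds, so this is about rejecting bad input rather than memory safety, but it is worth confirming the two have the same width or keeping `ucmd.port` in the upper-bound comparison. Since the commit message says the same test already lives in mana_ib_create_qp_rss(), a small shared helper for the port validation would keep the two paths from drifting apart again. The comment above the check could also say that port 0 is rejected because the value is used as `port - 1`.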