On Thu, Jan 26, 2023 at 02:00:45PM +0300, Dan Carpenter wrote: > On Thu, Jan 26, 2023 at 12:18:46PM +0200, Leon Romanovsky wrote: > > On Tue, Jan 24, 2023 at 06:20:54PM +0300, Dan Carpenter wrote: > > > The "port" comes from the user and if it is zero then the: > > > > > > ndev = mc->ports[port - 1]; > > > > > > assignment does an out of bounds read. I have changed the if > > > statement to fix this and to mirror how it is done in > > > mana_ib_create_qp_rss(). > > > > > > Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter") > > > Signed-off-by: Dan Carpenter <error27@xxxxxxxxx> > > > --- > > > drivers/infiniband/hw/mana/qp.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c > > > index ea15ec77e321..54b61930a7fd 100644 > > > --- a/drivers/infiniband/hw/mana/qp.c > > > +++ b/drivers/infiniband/hw/mana/qp.c > > > @@ -289,7 +289,7 @@ static int mana_ib_create_qp_raw(struct ib_qp *ibqp, struct ib_pd *ibpd, > > > > > > /* IB ports start with 1, MANA Ethernet ports start with 0 */ > > > port = ucmd.port; > > > - if (ucmd.port > mc->num_ports) > > > + if (port < 1 || port > mc->num_ports) > > > > Why do I see port in mana_ib_create_qp? It should come from ib_qp_init_attr. > > I am so confused by this question. Are you asking me? I asked *@microsoft folks. > This is the _raw function. _raw comes from QP type, it is not raw (basic) in a sense you imagine. > I'm now sure what mana_ib_create_qp() has to do with it. All create QP calls come through same verbs interface. ib_create_qp_user->create_qp->.create_qp->mana_ib_create_qp->mana_ib_create_qp_raw > > The port comes from ib_copy_from_udata() which is just a wrapper around > copy_from_user(). Right, and it shouldn't. > > regards, > dan carpenter >
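Review bot: in the `@@ -289,7 +289,7 @@` hunk of drivers/infiniband/hw/mana/qp.c, the new test `if (port < 1 || port > mc->num_ports)` checks the local `port` where the old line checked `ucmd.port`, and neither declaration is inside the visible context. Checking the local copy is the right choice, since per the commit message it is the value used in `mc->ports[port - 1]`, but please confirm that `port` is at least as wide as `ucmd.port`. If the assignment `port = ucmd.port;` narrows, an oversized user value could wrap into the accepted range and select a port the caller did not ask for instead of being rejected. It would also help to extend the existing comment `/* IB ports start with 1, MANA Ethernet ports start with 0 */` to say that 0 is rejected because of the `port - 1` index, so the lower bound is not dropped in a later cleanup.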