[PATCH for-next 3/5] RDMA/efa: Validate EQ array out of bounds reach

From: Yonatan Nachum <ynachum@xxxxxxxxxx>

When creating a new CQ with interrupts enabled, the caller needs to
specify an EQ index to which the interrupts will be sent, but we don't
validate the requested index in the EQ array.
Validate out-of-bounds reach of the EQ array and return an error.

This is not a bug because IB core validates the requested EQ number when
creating a CQ.

Reviewed-by: Firas Jahjah <firasj@xxxxxxxxxx>
Signed-off-by: Yonatan Nachum <ynachum@xxxxxxxxxx>
Signed-off-by: Michael Margolin <mrgolin@xxxxxxxxxx>
---
 drivers/infiniband/hw/efa/efa_verbs.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
index cd1f735d08a7..9c3e476e3f9c 100644
--- a/drivers/infiniband/hw/efa/efa_verbs.c
+++ b/drivers/infiniband/hw/efa/efa_verbs.c
@@ -1046,7 +1046,7 @@ int efa_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata)
 
 static struct efa_eq *efa_vec2eq(struct efa_dev *dev, int vec)
 {
-	return &dev->eqs[vec];
+	return vec < dev->neqs ? &dev->eqs[vec] : NULL;
 }
 
 static int cq_mmap_entries_setup(struct efa_dev *dev, struct efa_cq *cq,
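Review bot: in efa_vec2eq() the new check `vec < dev->neqs` bounds only the upper end, while `vec` is declared `int`. If `neqs` is a signed type (its declaration is not visible in this hunk), a negative `vec` passes the check and `&dev->eqs[vec]` still indexes before the start of the array. Consider making the parameter unsigned, which would match the `%u` used for `attr->comp_vector` in the caller, or adding an explicit `vec >= 0` test.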
@@ -1173,6 +1173,11 @@ int efa_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
 	params.set_src_addr = set_src_addr;
 	if (cmd.flags & EFA_CREATE_CQ_WITH_COMPLETION_CHANNEL) {
 		cq->eq = efa_vec2eq(dev, attr->comp_vector);
+		if (!cq->eq) {
+			ibdev_dbg(ibdev, "Invalid EQ requested[%u]\n", attr->comp_vector);
+			err = -EINVAL;
+			goto err_free_mapped;
+		}
 		params.eqn = cq->eq->eeq.eqn;
 		params.interrupt_mode_enabled = true;
 	}
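Review bot: the new `!cq->eq` branch in efa_create_cq() exits through `goto err_free_mapped`, a label whose body is not visible in this hunk; please confirm that it unwinds exactly what has been set up by this point and nothing that is only initialised later. A smaller point on the same branch: `ibdev_dbg()` prints `attr->comp_vector` with `%u` while efa_vec2eq() takes `int vec`, so using one signedness on both sides would make the bounds check easier to reason about.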
-- 
2.40.1




