On Wed, Jul 19, 2017 at 10:51:19AM +0300, Leon Romanovsky wrote:
> On Wed, Jul 19, 2017 at 10:11:50AM +0300, Moni Shoua wrote:
> > > How this code can be executed? IB/core ensures that port_num is in range.
> > > You can remove this check.
> > >
> > In this case ah_attr can come from the application and a validity
> > check is necessary.
>
> It is a bug if it comes directly without rdma_is_port_valid() check in the
> IB/core. Currently modify_qp and create_ah are checking it and ensuring that
> user won't provide illegal port number.

Not sure I see the whole picture but something does not fit, will appreciate
guidance here.

1. Application calls ibv_modify_qp which in turn fills out a cmd object and
   "calls" ib_uverbs.ib_uverbs_modify_qp.
2. ib_uverbs_modify_qp copies the cmd from userspace and calls modify_qp.
3. modify_qp, among some other stuff, verifies port validity (which proves your
   point) and calls driver's modify_qp hook (in our case rxe_modify_qp).

Is the above correct?

What I do not understand is the check that is done in step #2 since port_num
is not set when moving from state INIT to state RTR.
RXE on the other hand validates port_num only when needed (mask & IB_QP_AV).
Looks like the check in step #2 is wrong.
What am I missing here?

Yuval

>
> Thanks
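
The mask-gated validation the message asks about, as an added example that is not part of the original e-mail and is not kernel or rxe code: a simplified C model in which a user-supplied port field is range-checked only when its mask bit marks it as set. The struct, mask bits and function names are hypothetical, and ports are assumed to be numbered from 1.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical mask bits and struct: a simplified model, not kernel definitions. */
#define ATTR_STATE (1u << 0)   /* attr.state is filled in */
#define ATTR_PORT  (1u << 1)   /* attr.port_num is filled in */
#define ATTR_AV    (1u << 2)   /* attr.av_port_num is filled in */

struct qp_attr {
    int     state;
    uint8_t port_num;      /* meaningful only if ATTR_PORT is set */
    uint8_t av_port_num;   /* meaningful only if ATTR_AV is set */
};

/* Assumption: valid ports are 1..nports. */
static bool port_valid(uint8_t port, uint8_t nports)
{
    return port >= 1 && port <= nports;
}

/* Checks every port field regardless of which fields the caller set. */
static int check_unconditional(const struct qp_attr *a, uint32_t mask, uint8_t nports)
{
    (void)mask; /* deliberately ignored in this variant */
    return (port_valid(a->port_num, nports) && port_valid(a->av_port_num, nports)) ? 0 : -1;
}

/* Checks a port field only when the caller declared it as set. */
static int check_masked(const struct qp_attr *a, uint32_t mask, uint8_t nports)
{
    if ((mask & ATTR_PORT) && !port_valid(a->port_num, nports))
        return -1;
    if ((mask & ATTR_AV) && !port_valid(a->av_port_num, nports))
        return -1;
    return 0;
}

/* Constructed request: state change carrying an address vector, port_num left unset. */
static const struct qp_attr rtr_req = { .state = 2, .port_num = 0, .av_port_num = 1 };
/* Constructed request: address vector naming a port beyond the device's range. */
static const struct qp_attr bad_av_req = { .state = 2, .port_num = 0, .av_port_num = 9 };

int main(void)
{
    uint32_t m = ATTR_STATE | ATTR_AV;
    return (check_masked(&rtr_req, m, 2) == 0 && check_unconditional(&rtr_req, m, 2) < 0
            && check_masked(&bad_av_req, m, 2) < 0) ? 0 : 1;
}
```

On a two-port device the unconditional variant rejects the first request because of the unset port_num, while the masked variant accepts it and still rejects the out-of-range address-vector port.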