On Sun, Apr 01, 2018 at 03:08:03PM +0300, Leon Romanovsky wrote:
> +static int UVERBS_HANDLER(UVERBS_METHOD_DM_MR_REG)(struct ib_device *ib_dev,
> + struct ib_uverbs_file *file,
> + struct uverbs_attr_bundle *attrs)
> +{
> + struct ib_dm_mr_attr attr = {};
> + struct ib_uobject *uobj;
> + struct ib_dm *dm;
> + struct ib_pd *pd;
> + struct ib_mr *mr;
> + int ret;
> +
> + if (!ib_dev->reg_dm_mr)
> + return -EOPNOTSUPP;
> +
> + ret = uverbs_copy_from(&attr.offset, attrs, UVERBS_ATTR_REG_DM_MR_OFFSET);
> + if (!ret)
> + ret = uverbs_copy_from(&attr.length, attrs,
> + UVERBS_ATTR_REG_DM_MR_LENGTH);
> + if (!ret)
> + ret = uverbs_copy_from(&attr.access_flags, attrs,
> + UVERBS_ATTR_REG_DM_MR_ACCESS_FLAGS);
> + if (ret)
> + return ret;

Success oriented return, not 'if (!ret)'

> + if (!(attr.access_flags & IB_ZERO_BASED))
> + return -EINVAL;
> +
> + ret = ib_check_mr_access(attr.access_flags);
> + if (ret)
> + return ret;
> +
> + pd = uverbs_attr_get_obj(attrs, UVERBS_ATTR_REG_DM_MR_PD_HANDLE);
> +
> + dm = uverbs_attr_get_obj(attrs, UVERBS_ATTR_REG_DM_MR_DM_HANDLE);
> +
> + uobj = uverbs_attr_get(attrs, UVERBS_ATTR_REG_DM_MR_HANDLE)->obj_attr.uobject;

The core code needs to validate attr->offset and attr->length, specifically to avoid addition overflow, so something like this:

if (attr.offset > dm->length || attr.length > dm->length || (attr.offset + attr.length) > dm->length) return -EINVAL;

And it should not be checked again in the driver.

Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
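Review bot: The `pd` and `dm` results of uverbs_attr_get_obj() and the `uverbs_attr_get(...)->obj_attr.uobject` dereference at the end of the quoted hunk are used without any error check, and the hunk gives no indication whether the three handle attributes are declared mandatory in the method spec, which is what would make those lookups infallible. If they are mandatory, a one-line comment above the `pd =` line makes that invariant visible to the next reader, e.g. `/* PD, DM and MR handle attrs are mandatory, so these lookups cannot fail */`; if they are not, the user-controlled attribute bundle can drive an ERR_PTR dereference here and each lookup needs an `IS_ERR()` check before use. Separately, nothing in the hunk rejects `attr.length == 0`; if a zero-length device-memory region is not meaningful for this MR type, rejecting it next to the IB_ZERO_BASED check keeps the driver from being handed an empty range. The function's body continues past the end of the quoted hunk.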