On Tue, Apr 03, 2018 at 03:05:37PM -0600, Jason Gunthorpe wrote: > On Sun, Apr 01, 2018 at 03:08:03PM +0300, Leon Romanovsky wrote: > > > +static int UVERBS_HANDLER(UVERBS_METHOD_DM_MR_REG)(struct ib_device *ib_dev, > > + struct ib_uverbs_file *file, > > + struct uverbs_attr_bundle *attrs) > > +{ > > + struct ib_dm_mr_attr attr = {}; > > + struct ib_uobject *uobj; > > + struct ib_dm *dm; > > + struct ib_pd *pd; > > + struct ib_mr *mr; > > + int ret; > > + > > + if (!ib_dev->reg_dm_mr) > > + return -EOPNOTSUPP; > > + > > + ret = uverbs_copy_from(&attr.offset, attrs, UVERBS_ATTR_REG_DM_MR_OFFSET); > > + if (!ret) > > + ret = uverbs_copy_from(&attr.length, attrs, > > + UVERBS_ATTR_REG_DM_MR_LENGTH); > > + if (!ret) > > + ret = uverbs_copy_from(&attr.access_flags, attrs, > > + UVERBS_ATTR_REG_DM_MR_ACCESS_FLAGS); > > + if (ret) > > + return ret; > > Success oriented return, not 'if (!ret)' > > > + if (!(attr.access_flags & IB_ZERO_BASED)) > > + return -EINVAL; > > + > > + ret = ib_check_mr_access(attr.access_flags); > > + if (ret) > > + return ret; > > + > > + pd = uverbs_attr_get_obj(attrs, UVERBS_ATTR_REG_DM_MR_PD_HANDLE); > > + > > + dm = uverbs_attr_get_obj(attrs, UVERBS_ATTR_REG_DM_MR_DM_HANDLE); > > + > > + uobj = uverbs_attr_get(attrs, UVERBS_ATTR_REG_DM_MR_HANDLE)->obj_attr.uobject; > > The core code needs to validate attr->offset and attr->length, > specifically to avoid addition overflow, so something like this: > > if (attr.offset > dm->length || attr.length > dm->length || > (attr.offset + attr.length) > dm->length) > return -EINVAL; > > And it should not be checked again in the driver. You are right, sorry that I missed that. > > Jason
Attachment:
signature.asc
Description: PGP signature