On Tue, Apr 03, 2018 at 03:05:37PM -0600, Jason Gunthorpe wrote:
> On Sun, Apr 01, 2018 at 03:08:03PM +0300, Leon Romanovsky wrote:
>
> > +static int UVERBS_HANDLER(UVERBS_METHOD_DM_MR_REG)(struct ib_device *ib_dev,
> > + struct ib_uverbs_file *file,
> > + struct uverbs_attr_bundle *attrs)
> > +{
> > + struct ib_dm_mr_attr attr = {};
> > + struct ib_uobject *uobj;
> > + struct ib_dm *dm;
> > + struct ib_pd *pd;
> > + struct ib_mr *mr;
> > + int ret;
> > +
> > + if (!ib_dev->reg_dm_mr)
> > + return -EOPNOTSUPP;
> > +
> > + ret = uverbs_copy_from(&attr.offset, attrs, UVERBS_ATTR_REG_DM_MR_OFFSET);
> > + if (!ret)
> > + ret = uverbs_copy_from(&attr.length, attrs,
> > + UVERBS_ATTR_REG_DM_MR_LENGTH);
> > + if (!ret)
> > + ret = uverbs_copy_from(&attr.access_flags, attrs,
> > + UVERBS_ATTR_REG_DM_MR_ACCESS_FLAGS);
> > + if (ret)
> > + return ret;
>
> Success oriented return, not 'if (!ret)'
>
> > + if (!(attr.access_flags & IB_ZERO_BASED))
> > + return -EINVAL;
> > +
> > + ret = ib_check_mr_access(attr.access_flags);
> > + if (ret)
> > + return ret;
> > +
> > + pd = uverbs_attr_get_obj(attrs, UVERBS_ATTR_REG_DM_MR_PD_HANDLE);
> > +
> > + dm = uverbs_attr_get_obj(attrs, UVERBS_ATTR_REG_DM_MR_DM_HANDLE);
> > +
> > + uobj = uverbs_attr_get(attrs, UVERBS_ATTR_REG_DM_MR_HANDLE)->obj_attr.uobject;
>
> The core code needs to validate attr->offset and attr->length,
> specifically to avoid addition overflow, so something like this:
>
> if (attr.offset > dm->length || attr.length > dm->length ||
> (attr.offset + attr.length) > dm->length)
> return -EINVAL;
>
> And it should not be checked again in the driver.
You are right, sorry that I missed that.
>
> Jason
Attachment:
signature.asc
Description: PGP signature
