[PATCH rdma-rc] IB/uverbs: Don't use the address vector's port number during modify_qp

Leon Romanovsky <leon@xxxxxxxxxx> · Tue, 19 Jun 2018 08:28:33 +0300

From: Guy Levi <guyle@xxxxxxxxxxxx>

During uverbs' modify_qp, the port type is inferred using the port
number in ib_uverbs_qp_dest struct (address vector). This port number is
used to access that port's type info in the port_immutable array.

According to IB spec (version 1.3) port number is not mentioned as a
part of the AV which is used in modify QP. Using the port number field
from the AV therefore leads to accesses to non-allocated memory when
inferring the port type.

Instead, the port number from ib_qp->real_qp should be used to infer the
port type.

The commit cited below overlooked this portion of the fix.

Cc: <stable@xxxxxxxxxxxxxxx> # 4.13
Fixes: 498ca3c82a7b ("IB/core: Avoid accessing non-allocated memory when inferring port type")
Signed-off-by: Guy Levi <guyle@xxxxxxxxxxxx>
Reviewed-by: Jack Morgenstein <jackm@xxxxxxxxxxxx>
Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
---
 drivers/infiniband/core/uverbs_cmd.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 3e90b6a1d9d2..afda13f8211d 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1938,11 +1938,11 @@ static int modify_qp_mask(enum ib_qp_type qp_type, int mask)
 	}
 }
 
-static void copy_ah_attr_from_uverbs(struct ib_device *dev,
+static void copy_ah_attr_from_uverbs(struct ib_qp *qp,
 				     struct rdma_ah_attr *rdma_attr,
 				     struct ib_uverbs_qp_dest *uverb_attr)
 {
-	rdma_attr->type = rdma_ah_find_type(dev, uverb_attr->port_num);
+	rdma_attr->type = rdma_ah_find_type(qp->device, qp->real_qp->port);
 	if (uverb_attr->is_global) {
 		rdma_ah_set_grh(rdma_attr, NULL,
 				uverb_attr->flow_label,
@@ -2028,11 +2028,10 @@ static int modify_qp(struct ib_uverbs_file *file,
 	attr->rate_limit	  = cmd->rate_limit;
 
 	if (cmd->base.attr_mask & IB_QP_AV)
-		copy_ah_attr_from_uverbs(qp->device, &attr->ah_attr,
-					 &cmd->base.dest);
+		copy_ah_attr_from_uverbs(qp, &attr->ah_attr, &cmd->base.dest);
 
 	if (cmd->base.attr_mask & IB_QP_ALT_PATH)
-		copy_ah_attr_from_uverbs(qp->device, &attr->alt_ah_attr,
+		copy_ah_attr_from_uverbs(qp, &attr->alt_ah_attr,
 					 &cmd->base.alt_dest);
 
 	ret = ib_modify_qp_with_udata(qp, attr,
-- 
2.14.4

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






