port_num is untrusted data from the user, so it should be checked after calling fill_sgid_attr, which validates it.

Fixes: 8d9ec9addd6c ("IB/core: Add a sgid_attr pointer to struct rdma_ah_attr")
Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxxxx>
---
 drivers/infiniband/core/verbs.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
index e55f6652dd24b9..dff61354e5cee6 100644
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -1580,14 +1580,6 @@ static int _ib_modify_qp(struct ib_qp *qp, struct ib_qp_attr *attr,
 const struct ib_gid_attr *old_sgid_attr_alt_av;
 int ret;

- /*
- * Today the core code can only handle alternate paths and APM for IB
- * ban them in roce mode.
- */
- if (attr_mask & IB_QP_ALT_PATH &&
- !rdma_protocol_ib(qp->device, attr->alt_ah_attr.port_num))
- return -EINVAL;
-
 if (attr_mask & IB_QP_AV) {
 if (port != attr->ah_attr.port_num)
 return -EINVAL;
@@ -1609,6 +1601,17 @@ static int _ib_modify_qp(struct ib_qp *qp, struct ib_qp_attr *attr,
 &old_sgid_attr_alt_av);
 if (ret)
 goto out_av;
+
+ /*
+ * Today the core code can only handle alternate paths and APM
+ * for IB. Ban them in roce mode.
+ */
+ if (!(rdma_protocol_ib(qp->device,
+ attr->alt_ah_attr.port_num) &&
+ rdma_protocol_ib(qp->device, port))) {
+ ret = EINVAL;
+ goto out;
+ }
 }

 /*
--
2.17.1
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
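Review bot: The new rejection path in the second hunk sets `ret = EINVAL;`, a positive value, whereas the `IB_QP_AV` check shown as context in the first hunk returns `-EINVAL`; this should be `ret = -EINVAL;`. With the positive value, a caller that tests `ret < 0` would treat a rejected alternate path on a non-IB port as success, and a caller that passes `ret` through would return a non-errno value (callers are outside the diff, so this is inferred). The `out` label is also outside the hunk, so it is worth confirming that it releases the alternate-path sgid attr filled just above before falling through to `out_av`. The second `rdma_protocol_ib(qp->device, port)` call relies on `port` having been validated earlier in `_ib_modify_qp`, whose body starts and ends outside the diff.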