The port number is only valid if IB_QP_PORT is set in the mask. So only check port number if it is valid to prevent modify_qp from failing due to an invalid port number. Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds") Cc: <stable@xxxxxxxxxxxxxxx> # v4.2-v4.9 Cc: <security@xxxxxxxxxx> Cc: Doug Ledford <dledford@xxxxxxxxxx> Cc: Steve Wise <swise@xxxxxxxxxxxxxxxxxxxxx> Cc: Mike Marciniszyn <mike.marciniszyn@xxxxxxxxx> Signed-off-by: Mustafa Ismail <mustafa.ismail@xxxxxxxxx> Upstream commit 5a7a88f1b488("Fix the check for port number") Modified from upstream commit: helper function rdma_is_port_valid does not exist in these kernel versions. --- drivers/infiniband/core/uverbs_cmd.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index 01e3a37..d118ffe 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -2342,8 +2342,9 @@ ssize_t ib_uverbs_modify_qp(struct ib_uverbs_file *file, if (copy_from_user(&cmd, buf, sizeof cmd)) return -EFAULT; - if (cmd.port_num < rdma_start_port(ib_dev) || - cmd.port_num > rdma_end_port(ib_dev)) + if ((cmd.attr_mask & IB_QP_PORT) && + (cmd.port_num < rdma_start_port(ib_dev) || + cmd.port_num > rdma_end_port(ib_dev))) return -EINVAL; INIT_UDATA(&udata, buf + sizeof cmd, NULL, in_len - sizeof cmd, -- 1.8.3.1