[14/20] Addresses an issue with hardened user copy

Message ID	20200815045912.8626-15-rpearson@hpe.com (mailing list archive)
State	Changes Requested
Delegated to:	Jason Gunthorpe
Headers	show Return-Path: <SRS0=W1Yx=BZ=vger.kernel.org=linux-rdma-owner@kernel.org> From: Bob Pearson <rpearsonhpe@gmail.com> To: linux-rdma@vger.kernel.org Cc: Bob Pearson <rpearson@hpe.com> Subject: [PATCH 14/20] Addresses an issue with hardened user copy Date: Fri, 14 Aug 2020 23:58:38 -0500 Message-Id: <20200815045912.8626-15-rpearson@hpe.com> In-Reply-To: <20200815045912.8626-1-rpearson@hpe.com> References: <20200815045912.8626-1-rpearson@hpe.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk
Series	[01/20] Added ib_uverbs_wc_opcode to ib_user_verbs.h \| expand [01/20] Added ib_uverbs_wc_opcode to ib_user_verbs.h [02/20] Added missing IB_WR_BIND_MW opcode [03/20] Added bind_mw parameters to rxe_send_wr. [04/20] Added stubs for alloc_mw and dealloc_mw verbs. [05/20] Separated MR and MW objects. [06/20] Added a basic rxe_mw struct [07/20] Implemented functional alloc_mw and dealloc_mw APIs [08/20] Added a stubbed bind_mw API. [09/20] Fixed error logic in rxe_req.c [10/20] Extended pools to support both keys and indices [11/20] Gave MRs and MWs both keys and indices [12/20] Cleanup after git pull [13/20] add debug print statements [14/20] Addresses an issue with hardened user copy [15/20] Fixed a dumb bug [16/20] Implemented stubbed invalidate APIs [17/20] Implemented functional invalidate APIs [18/20] cleanup [19/20] fixed white space issues [20/20] fixed checkpatch issues for all files in rxe

Message ID

20200815045912.8626-15-rpearson@hpe.com (mailing list archive)

State

Changes Requested

Delegated to:

Jason Gunthorpe

Headers

From: Bob Pearson <rpearsonhpe@gmail.com>
To: linux-rdma@vger.kernel.org
Cc: Bob Pearson <rpearson@hpe.com>
Subject: [PATCH 14/20] Addresses an issue with hardened user copy
Date: Fri, 14 Aug 2020 23:58:38 -0500
Message-Id: <20200815045912.8626-15-rpearson@hpe.com>
In-Reply-To: <20200815045912.8626-1-rpearson@hpe.com>
References: <20200815045912.8626-1-rpearson@hpe.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk

Series

[01/20] Added ib_uverbs_wc_opcode to ib_user_verbs.h | expand

Commit Message

Bob Pearson Aug. 15, 2020, 4:58 a.m. UTC

Copying to user space from the stack instead of slab cache cured
a kernel oops that was toubling me.A

Signed-off-by: Bob Pearson <rpearson@hpe.com>
---
 drivers/infiniband/core/uverbs_std_types_qp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/uverbs_std_types_qp.c b/drivers/infiniband/core/uverbs_std_types_qp.c
index 3bf8dcdfe7eb..2f8b14003b95 100644
--- a/drivers/infiniband/core/uverbs_std_types_qp.c
+++ b/drivers/infiniband/core/uverbs_std_types_qp.c
@@ -98,6 +98,7 @@  static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)(
 	struct ib_device *device;
 	u64 user_handle;
 	int ret;
+	int qp_num;
 
 	ret = uverbs_copy_from_or_zero(&cap, attrs,
 			       UVERBS_ATTR_CREATE_QP_CAP);
@@ -293,9 +294,10 @@  static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)(
 	if (ret)
 		return ret;
 
+	/* copy from stack to avoid whitelisting issues */
+	qp_num = qp->qp_num;
 	ret = uverbs_copy_to(attrs, UVERBS_ATTR_CREATE_QP_RESP_QP_NUM,
-			     &qp->qp_num,
-			     sizeof(qp->qp_num));
+			     &qp_num, sizeof(qp_num));
 
 	return ret;
 err_put:

[14/20] Addresses an issue with hardened user copy

Commit Message

Patch