RDMA/core: Sanitize WQ state received from the userspace

[ Upstream commit f97442887275d11c88c2899e720fe945c1f61488 ]

The mlx4 and mlx5 implemented differently the WQ input checks.  Instead of
duplicating mlx4 logic in the mlx5, let's prepare the input in the central
place.

The mlx5 implementation didn't check for validity of state input.  It is
not real bug because our FW checked that, but still worth to fix.

Fixes: f213c0527210 ("IB/uverbs: Add WQ support")
Link: https://lore.kernel.org/r/ac41ad6a81b095b1a8ad453dcf62cf8d3c5da779.1621413310.git.leonro@nvidia.com
Reported-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index ab55f8b3190eb7ef326141abf6e5fb05871f9976..92ae454d500a60be15c391097369eea867fead4b 100644 (file)
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -3033,12 +3033,29 @@ static int ib_uverbs_ex_modify_wq(struct uverbs_attr_bundle *attrs)
        if (!wq)
                return -EINVAL;
 
-       wq_attr.curr_wq_state = cmd.curr_wq_state;
-       wq_attr.wq_state = cmd.wq_state;
        if (cmd.attr_mask & IB_WQ_FLAGS) {
                wq_attr.flags = cmd.flags;
                wq_attr.flags_mask = cmd.flags_mask;
        }
+
+       if (cmd.attr_mask & IB_WQ_CUR_STATE) {
+               if (cmd.curr_wq_state > IB_WQS_ERR)
+                       return -EINVAL;
+
+               wq_attr.curr_wq_state = cmd.curr_wq_state;
+       } else {
+               wq_attr.curr_wq_state = wq->state;
+       }
+
+       if (cmd.attr_mask & IB_WQ_STATE) {
+               if (cmd.wq_state > IB_WQS_ERR)
+                       return -EINVAL;
+
+               wq_attr.wq_state = cmd.wq_state;
+       } else {
+               wq_attr.wq_state = wq_attr.curr_wq_state;
+       }
+
        ret = wq->device->ops.modify_wq(wq, &wq_attr, cmd.attr_mask,
                                        &attrs->driver_udata);
        rdma_lookup_put_uobject(&wq->uobject->uevent.uobject,

diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 651785bd57f2de0c1913fd7924eb36b896cbb378..18a47248e44418e8c3a3652bd56ad829d0345844 100644 (file)
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -4254,13 +4254,8 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr,
        if (wq_attr_mask & IB_WQ_FLAGS)
                return -EOPNOTSUPP;
 
-       cur_state = wq_attr_mask & IB_WQ_CUR_STATE ? wq_attr->curr_wq_state :
-                                                    ibwq->state;
-       new_state = wq_attr_mask & IB_WQ_STATE ? wq_attr->wq_state : cur_state;
-
-       if (cur_state  < IB_WQS_RESET || cur_state  > IB_WQS_ERR ||
-           new_state < IB_WQS_RESET || new_state > IB_WQS_ERR)
-               return -EINVAL;
+       cur_state = wq_attr->curr_wq_state;
+       new_state = wq_attr->wq_state;
 
        if ((new_state == IB_WQS_RDY) && (cur_state == IB_WQS_ERR))
                return -EINVAL;

diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index 843f9e7fe96ff57061149e7ef7f0baae9165d259..bcaaf238b364d6353c240464a9f9630fc01be68d 100644 (file)
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -5309,10 +5309,8 @@ int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr,
 
        rqc = MLX5_ADDR_OF(modify_rq_in, in, ctx);
 
-       curr_wq_state = (wq_attr_mask & IB_WQ_CUR_STATE) ?
-               wq_attr->curr_wq_state : wq->state;
-       wq_state = (wq_attr_mask & IB_WQ_STATE) ?
-               wq_attr->wq_state : curr_wq_state;
+       curr_wq_state = wq_attr->curr_wq_state;
+       wq_state = wq_attr->wq_state;
        if (curr_wq_state == IB_WQS_ERR)
                curr_wq_state = MLX5_RQC_STATE_ERR;
        if (wq_state == IB_WQS_ERR)