RDMA/core: Validate the passed in fops for ib_get_ucaps()

Sashiko pointed out it is not safe to rely only on the devt because
char/block alias so if the user finds a block device with the same dev_t
it can masquerade as a ucap cdev fd.

Test the f_ops to only accept authentic cdevs.

Link: https://patch.msgid.link/r/0-v1-fd9482545e37+1e25-ib_ucaps_fd_ops_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: 61e51682816d ("RDMA/uverbs: Introduce UCAP (User CAPabilities) API")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/infiniband/core/ucaps.c b/drivers/infiniband/core/ucaps.c
index 948093260dbda1869079a7fb0056c749235f7d71..5155ff0e538e1829046bee71a53eab970a674970 100644 (file)
--- a/drivers/infiniband/core/ucaps.c
+++ b/drivers/infiniband/core/ucaps.c
@@ -82,14 +82,12 @@ static int get_ucap_from_devt(dev_t devt, u64 *idx_mask)
 
 static int get_devt_from_fd(unsigned int fd, dev_t *ret_dev)
 {
-       struct file *file;
+       CLASS(fd, f)(fd);
 
-       file = fget(fd);
-       if (!file)
+       if (fd_empty(f) || fd_file(f)->f_op != &ucaps_cdev_fops)
                return -EBADF;
 
-       *ret_dev = file_inode(file)->i_rdev;
-       fput(file);
+       *ret_dev = file_inode(fd_file(f))->i_rdev;
        return 0;
 }