IB/mlx4: Sanity check userspace send queue sizes

Tue, 23 Oct 2007 10:07:05 -0700 

Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=839041329fd3410e07d614f81e75bb43367d8f89
Commit:     839041329fd3410e07d614f81e75bb43367d8f89
Parent:     fd312561adcc90e924f35d3032d5493aeb4c3017
Author:     Jack Morgenstein <[EMAIL PROTECTED]>
AuthorDate: Thu Oct 18 17:36:43 2007 +0200
Committer:  Roland Dreier <[EMAIL PROTECTED]>
CommitDate: Thu Oct 18 09:27:26 2007 -0700

    IB/mlx4: Sanity check userspace send queue sizes
    
    Add sanity checks to send queue sizes passed in from userspace. The
    minimum sq stride value below is taken from the MT25408 PRM (section
    11.10, Table 306, log_sq_stride definition).
    
    Without this check, userspace can submit arbitrarily large/small
    values for the number of WQEs and the stride, which can crash the
    kernel.
    
    Signed-off-by: Jack Morgenstein <[EMAIL PROTECTED]>
    Signed-off-by: Roland Dreier <[EMAIL PROTECTED]>
---
 drivers/infiniband/hw/mlx4/qp.c |   16 ++++++++++++++--
 1 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 31a480e..6b33224 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -63,6 +63,10 @@ struct mlx4_ib_sqp {
        u8                      header_buf[MLX4_IB_UD_HEADER_SIZE];
 };
 
+enum {
+       MLX4_IB_MIN_SQ_STRIDE = 6
+};
+
 static const __be32 mlx4_ib_opcode[] = {
        [IB_WR_SEND]                    = 
__constant_cpu_to_be32(MLX4_OPCODE_SEND),
        [IB_WR_SEND_WITH_IMM]           = 
__constant_cpu_to_be32(MLX4_OPCODE_SEND_IMM),
@@ -285,9 +289,17 @@ static int set_kernel_sq_size(struct mlx4_ib_dev *dev, 
struct ib_qp_cap *cap,
        return 0;
 }
 
-static int set_user_sq_size(struct mlx4_ib_qp *qp,
+static int set_user_sq_size(struct mlx4_ib_dev *dev,
+                           struct mlx4_ib_qp *qp,
                            struct mlx4_ib_create_qp *ucmd)
 {
+       /* Sanity check SQ size before proceeding */
+       if ((1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes       ||
+           ucmd->log_sq_stride >
+               ilog2(roundup_pow_of_two(dev->dev->caps.max_sq_desc_sz)) ||
+           ucmd->log_sq_stride < MLX4_IB_MIN_SQ_STRIDE)
+               return -EINVAL;
+
        qp->sq.wqe_cnt   = 1 << ucmd->log_sq_bb_count;
        qp->sq.wqe_shift = ucmd->log_sq_stride;
 
@@ -330,7 +342,7 @@ static int create_qp_common(struct mlx4_ib_dev *dev, struct 
ib_pd *pd,
 
                qp->sq_no_prefetch = ucmd.sq_no_prefetch;
 
-               err = set_user_sq_size(qp, &ucmd);
+               err = set_user_sq_size(dev, qp, &ucmd);
                if (err)
                        goto err;
 
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to