review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Wenpeng Liang <liangwenpeng@huawei.com>
	Fri, 11 Dec 2020 01:37:27 +0000 (09:37 +0800)
committer	Jason Gunthorpe <jgg@nvidia.com>
	Fri, 11 Dec 2020 19:21:33 +0000 (15:21 -0400)
commit	1c0ca9cd1741687f529498ddb899805fc2c51caa
tree	56e09de77be176567297cd61b651c479c53cf431	tree \| snapshot
parent	6f320f6990ee2dd13df89707f1a219ecfe2960ad	commit \| diff

RDMA/hns: Limit the length of data copied between kernel and userspace

For ib_copy_from_user(), the length of udata may not be the same as that
of cmd. For ib_copy_to_user(), the length of udata may not be the same as
that of resp. So limit the length to prevent out-of-bounds read and write
operations from ib_copy_from_user() and ib_copy_to_user().

Fixes: de77503a5940 ("RDMA/hns: RDMA/hns: Assign rq head pointer when enable rq record db")
Fixes: 633fb4d9fdaa ("RDMA/hns: Use structs to describe the uABI instead of opencoding")
Fixes: ae85bf92effc ("RDMA/hns: Optimize qp param setup flow")
Fixes: 6fd610c5733d ("RDMA/hns: Support 0 hop addressing for SRQ buffer")
Fixes: 9d9d4ff78884 ("RDMA/hns: Update the kernel header file of hns")
Link: https://lore.kernel.org/r/1607650657-35992-2-git-send-email-liweihang@huawei.com
Signed-off-by: Wenpeng Liang <liangwenpeng@huawei.com>
Signed-off-by: Weihang Li <liweihang@huawei.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

drivers/infiniband/hw/hns/hns_roce_cq.c		diff \| blob \| history
drivers/infiniband/hw/hns/hns_roce_main.c		diff \| blob \| history
drivers/infiniband/hw/hns/hns_roce_pd.c		diff \| blob \| history
drivers/infiniband/hw/hns/hns_roce_qp.c		diff \| blob \| history
drivers/infiniband/hw/hns/hns_roce_srq.c		diff \| blob \| history