RDMA/core: Sanitize WQ state received from the userspace

The mlx4 and mlx5 implemented differently the WQ input checks.  Instead of
duplicating mlx4 logic in the mlx5, let's prepare the input in the central
place.

The mlx5 implementation didn't check for validity of state input.  It is
not real bug because our FW checked that, but still worth to fix.

Fixes: f213c0527210 ("IB/uverbs: Add WQ support")
Link: https://lore.kernel.org/r/ac41ad6a81b095b1a8ad453dcf62cf8d3c5da779.1621413310.git.leonro@nvidia.com
Reported-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index d5e15a8c870d1240dddd17253c40d3fcf24814c1..74ab018a306e408f83b40f34a62f583a478b31e1 100644 (file)
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -3034,12 +3034,29 @@ static int ib_uverbs_ex_modify_wq(struct uverbs_attr_bundle *attrs)
        if (!wq)
                return -EINVAL;
 
-       wq_attr.curr_wq_state = cmd.curr_wq_state;
-       wq_attr.wq_state = cmd.wq_state;
        if (cmd.attr_mask & IB_WQ_FLAGS) {
                wq_attr.flags = cmd.flags;
                wq_attr.flags_mask = cmd.flags_mask;
        }
+
+       if (cmd.attr_mask & IB_WQ_CUR_STATE) {
+               if (cmd.curr_wq_state > IB_WQS_ERR)
+                       return -EINVAL;
+
+               wq_attr.curr_wq_state = cmd.curr_wq_state;
+       } else {
+               wq_attr.curr_wq_state = wq->state;
+       }
+
+       if (cmd.attr_mask & IB_WQ_STATE) {
+               if (cmd.wq_state > IB_WQS_ERR)
+                       return -EINVAL;
+
+               wq_attr.wq_state = cmd.wq_state;
+       } else {
+               wq_attr.wq_state = wq_attr.curr_wq_state;
+       }
+
        ret = wq->device->ops.modify_wq(wq, &wq_attr, cmd.attr_mask,
                                        &attrs->driver_udata);
        rdma_lookup_put_uobject(&wq->uobject->uevent.uobject,

diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 92ddbcc00eb2a51672cf7dd7287e626a5296db6d..2ae22bf50016ab8504d4ac9044c631a0aa51c30e 100644 (file)
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -4251,13 +4251,8 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr,
        if (wq_attr_mask & IB_WQ_FLAGS)
                return -EOPNOTSUPP;
 
-       cur_state = wq_attr_mask & IB_WQ_CUR_STATE ? wq_attr->curr_wq_state :
-                                                    ibwq->state;
-       new_state = wq_attr_mask & IB_WQ_STATE ? wq_attr->wq_state : cur_state;
-
-       if (cur_state  < IB_WQS_RESET || cur_state  > IB_WQS_ERR ||
-           new_state < IB_WQS_RESET || new_state > IB_WQS_ERR)
-               return -EINVAL;
+       cur_state = wq_attr->curr_wq_state;
+       new_state = wq_attr->wq_state;
 
        if ((new_state == IB_WQS_RDY) && (cur_state == IB_WQS_ERR))
                return -EINVAL;

diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index 08491bdf62c7ad43effbb6ad57dc560dc8bc5084..8dd953af323ea50b4b00809a99d5bc8b606dd3a9 100644 (file)
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -5318,10 +5318,8 @@ int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr,
 
        rqc = MLX5_ADDR_OF(modify_rq_in, in, ctx);
 
-       curr_wq_state = (wq_attr_mask & IB_WQ_CUR_STATE) ?
-               wq_attr->curr_wq_state : wq->state;
-       wq_state = (wq_attr_mask & IB_WQ_STATE) ?
-               wq_attr->wq_state : curr_wq_state;
+       curr_wq_state = wq_attr->curr_wq_state;
+       wq_state = wq_attr->wq_state;
        if (curr_wq_state == IB_WQS_ERR)
                curr_wq_state = MLX5_RQC_STATE_ERR;
        if (wq_state == IB_WQS_ERR)