IB/{core, mlx5}: Fix input len in vendor part of create_qp/srq

author Majd Dibbiny <majd@mellanox.com>

Sun, 14 Feb 2016 16:35:52 +0000 (18:35 +0200)

committer Doug Ledford <dledford@redhat.com>

Thu, 3 Mar 2016 15:00:18 +0000 (10:00 -0500)
author Majd Dibbiny <majd@mellanox.com>
Sun, 14 Feb 2016 16:35:52 +0000 (18:35 +0200)
committer Doug Ledford <dledford@redhat.com>
Thu, 3 Mar 2016 15:00:18 +0000 (10:00 -0500)
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c

index 6ffc9c4e93afb4efa27fe6f3c17fc3cdf41d8c21..6c6fbff19752ecbcf2d4822965ff6bb09d7ee656 100644 (file)
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1970,7 +1970,8 @@ ssize_t ib_uverbs_create_qp(struct ib_uverbs_file *file,
                    resp_size);
         INIT_UDATA(&uhw, buf + sizeof(cmd),
                    (unsigned long)cmd.response + resp_size,
-                  in_len - sizeof(cmd), out_len - resp_size);
+                  in_len - sizeof(cmd) - sizeof(struct ib_uverbs_cmd_hdr),
+                  out_len - resp_size);
  
         memset(&cmd_ex, 0, sizeof(cmd_ex));
         cmd_ex.user_handle = cmd.user_handle;
@@ -3413,7 +3414,8 @@ ssize_t ib_uverbs_create_srq(struct ib_uverbs_file *file,
  
         INIT_UDATA(&udata, buf + sizeof cmd,
                    (unsigned long) cmd.response + sizeof resp,
-                  in_len - sizeof cmd, out_len - sizeof resp);
+                  in_len - sizeof cmd - sizeof(struct ib_uverbs_cmd_hdr),
+                  out_len - sizeof resp);
  
         ret = __uverbs_create_xsrq(file, ib_dev, &xcmd, &udata);
         if (ret)
@@ -3439,7 +3441,8 @@ ssize_t ib_uverbs_create_xsrq(struct ib_uverbs_file *file,
  
         INIT_UDATA(&udata, buf + sizeof cmd,
                    (unsigned long) cmd.response + sizeof resp,
-                  in_len - sizeof cmd, out_len - sizeof resp);
+                  in_len - sizeof cmd - sizeof(struct ib_uverbs_cmd_hdr),
+                  out_len - sizeof resp);
  
         ret = __uverbs_create_xsrq(file, ib_dev, &cmd, &udata);
         if (ret)
diff --git a/drivers/infiniband/hw/mlx5/srq.c b/drivers/infiniband/hw/mlx5/srq.c

index a1b7122c2ad6fca225ed015d43da4e667a88c374..3b2ddd64a371689e1533cb08c23007a4d6016b03 100644 (file)
--- a/drivers/infiniband/hw/mlx5/srq.c
+++ b/drivers/infiniband/hw/mlx5/srq.c
@@ -88,13 +88,8 @@ static int create_srq_user(struct ib_pd *pd, struct mlx5_ib_srq *srq,
         int ncont;
         u32 offset;
         u32 uidx = MLX5_IB_DEFAULT_UIDX;
-       int drv_data = udata->inlen - sizeof(struct ib_uverbs_cmd_hdr);
  
-       if (drv_data < 0)
-               return -EINVAL;
-
-       ucmdlen = (drv_data < sizeof(ucmd)) ?
-                 drv_data : sizeof(ucmd);
+       ucmdlen = min(udata->inlen, sizeof(ucmd));
  
         if (ib_copy_from_udata(&ucmd, udata, ucmdlen)) {
                 mlx5_ib_dbg(dev, "failed copy udata\n");
@@ -104,9 +99,9 @@ static int create_srq_user(struct ib_pd *pd, struct mlx5_ib_srq *srq,
         if (ucmd.reserved0 || ucmd.reserved1)
                 return -EINVAL;
  
-       if (drv_data > sizeof(ucmd) &&
+       if (udata->inlen > sizeof(ucmd) &&
             !ib_is_udata_cleared(udata, sizeof(ucmd),
-                                drv_data - sizeof(ucmd)))
+                                udata->inlen - sizeof(ucmd)))
                 return -EINVAL;
  
         if (is_xrc) {
author	Majd Dibbiny <majd@mellanox.com>
	Sun, 14 Feb 2016 16:35:52 +0000 (18:35 +0200)
committer	Doug Ledford <dledford@redhat.com>
	Thu, 3 Mar 2016 15:00:18 +0000 (10:00 -0500)
drivers/infiniband/core/uverbs_cmd.c		patch \| blob \| history
drivers/infiniband/hw/mlx5/srq.c		patch \| blob \| history