From: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
To: Haggai Eran <haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Roland Dreier <roland-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Liran Liss <liranl-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Or Gerlitz <ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Sagi Grimberg <sagig-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Majd Dibbiny <majd-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Jerome Glisse <j.glisse-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Eli Cohen <eli-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org>,
Eli Cohen <eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: Re: [PATCH v3 06/17] IB/core: Add support for extended query device caps
Date: Tue, 16 Dec 2014 13:33:56 +0100 [thread overview]
Message-ID: <1418733236.2779.26.camel@opteya.com> (raw)
In-Reply-To: <1418310266-9584-7-git-send-email-haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Le jeudi 11 décembre 2014 à 17:04 +0200, Haggai Eran a écrit :
> From: Eli Cohen <eli-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org>
>
> Add extensible query device capabilities verb to allow adding new features.
> ib_uverbs_ex_query_device is added and copy_query_dev_fields is used to copy
> capability fields to be used by both ib_uverbs_query_device and
> ib_uverbs_ex_query_device.
>
> Signed-off-by: Eli Cohen <eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
> Signed-off-by: Haggai Eran <haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
> ---
> drivers/infiniband/core/uverbs.h | 1 +
> drivers/infiniband/core/uverbs_cmd.c | 124 +++++++++++++++++++++++-----------
> drivers/infiniband/core/uverbs_main.c | 3 +-
> include/rdma/ib_verbs.h | 5 +-
> include/uapi/rdma/ib_user_verbs.h | 14 +++-
> 5 files changed, 103 insertions(+), 44 deletions(-)
>
> diff --git a/drivers/infiniband/core/uverbs.h b/drivers/infiniband/core/uverbs.h
> index 643c08a025a5..b716b0815644 100644
> --- a/drivers/infiniband/core/uverbs.h
> +++ b/drivers/infiniband/core/uverbs.h
> @@ -258,5 +258,6 @@ IB_UVERBS_DECLARE_CMD(close_xrcd);
>
> IB_UVERBS_DECLARE_EX_CMD(create_flow);
> IB_UVERBS_DECLARE_EX_CMD(destroy_flow);
> +IB_UVERBS_DECLARE_EX_CMD(query_device);
>
> #endif /* UVERBS_H */
> diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
> index 5ba2a86aab6a..c7a43624c96b 100644
> --- a/drivers/infiniband/core/uverbs_cmd.c
> +++ b/drivers/infiniband/core/uverbs_cmd.c
> @@ -378,6 +378,52 @@ err:
> return ret;
> }
>
> +static void copy_query_dev_fields(struct ib_uverbs_file *file,
> + struct ib_uverbs_query_device_resp *resp,
> + struct ib_device_attr *attr)
> +{
> + resp->fw_ver = attr->fw_ver;
> + resp->node_guid = file->device->ib_dev->node_guid;
> + resp->sys_image_guid = attr->sys_image_guid;
> + resp->max_mr_size = attr->max_mr_size;
> + resp->page_size_cap = attr->page_size_cap;
> + resp->vendor_id = attr->vendor_id;
> + resp->vendor_part_id = attr->vendor_part_id;
> + resp->hw_ver = attr->hw_ver;
> + resp->max_qp = attr->max_qp;
> + resp->max_qp_wr = attr->max_qp_wr;
> + resp->device_cap_flags = attr->device_cap_flags;
> + resp->max_sge = attr->max_sge;
> + resp->max_sge_rd = attr->max_sge_rd;
> + resp->max_cq = attr->max_cq;
> + resp->max_cqe = attr->max_cqe;
> + resp->max_mr = attr->max_mr;
> + resp->max_pd = attr->max_pd;
> + resp->max_qp_rd_atom = attr->max_qp_rd_atom;
> + resp->max_ee_rd_atom = attr->max_ee_rd_atom;
> + resp->max_res_rd_atom = attr->max_res_rd_atom;
> + resp->max_qp_init_rd_atom = attr->max_qp_init_rd_atom;
> + resp->max_ee_init_rd_atom = attr->max_ee_init_rd_atom;
> + resp->atomic_cap = attr->atomic_cap;
> + resp->max_ee = attr->max_ee;
> + resp->max_rdd = attr->max_rdd;
> + resp->max_mw = attr->max_mw;
> + resp->max_raw_ipv6_qp = attr->max_raw_ipv6_qp;
> + resp->max_raw_ethy_qp = attr->max_raw_ethy_qp;
> + resp->max_mcast_grp = attr->max_mcast_grp;
> + resp->max_mcast_qp_attach = attr->max_mcast_qp_attach;
> + resp->max_total_mcast_qp_attach = attr->max_total_mcast_qp_attach;
> + resp->max_ah = attr->max_ah;
> + resp->max_fmr = attr->max_fmr;
> + resp->max_map_per_fmr = attr->max_map_per_fmr;
> + resp->max_srq = attr->max_srq;
> + resp->max_srq_wr = attr->max_srq_wr;
> + resp->max_srq_sge = attr->max_srq_sge;
> + resp->max_pkeys = attr->max_pkeys;
> + resp->local_ca_ack_delay = attr->local_ca_ack_delay;
> + resp->phys_port_cnt = file->device->ib_dev->phys_port_cnt;
> +}
> +
> ssize_t ib_uverbs_query_device(struct ib_uverbs_file *file,
> const char __user *buf,
> int in_len, int out_len)
> @@ -398,47 +444,7 @@ ssize_t ib_uverbs_query_device(struct ib_uverbs_file *file,
> return ret;
>
> memset(&resp, 0, sizeof resp);
> -
> - resp.fw_ver = attr.fw_ver;
> - resp.node_guid = file->device->ib_dev->node_guid;
> - resp.sys_image_guid = attr.sys_image_guid;
> - resp.max_mr_size = attr.max_mr_size;
> - resp.page_size_cap = attr.page_size_cap;
> - resp.vendor_id = attr.vendor_id;
> - resp.vendor_part_id = attr.vendor_part_id;
> - resp.hw_ver = attr.hw_ver;
> - resp.max_qp = attr.max_qp;
> - resp.max_qp_wr = attr.max_qp_wr;
> - resp.device_cap_flags = attr.device_cap_flags;
> - resp.max_sge = attr.max_sge;
> - resp.max_sge_rd = attr.max_sge_rd;
> - resp.max_cq = attr.max_cq;
> - resp.max_cqe = attr.max_cqe;
> - resp.max_mr = attr.max_mr;
> - resp.max_pd = attr.max_pd;
> - resp.max_qp_rd_atom = attr.max_qp_rd_atom;
> - resp.max_ee_rd_atom = attr.max_ee_rd_atom;
> - resp.max_res_rd_atom = attr.max_res_rd_atom;
> - resp.max_qp_init_rd_atom = attr.max_qp_init_rd_atom;
> - resp.max_ee_init_rd_atom = attr.max_ee_init_rd_atom;
> - resp.atomic_cap = attr.atomic_cap;
> - resp.max_ee = attr.max_ee;
> - resp.max_rdd = attr.max_rdd;
> - resp.max_mw = attr.max_mw;
> - resp.max_raw_ipv6_qp = attr.max_raw_ipv6_qp;
> - resp.max_raw_ethy_qp = attr.max_raw_ethy_qp;
> - resp.max_mcast_grp = attr.max_mcast_grp;
> - resp.max_mcast_qp_attach = attr.max_mcast_qp_attach;
> - resp.max_total_mcast_qp_attach = attr.max_total_mcast_qp_attach;
> - resp.max_ah = attr.max_ah;
> - resp.max_fmr = attr.max_fmr;
> - resp.max_map_per_fmr = attr.max_map_per_fmr;
> - resp.max_srq = attr.max_srq;
> - resp.max_srq_wr = attr.max_srq_wr;
> - resp.max_srq_sge = attr.max_srq_sge;
> - resp.max_pkeys = attr.max_pkeys;
> - resp.local_ca_ack_delay = attr.local_ca_ack_delay;
> - resp.phys_port_cnt = file->device->ib_dev->phys_port_cnt;
> + copy_query_dev_fields(file, &resp, &attr);
>
> if (copy_to_user((void __user *) (unsigned long) cmd.response,
> &resp, sizeof resp))
> @@ -3253,3 +3259,39 @@ ssize_t ib_uverbs_destroy_srq(struct ib_uverbs_file *file,
>
> return ret ? ret : in_len;
> }
> +
> +int ib_uverbs_ex_query_device(struct ib_uverbs_file *file,
> + struct ib_udata *ucore,
> + struct ib_udata *uhw)
> +{
> + struct ib_uverbs_ex_query_device_resp resp;
> + struct ib_uverbs_ex_query_device cmd;
> + struct ib_device_attr attr;
> + struct ib_device *device;
> + int err;
> +
> + device = file->device->ib_dev;
> + if (ucore->inlen < sizeof(cmd))
> + return -EINVAL;
> +
> + err = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
> + if (err)
> + return err;
> +
> + if (cmd.reserved)
> + return -EINVAL;
> +
> + err = device->query_device(device, &attr);
> + if (err)
> + return err;
> +
> + memset(&resp, 0, sizeof(resp));
> + copy_query_dev_fields(file, &resp.base, &attr);
> + resp.comp_mask = 0;
> +
> + err = ib_copy_to_udata(ucore, &resp, sizeof(resp));
> + if (err)
> + return err;
> +
> + return 0;
> +}
> diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
> index 71ab83fde472..974025028790 100644
> --- a/drivers/infiniband/core/uverbs_main.c
> +++ b/drivers/infiniband/core/uverbs_main.c
> @@ -122,7 +122,8 @@ static int (*uverbs_ex_cmd_table[])(struct ib_uverbs_file *file,
> struct ib_udata *ucore,
> struct ib_udata *uhw) = {
> [IB_USER_VERBS_EX_CMD_CREATE_FLOW] = ib_uverbs_ex_create_flow,
> - [IB_USER_VERBS_EX_CMD_DESTROY_FLOW] = ib_uverbs_ex_destroy_flow
> + [IB_USER_VERBS_EX_CMD_DESTROY_FLOW] = ib_uverbs_ex_destroy_flow,
> + [IB_USER_VERBS_EX_CMD_QUERY_DEVICE] = ib_uverbs_ex_query_device
> };
>
> static void ib_uverbs_add_one(struct ib_device *device);
> diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
> index 470a011d6fa4..97a999f9e4d8 100644
> --- a/include/rdma/ib_verbs.h
> +++ b/include/rdma/ib_verbs.h
> @@ -1662,7 +1662,10 @@ static inline int ib_copy_from_udata(void *dest, struct ib_udata *udata, size_t
>
> static inline int ib_copy_to_udata(struct ib_udata *udata, void *src, size_t len)
> {
> - return copy_to_user(udata->outbuf, src, len) ? -EFAULT : 0;
> + size_t copy_sz;
> +
> + copy_sz = min_t(size_t, len, udata->outlen);
> + return copy_to_user(udata->outbuf, src, copy_sz) ? -EFAULT : 0;
> }
This is not the place to do this: as I'm guessing the purpose of this
change from the patch in '[PATCH v3 07/17] IB/core: Add flags for on
demand paging support', you're trying to handle uverbs call from
a userspace program using a previous, shorter ABI.
But that's hidding bug where userspace will get it wrong at passing the
correct buffer / size for all others uverb calls.
That cannot work that way.
In a previous patchset [1], I've suggested to add a check in
ib_copy_{from,to}_udata()[2][3] in order to check the input/output
buffer size to not read/write past userspace provided buffer
boundaries: in case of mismatch an error would be returned to
userspace.
With the suggested change here, buffer overflow won't happen,
but the error is silently ignored, allowing uverb to return a
partial result, which is likely not expected by userspace as
it's a bit difficult to handle it gracefully.
So this has to be removed, and a check on userspace response
buffer must be added to ib_uverbs_ex_query_device() instead.
[1] "[PATCH 00/22] infiniband: improve userspace input check"
http://marc.info/?i=cover.1376847403.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
http://mid.gmane.org/cover.1376847403.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
[2] "[PATCH 03/22] infiniband: ib_copy_from_udata(): check input length"
http://mid.gmane.org/2bf102a41c51f61965ee09df827abe8fefb523a9.1376847403.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
[3] "[PATCH 04/22] infiniband: ib_copy_to_udata(): check output length"
http://mid.gmane.org/d27716a3a1c180f832d153a7402f65ea8a75b734.1376847403.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
Regards.
--
Yann Droneaud
OPTEYA
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2014-12-16 12:33 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-11 15:04 [PATCH v3 00/17] On demand paging Haggai Eran
[not found] ` <1418310266-9584-1-git-send-email-haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2014-12-11 15:04 ` [PATCH v3 01/17] IB/mlx5: Remove per-MR pas and dma pointers Haggai Eran
2014-12-11 15:04 ` [PATCH v3 02/17] IB/mlx5: Enhance UMR support to allow partial page table update Haggai Eran
2014-12-11 15:04 ` [PATCH v3 03/17] IB/core: Replace ib_umem's offset field with a full address Haggai Eran
2014-12-11 15:04 ` [PATCH v3 04/17] IB/core: Add umem function to read data from user-space Haggai Eran
2014-12-11 15:04 ` [PATCH v3 05/17] IB/mlx5: Add function to read WQE " Haggai Eran
2014-12-11 15:04 ` [PATCH v3 06/17] IB/core: Add support for extended query device caps Haggai Eran
[not found] ` <1418310266-9584-7-git-send-email-haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2014-12-16 12:33 ` Yann Droneaud [this message]
[not found] ` <1418733236.2779.26.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2014-12-16 17:41 ` Roland Dreier
[not found] ` <CAG4TOxP9OhPigPseCzhUacHADoH2pEdj672V0SVfZuBTjKLHVg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-16 20:07 ` Or Gerlitz
[not found] ` <CAJ3xEMi+SCakMD=PYamYjqYWb0oCmccLzyR-4+K-fhF1bGfykQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-16 20:14 ` Yann Droneaud
2015-01-21 10:32 ` Yann Droneaud
[not found] ` <1421836353.13543.7.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2015-01-21 11:14 ` Haggai Eran
2014-12-17 6:54 ` Haggai Eran
[not found] ` <549128B4.5010301-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2014-12-17 14:00 ` Yann Droneaud
2014-12-17 14:12 ` Haggai Eran
[not found] ` <54918F50.7020705-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2015-01-21 12:50 ` Yann Droneaud
2014-12-11 15:04 ` [PATCH v3 07/17] IB/core: Add flags for on demand paging support Haggai Eran
[not found] ` <1418310266-9584-8-git-send-email-haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2014-12-16 12:02 ` Yann Droneaud
[not found] ` <1418731378.2779.6.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2014-12-16 12:13 ` Yann Droneaud
2014-12-11 15:04 ` [PATCH v3 08/17] IB/core: Add support for on demand paging regions Haggai Eran
2014-12-11 15:04 ` [PATCH v3 09/17] IB/core: Implement support for MMU notifiers regarding " Haggai Eran
2014-12-11 15:04 ` [PATCH v3 10/17] net/mlx5_core: Add support for page faults events and low level handling Haggai Eran
2014-12-11 15:04 ` [PATCH v3 11/17] IB/mlx5: Implement the ODP capability query verb Haggai Eran
2014-12-11 15:04 ` [PATCH v3 12/17] IB/mlx5: Changes in memory region creation to support on-demand paging Haggai Eran
2014-12-11 15:04 ` [PATCH v3 13/17] IB/mlx5: Add mlx5_ib_update_mtt to update page tables after creation Haggai Eran
2014-12-11 15:04 ` [PATCH v3 14/17] IB/mlx5: Page faults handling infrastructure Haggai Eran
2014-12-11 15:04 ` [PATCH v3 15/17] IB/mlx5: Handle page faults Haggai Eran
2014-12-11 15:04 ` [PATCH v3 16/17] IB/mlx5: Add support for RDMA read/write responder " Haggai Eran
2014-12-11 15:04 ` [PATCH v3 17/17] IB/mlx5: Implement on demand paging by adding support for MMU notifiers Haggai Eran
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1418733236.2779.26.camel@opteya.com \
--to=ydroneaud-rly5vtjfyj3qt0dzr+alfa@public.gmane.org \
--cc=eli-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org \
--cc=eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=j.glisse-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=liranl-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=majd-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=roland-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=sagig-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.