From: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
To: Haggai Eran <haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Roland Dreier <roland-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Liran Liss <liranl-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Or Gerlitz <ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Sagi Grimberg <sagig-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Majd Dibbiny <majd-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Jerome Glisse <j.glisse-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Eli Cohen <eli-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org>,
Eli Cohen <eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: Re: [PATCH v3 06/17] IB/core: Add support for extended query device caps
Date: Tue, 16 Dec 2014 13:33:56 +0100 [thread overview]
Message-ID: <1418733236.2779.26.camel@opteya.com> (raw)
In-Reply-To: <1418310266-9584-7-git-send-email-haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Le jeudi 11 décembre 2014 à 17:04 +0200, Haggai Eran a écrit :
> From: Eli Cohen <eli-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org>
>
> Add extensible query device capabilities verb to allow adding new features.
> ib_uverbs_ex_query_device is added and copy_query_dev_fields is used to copy
> capability fields to be used by both ib_uverbs_query_device and
> ib_uverbs_ex_query_device.
>
> Signed-off-by: Eli Cohen <eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
> Signed-off-by: Haggai Eran <haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
> ---
> drivers/infiniband/core/uverbs.h | 1 +
> drivers/infiniband/core/uverbs_cmd.c | 124 +++++++++++++++++++++++-----------
> drivers/infiniband/core/uverbs_main.c | 3 +-
> include/rdma/ib_verbs.h | 5 +-
> include/uapi/rdma/ib_user_verbs.h | 14 +++-
> 5 files changed, 103 insertions(+), 44 deletions(-)
>
> diff --git a/drivers/infiniband/core/uverbs.h b/drivers/infiniband/core/uverbs.h
> index 643c08a025a5..b716b0815644 100644
> --- a/drivers/infiniband/core/uverbs.h
> +++ b/drivers/infiniband/core/uverbs.h
> @@ -258,5 +258,6 @@ IB_UVERBS_DECLARE_CMD(close_xrcd);
>
> IB_UVERBS_DECLARE_EX_CMD(create_flow);
> IB_UVERBS_DECLARE_EX_CMD(destroy_flow);
> +IB_UVERBS_DECLARE_EX_CMD(query_device);
>
> #endif /* UVERBS_H */
> diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
> index 5ba2a86aab6a..c7a43624c96b 100644
> --- a/drivers/infiniband/core/uverbs_cmd.c
> +++ b/drivers/infiniband/core/uverbs_cmd.c
> @@ -378,6 +378,52 @@ err:
> return ret;
> }
>
> +static void copy_query_dev_fields(struct ib_uverbs_file *file,
> + struct ib_uverbs_query_device_resp *resp,
> + struct ib_device_attr *attr)
> +{
> + resp->fw_ver = attr->fw_ver;
> + resp->node_guid = file->device->ib_dev->node_guid;
> + resp->sys_image_guid = attr->sys_image_guid;
> + resp->max_mr_size = attr->max_mr_size;
> + resp->page_size_cap = attr->page_size_cap;
> + resp->vendor_id = attr->vendor_id;
> + resp->vendor_part_id = attr->vendor_part_id;
> + resp->hw_ver = attr->hw_ver;
> + resp->max_qp = attr->max_qp;
> + resp->max_qp_wr = attr->max_qp_wr;
> + resp->device_cap_flags = attr->device_cap_flags;
> + resp->max_sge = attr->max_sge;
> + resp->max_sge_rd = attr->max_sge_rd;
> + resp->max_cq = attr->max_cq;
> + resp->max_cqe = attr->max_cqe;
> + resp->max_mr = attr->max_mr;
> + resp->max_pd = attr->max_pd;
> + resp->max_qp_rd_atom = attr->max_qp_rd_atom;
> + resp->max_ee_rd_atom = attr->max_ee_rd_atom;
> + resp->max_res_rd_atom = attr->max_res_rd_atom;
> + resp->max_qp_init_rd_atom = attr->max_qp_init_rd_atom;
> + resp->max_ee_init_rd_atom = attr->max_ee_init_rd_atom;
> + resp->atomic_cap = attr->atomic_cap;
> + resp->max_ee = attr->max_ee;
> + resp->max_rdd = attr->max_rdd;
> + resp->max_mw = attr->max_mw;
> + resp->max_raw_ipv6_qp = attr->max_raw_ipv6_qp;
> + resp->max_raw_ethy_qp = attr->max_raw_ethy_qp;
> + resp->max_mcast_grp = attr->max_mcast_grp;
> + resp->max_mcast_qp_attach = attr->max_mcast_qp_attach;
> + resp->max_total_mcast_qp_attach = attr->max_total_mcast_qp_attach;
> + resp->max_ah = attr->max_ah;
> + resp->max_fmr = attr->max_fmr;
> + resp->max_map_per_fmr = attr->max_map_per_fmr;
> + resp->max_srq = attr->max_srq;
> + resp->max_srq_wr = attr->max_srq_wr;
> + resp->max_srq_sge = attr->max_srq_sge;
> + resp->max_pkeys = attr->max_pkeys;
> + resp->local_ca_ack_delay = attr->local_ca_ack_delay;
> + resp->phys_port_cnt = file->device->ib_dev->phys_port_cnt;
> +}
> +
> ssize_t ib_uverbs_query_device(struct ib_uverbs_file *file,
> const char __user *buf,
> int in_len, int out_len)
> @@ -398,47 +444,7 @@ ssize_t ib_uverbs_query_device(struct ib_uverbs_file *file,
> return ret;
>
> memset(&resp, 0, sizeof resp);
> -
> - resp.fw_ver = attr.fw_ver;
> - resp.node_guid = file->device->ib_dev->node_guid;
> - resp.sys_image_guid = attr.sys_image_guid;
> - resp.max_mr_size = attr.max_mr_size;
> - resp.page_size_cap = attr.page_size_cap;
> - resp.vendor_id = attr.vendor_id;
> - resp.vendor_part_id = attr.vendor_part_id;
> - resp.hw_ver = attr.hw_ver;
> - resp.max_qp = attr.max_qp;
> - resp.max_qp_wr = attr.max_qp_wr;
> - resp.device_cap_flags = attr.device_cap_flags;
> - resp.max_sge = attr.max_sge;
> - resp.max_sge_rd = attr.max_sge_rd;
> - resp.max_cq = attr.max_cq;
> - resp.max_cqe = attr.max_cqe;
> - resp.max_mr = attr.max_mr;
> - resp.max_pd = attr.max_pd;
> - resp.max_qp_rd_atom = attr.max_qp_rd_atom;
> - resp.max_ee_rd_atom = attr.max_ee_rd_atom;
> - resp.max_res_rd_atom = attr.max_res_rd_atom;
> - resp.max_qp_init_rd_atom = attr.max_qp_init_rd_atom;
> - resp.max_ee_init_rd_atom = attr.max_ee_init_rd_atom;
> - resp.atomic_cap = attr.atomic_cap;
> - resp.max_ee = attr.max_ee;
> - resp.max_rdd = attr.max_rdd;
> - resp.max_mw = attr.max_mw;
> - resp.max_raw_ipv6_qp = attr.max_raw_ipv6_qp;
> - resp.max_raw_ethy_qp = attr.max_raw_ethy_qp;
> - resp.max_mcast_grp = attr.max_mcast_grp;
> - resp.max_mcast_qp_attach = attr.max_mcast_qp_attach;
> - resp.max_total_mcast_qp_attach = attr.max_total_mcast_qp_attach;
> - resp.max_ah = attr.max_ah;
> - resp.max_fmr = attr.max_fmr;
> - resp.max_map_per_fmr = attr.max_map_per_fmr;
> - resp.max_srq = attr.max_srq;
> - resp.max_srq_wr = attr.max_srq_wr;
> - resp.max_srq_sge = attr.max_srq_sge;
> - resp.max_pkeys = attr.max_pkeys;
> - resp.local_ca_ack_delay = attr.local_ca_ack_delay;
> - resp.phys_port_cnt = file->device->ib_dev->phys_port_cnt;
> + copy_query_dev_fields(file, &resp, &attr);
>
> if (copy_to_user((void __user *) (unsigned long) cmd.response,
> &resp, sizeof resp))
> @@ -3253,3 +3259,39 @@ ssize_t ib_uverbs_destroy_srq(struct ib_uverbs_file *file,
>
> return ret ? ret : in_len;
> }
> +
> +int ib_uverbs_ex_query_device(struct ib_uverbs_file *file,
> + struct ib_udata *ucore,
> + struct ib_udata *uhw)
> +{
> + struct ib_uverbs_ex_query_device_resp resp;
> + struct ib_uverbs_ex_query_device cmd;
> + struct ib_device_attr attr;
> + struct ib_device *device;
> + int err;
> +
> + device = file->device->ib_dev;
> + if (ucore->inlen < sizeof(cmd))
> + return -EINVAL;
> +
> + err = ib_copy_from_udata(&cmd, ucore, sizeof(cmd));
> + if (err)
> + return err;
> +
> + if (cmd.reserved)
> + return -EINVAL;
> +
> + err = device->query_device(device, &attr);
> + if (err)
> + return err;
> +
> + memset(&resp, 0, sizeof(resp));
> + copy_query_dev_fields(file, &resp.base, &attr);
> + resp.comp_mask = 0;
> +
> + err = ib_copy_to_udata(ucore, &resp, sizeof(resp));
> + if (err)
> + return err;
> +
> + return 0;
> +}
> diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
> index 71ab83fde472..974025028790 100644
> --- a/drivers/infiniband/core/uverbs_main.c
> +++ b/drivers/infiniband/core/uverbs_main.c
> @@ -122,7 +122,8 @@ static int (*uverbs_ex_cmd_table[])(struct ib_uverbs_file *file,
> struct ib_udata *ucore,
> struct ib_udata *uhw) = {
> [IB_USER_VERBS_EX_CMD_CREATE_FLOW] = ib_uverbs_ex_create_flow,
> - [IB_USER_VERBS_EX_CMD_DESTROY_FLOW] = ib_uverbs_ex_destroy_flow
> + [IB_USER_VERBS_EX_CMD_DESTROY_FLOW] = ib_uverbs_ex_destroy_flow,
> + [IB_USER_VERBS_EX_CMD_QUERY_DEVICE] = ib_uverbs_ex_query_device
> };
>
> static void ib_uverbs_add_one(struct ib_device *device);
> diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
> index 470a011d6fa4..97a999f9e4d8 100644
> --- a/include/rdma/ib_verbs.h
> +++ b/include/rdma/ib_verbs.h
> @@ -1662,7 +1662,10 @@ static inline int ib_copy_from_udata(void *dest, struct ib_udata *udata, size_t
>
> static inline int ib_copy_to_udata(struct ib_udata *udata, void *src, size_t len)
> {
> - return copy_to_user(udata->outbuf, src, len) ? -EFAULT : 0;
> + size_t copy_sz;
> +
> + copy_sz = min_t(size_t, len, udata->outlen);
> + return copy_to_user(udata->outbuf, src, copy_sz) ? -EFAULT : 0;
> }
This is not the place to do this: as I'm guessing the purpose of this
change from the patch in '[PATCH v3 07/17] IB/core: Add flags for on
demand paging support', you're trying to handle uverbs call from
a userspace program using a previous, shorter ABI.
But that's hidding bug where userspace will get it wrong at passing the
correct buffer / size for all others uverb calls.
That cannot work that way.
In a previous patchset [1], I've suggested to add a check in
ib_copy_{from,to}_udata()[2][3] in order to check the input/output
buffer size to not read/write past userspace provided buffer
boundaries: in case of mismatch an error would be returned to
userspace.
With the suggested change here, buffer overflow won't happen,
but the error is silently ignored, allowing uverb to return a
partial result, which is likely not expected by userspace as
it's a bit difficult to handle it gracefully.
So this has to be removed, and a check on userspace response
buffer must be added to ib_uverbs_ex_query_device() instead.
[1] "[PATCH 00/22] infiniband: improve userspace input check"
http://marc.info/?i=cover.1376847403.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
http://mid.gmane.org/cover.1376847403.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
[2] "[PATCH 03/22] infiniband: ib_copy_from_udata(): check input length"
http://mid.gmane.org/2bf102a41c51f61965ee09df827abe8fefb523a9.1376847403.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
[3] "[PATCH 04/22] infiniband: ib_copy_to_udata(): check output length"
http://mid.gmane.org/d27716a3a1c180f832d153a7402f65ea8a75b734.1376847403.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
Regards.
--
Yann Droneaud
OPTEYA
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2014-12-16 12:33 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-11 15:04 [PATCH v3 00/17] On demand paging Haggai Eran
[not found] ` <1418310266-9584-1-git-send-email-haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2014-12-11 15:04 ` [PATCH v3 01/17] IB/mlx5: Remove per-MR pas and dma pointers Haggai Eran
2014-12-11 15:04 ` [PATCH v3 02/17] IB/mlx5: Enhance UMR support to allow partial page table update Haggai Eran
2014-12-11 15:04 ` [PATCH v3 03/17] IB/core: Replace ib_umem's offset field with a full address Haggai Eran
2014-12-11 15:04 ` [PATCH v3 04/17] IB/core: Add umem function to read data from user-space Haggai Eran
2014-12-11 15:04 ` [PATCH v3 05/17] IB/mlx5: Add function to read WQE " Haggai Eran
2014-12-11 15:04 ` [PATCH v3 06/17] IB/core: Add support for extended query device caps Haggai Eran
[not found] ` <1418310266-9584-7-git-send-email-haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2014-12-16 12:33 ` Yann Droneaud [this message]
[not found] ` <1418733236.2779.26.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2014-12-16 17:41 ` Roland Dreier
[not found] ` <CAG4TOxP9OhPigPseCzhUacHADoH2pEdj672V0SVfZuBTjKLHVg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-16 20:07 ` Or Gerlitz
[not found] ` <CAJ3xEMi+SCakMD=PYamYjqYWb0oCmccLzyR-4+K-fhF1bGfykQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-12-16 20:14 ` Yann Droneaud
2015-01-21 10:32 ` Yann Droneaud
[not found] ` <1421836353.13543.7.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2015-01-21 11:14 ` Haggai Eran
2014-12-17 6:54 ` Haggai Eran
[not found] ` <549128B4.5010301-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2014-12-17 14:00 ` Yann Droneaud
2014-12-17 14:12 ` Haggai Eran
[not found] ` <54918F50.7020705-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2015-01-21 12:50 ` Yann Droneaud
2014-12-11 15:04 ` [PATCH v3 07/17] IB/core: Add flags for on demand paging support Haggai Eran
[not found] ` <1418310266-9584-8-git-send-email-haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2014-12-16 12:02 ` Yann Droneaud
[not found] ` <1418731378.2779.6.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2014-12-16 12:13 ` Yann Droneaud
2014-12-11 15:04 ` [PATCH v3 08/17] IB/core: Add support for on demand paging regions Haggai Eran
2014-12-11 15:04 ` [PATCH v3 09/17] IB/core: Implement support for MMU notifiers regarding " Haggai Eran
2014-12-11 15:04 ` [PATCH v3 10/17] net/mlx5_core: Add support for page faults events and low level handling Haggai Eran
2014-12-11 15:04 ` [PATCH v3 11/17] IB/mlx5: Implement the ODP capability query verb Haggai Eran
2014-12-11 15:04 ` [PATCH v3 12/17] IB/mlx5: Changes in memory region creation to support on-demand paging Haggai Eran
2014-12-11 15:04 ` [PATCH v3 13/17] IB/mlx5: Add mlx5_ib_update_mtt to update page tables after creation Haggai Eran
2014-12-11 15:04 ` [PATCH v3 14/17] IB/mlx5: Page faults handling infrastructure Haggai Eran
2014-12-11 15:04 ` [PATCH v3 15/17] IB/mlx5: Handle page faults Haggai Eran
2014-12-11 15:04 ` [PATCH v3 16/17] IB/mlx5: Add support for RDMA read/write responder " Haggai Eran
2014-12-11 15:04 ` [PATCH v3 17/17] IB/mlx5: Implement on demand paging by adding support for MMU notifiers Haggai Eran
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1418733236.2779.26.camel@opteya.com \
--to=ydroneaud-rly5vtjfyj3qt0dzr+alfa@public.gmane.org \
--cc=eli-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org \
--cc=eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=j.glisse-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=liranl-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=majd-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=roland-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=sagig-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox