Linux RDMA and InfiniBand development
* [PATCH rc] RDMA/core: Validate the passed in fops for ib_get_ucaps()
@ 2026-05-26 15:40 Jason Gunthorpe
  2026-06-02 13:04 ` Jason Gunthorpe
  0 siblings, 1 reply; 2+ messages in thread
From: Jason Gunthorpe @ 2026-05-26 15:40 UTC (permalink / raw)
  To: linux-rdma
  Cc: Chiara Meiohas, Leon Romanovsky, patches, stable, Zhu Yanjun,
	Yishai Hadas

Sashiko pointed out it is not safe to rely only on the devt because
char/block alias so if the user finds a block device with the same dev_t
it can masquerade as a ucap cdev fd.

Test the f_ops to only accept authentic cdevs.

Cc: stable@vger.kernel.org
Fixes: 61e51682816d ("RDMA/uverbs: Introduce UCAP (User CAPabilities) API")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
 drivers/infiniband/core/ucaps.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/infiniband/core/ucaps.c b/drivers/infiniband/core/ucaps.c
index c5721d3b0d33c0..03c78ade028963 100644
--- a/drivers/infiniband/core/ucaps.c
+++ b/drivers/infiniband/core/ucaps.c
@@ -77,14 +77,12 @@ static int get_ucap_from_devt(dev_t devt, u64 *idx_mask)
 
 static int get_devt_from_fd(unsigned int fd, dev_t *ret_dev)
 {
-	struct file *file;
+	CLASS(fd, f)(fd);
 
-	file = fget(fd);
-	if (!file)
+	if (fd_empty(f) || fd_file(f)->f_op != &ucaps_cdev_fops)
 		return -EBADF;
 
-	*ret_dev = file_inode(file)->i_rdev;
-	fput(file);
+	*ret_dev = file_inode(fd_file(f))->i_rdev;
 	return 0;
 }
 
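Review bot: The new `fd_file(f)->f_op != &ucaps_cdev_fops` test in get_devt_from_fd() makes this helper the only place where the fd is authenticated, yet neither the function name nor a comment says so. A one-line comment above the check, stating that i_rdev alone cannot be trusted because a block device can carry the same dev_t, would keep a later cleanup from dropping the comparison. The combined condition also returns -EBADF both for an empty fd and for a valid fd of the wrong type. If that is intentional, say so in the commit message, since callers can no longer tell the two cases apart. The switch to CLASS(fd, f) removes the manual fput() on the success path, which is correct here because `*ret_dev` is copied out before the scope ends.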

base-commit: 9733e9f580fdda2e8c1cd349caddd93f026ab6f5
-- 
2.43.0



* Re: [PATCH rc] RDMA/core: Validate the passed in fops for ib_get_ucaps()
  2026-05-26 15:40 [PATCH rc] RDMA/core: Validate the passed in fops for ib_get_ucaps() Jason Gunthorpe
@ 2026-06-02 13:04 ` Jason Gunthorpe
  0 siblings, 0 replies; 2+ messages in thread
From: Jason Gunthorpe @ 2026-06-02 13:04 UTC (permalink / raw)
  To: linux-rdma
  Cc: Chiara Meiohas, Leon Romanovsky, patches, stable, Zhu Yanjun,
	Yishai Hadas

On Tue, May 26, 2026 at 12:40:25PM -0300, Jason Gunthorpe wrote:
> Sashiko pointed out it is not safe to rely only on the devt because
> char/block alias so if the user finds a block device with the same dev_t
> it can masquerade as a ucap cdev fd.
> 
> Test the f_ops to only accept authentic cdevs.
> 
> Cc: stable@vger.kernel.org
> Fixes: 61e51682816d ("RDMA/uverbs: Introduce UCAP (User CAPabilities) API")
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
>  drivers/infiniband/core/ucaps.c | 8 +++-----
>  1 file changed, 3 insertions(+), 5 deletions(-)

Applied to for-rc

Jason

