* [PATCH rc] RDMA/core: Validate the passed in fops for ib_get_ucaps()
@ 2026-05-26 15:40 Jason Gunthorpe
2026-06-02 13:04 ` Jason Gunthorpe
0 siblings, 1 reply; 2+ messages in thread
From: Jason Gunthorpe @ 2026-05-26 15:40 UTC (permalink / raw)
To: linux-rdma
Cc: Chiara Meiohas, Leon Romanovsky, patches, stable, Zhu Yanjun,
Yishai Hadas
Sashiko pointed out it is not safe to rely only on the devt because
char/block alias so if the user finds a block device with the same dev_t
it can masquerade as a ucap cdev fd.
Test the f_ops to only accept authentic cdevs.
Cc: stable@vger.kernel.org
Fixes: 61e51682816d ("RDMA/uverbs: Introduce UCAP (User CAPabilities) API")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
drivers/infiniband/core/ucaps.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/infiniband/core/ucaps.c b/drivers/infiniband/core/ucaps.c
index c5721d3b0d33c0..03c78ade028963 100644
--- a/drivers/infiniband/core/ucaps.c
+++ b/drivers/infiniband/core/ucaps.c
@@ -77,14 +77,12 @@ static int get_ucap_from_devt(dev_t devt, u64 *idx_mask)
static int get_devt_from_fd(unsigned int fd, dev_t *ret_dev)
{
- struct file *file;
+ CLASS(fd, f)(fd);
- file = fget(fd);
- if (!file)
+ if (fd_empty(f) || fd_file(f)->f_op != &ucaps_cdev_fops)
return -EBADF;
- *ret_dev = file_inode(file)->i_rdev;
- fput(file);
+ *ret_dev = file_inode(fd_file(f))->i_rdev;
return 0;
}
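Review bot: the new `fd_file(f)->f_op != &ucaps_cdev_fops` test in get_devt_from_fd() carries no comment explaining why the dev_t alone is not trusted; the char/block dev_t aliasing rationale exists only in the commit message. A short comment above the `if` would keep a later cleanup from dropping the check as redundant with the dev_t lookup. Separately, a valid fd of the wrong type now returns -EBADF, the same as an empty fd; if that merge is intentional it is worth saying so, otherwise a distinct error for the wrong-f_op case would make failures easier to diagnose.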
base-commit: 9733e9f580fdda2e8c1cd349caddd93f026ab6f5
--
2.43.0
* Re: [PATCH rc] RDMA/core: Validate the passed in fops for ib_get_ucaps()
2026-05-26 15:40 [PATCH rc] RDMA/core: Validate the passed in fops for ib_get_ucaps() Jason Gunthorpe
@ 2026-06-02 13:04 ` Jason Gunthorpe
0 siblings, 0 replies; 2+ messages in thread
From: Jason Gunthorpe @ 2026-06-02 13:04 UTC (permalink / raw)
To: linux-rdma
Cc: Chiara Meiohas, Leon Romanovsky, patches, stable, Zhu Yanjun,
Yishai Hadas
On Tue, May 26, 2026 at 12:40:25PM -0300, Jason Gunthorpe wrote:
> Sashiko pointed out it is not safe to rely only on the devt because
> char/block alias so if the user finds a block device with the same dev_t
> it can masquerade as a ucap cdev fd.
>
> Test the f_ops to only accept authentic cdevs.
>
> Cc: stable@vger.kernel.org
> Fixes: 61e51682816d ("RDMA/uverbs: Introduce UCAP (User CAPabilities) API")
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
> drivers/infiniband/core/ucaps.c | 8 +++-----
> 1 file changed, 3 insertions(+), 5 deletions(-)
Applied to for-rc
Jason