From: Jacob Moroni <jmoroni@google.com>
To: tatyana.e.nikolova@intel.com, jgg@ziepe.ca, leon@kernel.org
Cc: linux-rdma@vger.kernel.org, Jacob Moroni <jmoroni@google.com>
Subject: [PATCH rdma-next 1/5] RDMA/irdma: Enforce empty udata input for no-input ops
Date: Sat, 27 Jun 2026 02:56:38 +0000 [thread overview]
Message-ID: <20260627025642.4064973-2-jmoroni@google.com> (raw)
In-Reply-To: <20260627025642.4064973-1-jmoroni@google.com>
Validate that the udata input buffer is empty for operations
that do not expect input data from userspace.
The irdma rdma-core provider as well as the legacy i40iw
provider were both checked to ensure they never passed any
udata to these ops.
Signed-off-by: Jacob Moroni <jmoroni@google.com>
---
drivers/infiniband/hw/irdma/verbs.c | 48 +++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index b79f5afe68e5..e1c894fba2af 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -410,6 +410,10 @@ static int irdma_alloc_pd(struct ib_pd *pd, struct ib_udata *udata)
if (udata && udata->outlen < IRDMA_ALLOC_PD_MIN_RESP_LEN)
return -EINVAL;
+ err = ib_is_udata_in_empty(udata);
+ if (err)
+ return err;
+
err = irdma_alloc_rsrc(rf, rf->allocated_pds, rf->max_pd, &pd_id,
&rf->next_pd);
if (err)
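Review bot: The added `ib_is_udata_in_empty(udata)` call in irdma_alloc_pd is unconditional, while the context line just above it guards with `udata && udata->outlen < ...`, so udata can evidently be NULL on this path. The check therefore depends on the helper treating a NULL udata as empty; the helper's body is not part of this patch, so that should be confirmed. The same applies to the dealloc_pd, destroy_qp, destroy_srq, destroy_cq, dereg_mr and create_ah hunks, which in-kernel consumers presumably reach with no udata. A one-line comment at this first call site would record the assumption, e.g. `/* udata is NULL for kernel callers; ib_is_udata_in_empty() treats that as empty */`. irdma_alloc_pd's body starts and ends outside the hunk.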
@@ -445,6 +449,11 @@ static int irdma_dealloc_pd(struct ib_pd *ibpd, struct ib_udata *udata)
{
struct irdma_pd *iwpd = to_iwpd(ibpd);
struct irdma_device *iwdev = to_iwdev(ibpd->device);
+ int err;
+
+ err = ib_is_udata_in_empty(udata);
+ if (err)
+ return err;
irdma_free_rsrc(iwdev->rf, iwdev->rf->allocated_pds, iwpd->sc_pd.pd_id);
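Review bot: irdma_dealloc_pd gains its first visible error return here (the hunk has to add `int err;`), so a teardown verb that apparently could not fail before can now be rejected when userspace supplies stray input bytes. Placing the check before irdma_free_rsrc() is the right order, since a rejected call leaves the PD fully intact, but the intent should be stated, e.g. `/* Reject before any teardown so a failed call leaves the PD intact and retryable */`. The destroy_qp, destroy_srq, destroy_cq and dereg_mr hunks follow the same pattern and deserve the same comment. Whether the uverbs core's context-close cleanup always presents an empty input buffer is not visible in this patch and should be confirmed, because an object whose destroy is refused at that point would be leaked. The function body continues outside the hunk.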
@@ -542,6 +551,11 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
{
struct irdma_qp *iwqp = to_iwqp(ibqp);
struct irdma_device *iwdev = iwqp->iwdev;
+ int err;
+
+ err = ib_is_udata_in_empty(udata);
+ if (err)
+ return err;
iwqp->sc_qp.qp_uk.destroy_pending = true;
@@ -1959,6 +1973,11 @@ static int irdma_destroy_srq(struct ib_srq *ibsrq, struct ib_udata *udata)
struct irdma_device *iwdev = to_iwdev(ibsrq->device);
struct irdma_srq *iwsrq = to_iwsrq(ibsrq);
struct irdma_sc_srq *srq = &iwsrq->sc_srq;
+ int err;
+
+ err = ib_is_udata_in_empty(udata);
+ if (err)
+ return err;
irdma_srq_wq_destroy(iwdev->rf, srq);
irdma_srq_free_rsrc(iwdev->rf, iwsrq);
@@ -1979,6 +1998,11 @@ static int irdma_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata)
struct irdma_sc_ceq *ceq = dev->ceq[cq->ceq_id];
struct irdma_ceq *iwceq = container_of(ceq, struct irdma_ceq, sc_ceq);
unsigned long flags;
+ int err;
+
+ err = ib_is_udata_in_empty(udata);
+ if (err)
+ return err;
spin_lock_irqsave(&iwcq->lock, flags);
if (!list_empty(&iwcq->cmpl_generated))
@@ -2195,6 +2219,10 @@ static int irdma_modify_srq(struct ib_srq *ibsrq, struct ib_srq_attr *attr,
struct cqp_cmds_info *cqp_info;
int status;
+ status = ib_is_udata_in_empty(udata);
+ if (status)
+ return status;
+
if (attr_mask & IB_SRQ_MAX_WR)
return -EINVAL;
@@ -3035,6 +3063,10 @@ static int irdma_alloc_mw(struct ib_mw *ibmw, struct ib_udata *udata)
int err_code;
u32 stag;
+ err_code = ib_is_udata_in_empty(udata);
+ if (err_code)
+ return err_code;
+
stag = irdma_create_stag(iwdev);
if (!stag)
return -ENOMEM;
@@ -3785,6 +3817,10 @@ static struct ib_mr *irdma_rereg_user_mr(struct ib_mr *ib_mr, int flags,
struct ib_umem_dmabuf *umem_dmabuf;
int ret;
+ ret = ib_is_udata_in_empty(udata);
+ if (ret)
+ return ERR_PTR(ret);
+
if (len > iwdev->rf->sc_dev.hw_attrs.max_mr_size)
return ERR_PTR(-EINVAL);
@@ -3973,6 +4009,10 @@ static int irdma_dereg_mr(struct ib_mr *ib_mr, struct ib_udata *udata)
bool dmabuf_revocable = iwmr->region && iwmr->region->is_dmabuf;
int ret;
+ ret = ib_is_udata_in_empty(udata);
+ if (ret)
+ return ret;
+
if (iwmr->type != IRDMA_MEMREG_TYPE_MEM) {
if (iwmr->region) {
struct irdma_ucontext *ucontext;
@@ -5292,6 +5332,10 @@ static int irdma_create_user_ah(struct ib_ah *ibah,
if (udata->outlen < IRDMA_CREATE_AH_MIN_RESP_LEN)
return -EINVAL;
+ err = ib_is_udata_in_empty(udata);
+ if (err)
+ return err;
+
err = irdma_setup_ah(ibah, attr);
if (err)
return err;
@@ -5340,6 +5384,10 @@ static int irdma_create_ah(struct ib_ah *ibah, struct rdma_ah_init_attr *attr,
struct irdma_device *iwdev = to_iwdev(ibah->pd->device);
int err;
+ err = ib_is_udata_in_empty(udata);
+ if (err)
+ return err;
+
err = irdma_setup_ah(ibah, attr);
if (err)
return err;
--
2.55.0.rc0.799.gd6f94ed593-goog
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-27 2:56 [PATCH rdma-next 0/5] RDMA/irdma: Adopt robust udata Jacob Moroni
2026-06-27 2:56 ` Jacob Moroni [this message]
2026-06-27 2:56 ` [PATCH rdma-next 2/5] RDMA/irdma: Use robust udata input copy helpers Jacob Moroni
2026-06-27 2:56 ` [PATCH rdma-next 3/5] RDMA/irdma: Use ib_respond_empty_udata where applicable Jacob Moroni
2026-06-27 2:56 ` [PATCH rdma-next 4/5] RDMA/irdma: Use robust udata helper for QP creation Jacob Moroni
2026-06-27 2:56 ` [PATCH rdma-next 5/5] RDMA/irdma: Enable uverbs_robust_udata compliance flag Jacob Moroni