From: Jacob Moroni <jmoroni@google.com>
To: tatyana.e.nikolova@intel.com, jgg@ziepe.ca, leon@kernel.org
Cc: linux-rdma@vger.kernel.org, Jacob Moroni <jmoroni@google.com>
Subject: [PATCH rdma-next v2 4/5] RDMA/irdma: Use robust udata helper for QP creation
Date: Mon, 29 Jun 2026 23:25:31 +0000 [thread overview]
Message-ID: <20260629232532.2057423-5-jmoroni@google.com> (raw)
In-Reply-To: <20260629232532.2057423-1-jmoroni@google.com>
Replace the manual udata input copy and validation during
QP creation with the robust helper.
The irdma driver is backwards compatible with the legacy
i40iw userspace provider. The current create_qp ABI contains
two 8 byte fields. The legacy i40iw ABI was the same but
also contained two additional fields which were never actually
used. Furthermore, the i40iw userspace provider never explicitly
zero-initialized those extra fields, so there is a chance that
existing binaries are passing non-zero garbage values down
to the kernel.
Previously, the irdma driver only copied out the first 16
bytes and did not have any check for the rest of the buffer
being zero, so that additional garbage didn't matter.
By switching to ib_copy_validate_udata_in(), we will now be
checking to ensure that data beyond the kernel's definition
of the request is all zero.
In order to avoid breaking legacy binaries, we therefore need
to increase the request structure size to cover those garbage
fields.
- Legacy binaries will continue to pass down a 32 byte request,
with the driver copying the entire 32 bytes out but ignoring
the second 16 bytes, just as before.
- Newer binaries will pass down the normal 16 byte request. The
ib_copy_validate_udata_in() call will allow this to succeed
because we use user_compl_ctx as our minimum length (16 bytes).
- If the request is ever extended, the new fields would be
added after the "don't use" fields and would work as per
the normal uAPI mechanism.
Signed-off-by: Jacob Moroni <jmoroni@google.com>
---
drivers/infiniband/hw/irdma/verbs.c | 44 +++++++++++++++--------------
include/uapi/rdma/irdma-abi.h | 1 +
2 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index c1df9ca1b86b..30f2483bdc33 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -627,37 +627,29 @@ static void irdma_setup_virt_qp(struct irdma_device *iwdev,
/**
* irdma_setup_umode_qp - setup sq and rq size in user mode qp
- * @udata: udata
+ * @ucontext: user context
+ * @req: user request pointer
* @iwdev: iwarp device
* @iwqp: qp ptr (user or kernel)
* @info: initialize info to return
* @init_attr: Initial QP create attributes
*/
-static int irdma_setup_umode_qp(struct ib_udata *udata,
+static int irdma_setup_umode_qp(struct irdma_ucontext *ucontext,
+ struct irdma_create_qp_req *req,
struct irdma_device *iwdev,
struct irdma_qp *iwqp,
struct irdma_qp_init_info *info,
struct ib_qp_init_attr *init_attr)
{
- struct irdma_ucontext *ucontext = rdma_udata_to_drv_context(udata,
- struct irdma_ucontext, ibucontext);
struct irdma_qp_uk_init_info *ukinfo = &info->qp_uk_init_info;
- struct irdma_create_qp_req req;
unsigned long flags;
int ret;
- ret = ib_copy_from_udata(&req, udata,
- min(sizeof(req), udata->inlen));
- if (ret) {
- ibdev_dbg(&iwdev->ibdev, "VERBS: ib_copy_from_data fail\n");
- return ret;
- }
-
- iwqp->ctx_info.qp_compl_ctx = req.user_compl_ctx;
+ iwqp->ctx_info.qp_compl_ctx = req->user_compl_ctx;
iwqp->user_mode = 1;
- if (req.user_wqe_bufs) {
+ if (req->user_wqe_bufs) {
spin_lock_irqsave(&ucontext->qp_reg_mem_list_lock, flags);
- iwqp->iwpbl = irdma_get_pbl((unsigned long)req.user_wqe_bufs,
+ iwqp->iwpbl = irdma_get_pbl((unsigned long)req->user_wqe_bufs,
&ucontext->qp_reg_mem_list);
spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
@@ -970,7 +962,6 @@ static int irdma_create_qp(struct ib_qp *ibqp,
struct ib_qp_init_attr *init_attr,
struct ib_udata *udata)
{
-#define IRDMA_CREATE_QP_MIN_REQ_LEN offsetofend(struct irdma_create_qp_req, user_compl_ctx)
#define IRDMA_CREATE_QP_MIN_RESP_LEN offsetofend(struct irdma_create_qp_resp, rsvd)
struct ib_pd *ibpd = ibqp->pd;
struct irdma_pd *iwpd = to_iwpd(ibpd);
@@ -985,6 +976,7 @@ static int irdma_create_qp(struct ib_qp *ibqp,
struct irdma_uk_attrs *uk_attrs = &dev->hw_attrs.uk_attrs;
struct irdma_qp_init_info init_info = {};
struct irdma_qp_host_ctx_info *ctx_info;
+ struct irdma_create_qp_req ureq = {};
struct irdma_srq *iwsrq;
bool srq_valid = false;
u32 srq_id = 0;
@@ -1002,9 +994,14 @@ static int irdma_create_qp(struct ib_qp *ibqp,
if (err_code)
return err_code;
- if (udata && (udata->inlen < IRDMA_CREATE_QP_MIN_REQ_LEN ||
- udata->outlen < IRDMA_CREATE_QP_MIN_RESP_LEN))
- return -EINVAL;
+ if (udata) {
+ if (udata->outlen < IRDMA_CREATE_QP_MIN_RESP_LEN)
+ return -EINVAL;
+
+ err_code = ib_copy_validate_udata_in(udata, ureq, user_compl_ctx);
+ if (err_code)
+ return err_code;
+ }
init_info.vsi = &iwdev->vsi;
init_info.qp_uk_init_info.uk_attrs = uk_attrs;
@@ -1063,9 +1060,14 @@ static int irdma_create_qp(struct ib_qp *ibqp,
init_waitqueue_head(&iwqp->mod_qp_waitq);
if (udata) {
+ struct irdma_ucontext *ucontext =
+ rdma_udata_to_drv_context(udata,
+ struct irdma_ucontext,
+ ibucontext);
+
init_info.qp_uk_init_info.abi_ver = iwpd->sc_pd.abi_ver;
- err_code = irdma_setup_umode_qp(udata, iwdev, iwqp, &init_info,
- init_attr);
+ err_code = irdma_setup_umode_qp(ucontext, &ureq, iwdev, iwqp,
+ &init_info, init_attr);
} else {
INIT_DELAYED_WORK(&iwqp->dwork_flush, irdma_flush_worker);
init_info.qp_uk_init_info.abi_ver = IRDMA_ABI_VER;
diff --git a/include/uapi/rdma/irdma-abi.h b/include/uapi/rdma/irdma-abi.h
index 36f20802bcc8..38155affc8b4 100644
--- a/include/uapi/rdma/irdma-abi.h
+++ b/include/uapi/rdma/irdma-abi.h
@@ -88,6 +88,7 @@ struct irdma_create_srq_resp {
struct irdma_create_qp_req {
__aligned_u64 user_wqe_bufs;
__aligned_u64 user_compl_ctx;
+ __aligned_u64 legacy_dontuse[2];
};
struct irdma_mem_reg_req {
--
2.55.0.rc0.799.gd6f94ed593-goog
next prev parent reply other threads:[~2026-06-29 23:25 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 23:25 [PATCH rdma-next v2 0/5] RDMA/irdma: Adopt robust udata Jacob Moroni
2026-06-29 23:25 ` [PATCH rdma-next v2 1/5] RDMA/irdma: Enforce empty udata input for no-input ops Jacob Moroni
2026-06-29 23:25 ` [PATCH rdma-next v2 2/5] RDMA/irdma: Use robust udata input copy helpers Jacob Moroni
2026-06-29 23:25 ` [PATCH rdma-next v2 3/5] RDMA/irdma: Use ib_respond_empty_udata where applicable Jacob Moroni
2026-06-29 23:25 ` Jacob Moroni [this message]
2026-06-29 23:25 ` [PATCH rdma-next v2 5/5] RDMA/irdma: Enable uverbs_robust_udata compliance flag Jacob Moroni
2026-06-30 17:23 ` [PATCH rdma-next v2 0/5] RDMA/irdma: Adopt robust udata Jacob Moroni
2026-06-30 19:18 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629232532.2057423-5-jmoroni@google.com \
--to=jmoroni@google.com \
--cc=jgg@ziepe.ca \
--cc=leon@kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=tatyana.e.nikolova@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox