author | Haggai Abramovsky <hagaya@mellanox.com> | 2016-01-14 18:12:56 +0100 |
---|---|---|
committer | Doug Ledford <dledford@redhat.com> | 2016-01-21 18:01:08 +0100 |
commit | dfbee8598d24668b882bcc97d28d5108441cc88a (patch) | |
tree | fa0658b0b454eb0d4d6b1999ec60a3c27a439ca8 /drivers/infiniband | |
parent | IB/sa: Fix netlink local service GFP crash (diff) | |
IB/mlx5: Fix data validation in mlx5_ib_alloc_ucontext
The wrong buffer size was passed to ib_is_udata_cleared.
Signed-off-by: Haggai Abramovsky <hagaya@mellanox.com>
Reviewed-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Diffstat (limited to 'drivers/infiniband')
-rw-r--r-- | drivers/infiniband/hw/mlx5/main.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index f509dcb85665..f82336699c3e 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -845,6 +845,9 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev,
 if (!dev->ib_active)
 return ERR_PTR(-EAGAIN);
+ if (udata->inlen < sizeof(struct ib_uverbs_cmd_hdr))
+ return ERR_PTR(-EINVAL);
+
 reqlen = udata->inlen - sizeof(struct ib_uverbs_cmd_hdr);
 if (reqlen == sizeof(struct mlx5_ib_alloc_ucontext_req))
 ver = 0;
@@ -871,7 +874,7 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev,
 if (reqlen > sizeof(req) &&
 !ib_is_udata_cleared(udata, sizeof(req),
- udata->inlen - sizeof(req)))
+ reqlen - sizeof(req)))
 return ERR_PTR(-EOPNOTSUPP);
 req.total_num_uuars = ALIGN(req.total_num_uuars, |
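Review bot: The length guard added before the `reqlen` assignment carries no comment and is not mentioned in the commit description, which only covers the size passed to ib_is_udata_cleared. `udata->inlen` is the caller-supplied input length, and if `reqlen` is unsigned (its declaration is outside the hunk) a short `inlen` would make the subtraction on the next line wrap to a very large value instead of failing. A one-line comment such as `/* inlen comes from user space: reject short input so reqlen cannot wrap */` above the check would record why it must stay ahead of the subtraction. The body of mlx5_ib_alloc_ucontext starts and ends outside the hunk.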
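Review bot: Nothing at the `ib_is_udata_cleared()` call site says which length base is expected, which is how `udata->inlen` ended up there in the first place. The offset `sizeof(req)` appears to be relative to the request payload, so the length has to be taken from `reqlen` (header already subtracted) rather than from `inlen`. A comment above the `if`, e.g. `/* bytes past the known request layout must be zero; reqlen excludes the uverbs command header */`, would guard against a later edit reintroducing the header-inclusive length. The subtraction `reqlen - sizeof(req)` is only safe because `reqlen > sizeof(req)` is evaluated first, so the two operands of `&&` should keep this order. The enclosing function extends beyond the hunk on both sides.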