diff options
author | Leon Romanovsky <leonro@mellanox.com> | 2018-07-01 14:31:54 +0200 |
---|---|---|
committer | Jason Gunthorpe <jgg@mellanox.com> | 2018-07-03 22:08:00 +0200 |
commit | fe48aecb4df837540f13b5216f27ddb306aaf4b9 (patch) | |
tree | fcc1c2912adf760e31e38e60f024fc4be97035db /drivers | |
parent | IB/hfi1: Fix incorrect mixing of ERR_PTR and NULL return values (diff) | |
download | linux-fe48aecb4df837540f13b5216f27ddb306aaf4b9.tar.xz linux-fe48aecb4df837540f13b5216f27ddb306aaf4b9.zip |
RDMA/uverbs: Don't fail in creation of multiple flows
The conversion from offsetof() calculations to sizeof()
wrongly behaved for missed exact size and in scenario with
more than one flow.
In such scenario we got "create flow failed, flow 10: 8 bytes
left from uverb cmd" error, which is wrong because the size of
kern_spec is exactly 8 bytes, and we were not supposed to fail.
Cc: <stable@vger.kernel.org> # 3.12
Fixes: 4fae7f170416 ("RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow")
Reported-by: Ran Rozenstein <ranro@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/infiniband/core/uverbs_cmd.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index 87ffeebc0b28..cc06e8404e9b 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -3586,7 +3586,7 @@ int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file, kern_spec = kern_flow_attr->flow_specs; ib_spec = flow_attr + 1; for (i = 0; i < flow_attr->num_of_specs && - cmd.flow_attr.size > sizeof(*kern_spec) && + cmd.flow_attr.size >= sizeof(*kern_spec) && cmd.flow_attr.size >= kern_spec->size; i++) { err = kern_spec_to_ib_spec( |