From: Leon Romanovsky <leonro@mellanox.com>
Date: Wed, 21 Feb 2018 18:12:40 +0200
Subject: RDMa/uverbs: Copy ex_hdr outside of SRCU read lock
Patch-mainline: v4.17-rc1
Git-commit: e21719fbbd1786c09132e0483c72c136a61b79ed
References: bsc#1103992 FATE#326009
The SRCU read lock protects the IB device pointer
and doesn't need to be called before copying user
provided header.
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
drivers/infiniband/core/uverbs_main.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -709,8 +709,12 @@ static ssize_t ib_uverbs_write(struct fi
(command != IB_USER_VERBS_CMD_GET_CONTEXT || extended))
return -EINVAL;
- if (extended && count < (sizeof(hdr) + sizeof(ex_hdr)))
- return -EINVAL;
+ if (extended) {
+ if (count < (sizeof(hdr) + sizeof(ex_hdr)))
+ return -EINVAL;
+ if (copy_from_user(&ex_hdr, buf + sizeof(hdr), sizeof(ex_hdr)))
+ return -EFAULT;
+ }
srcu_key = srcu_read_lock(&file->device->disassociate_srcu);
ib_dev = srcu_dereference(file->device->ib_dev,
@@ -740,11 +744,6 @@ static ssize_t ib_uverbs_write(struct fi
struct ib_udata uhw;
size_t written_count = count;
- if (copy_from_user(&ex_hdr, buf + sizeof(hdr), sizeof(ex_hdr))) {
- ret = -EFAULT;
- goto out;
- }
-
count -= sizeof(hdr) + sizeof(ex_hdr);
buf += sizeof(hdr) + sizeof(ex_hdr);