From: Jason Gunthorpe <jgg@mellanox.com>
Date: Mon, 25 Jun 2018 16:03:41 -0600
Subject: IB/core: Check for rdma_protocol_ib only after validating port_num
Patch-mainline: v4.19-rc1
Git-commit: 7a5c938b9ed0985ea09b821b4b7f12b5e3d88d5d
References: bsc#1103992 FATE#326009

port_num is untrusted data from the user, so it should be checked after
calling fill_sgid_attr, which validates it.

Fixes: 8d9ec9addd6c ("IB/core: Add a sgid_attr pointer to struct rdma_ah_attr")
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
 drivers/infiniband/core/verbs.c |   19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -1581,14 +1581,6 @@ static int _ib_modify_qp(struct ib_qp *q
 	const struct ib_gid_attr *old_sgid_attr_alt_av;
 	int ret;
 
-	/*
-	 * Today the core code can only handle alternate paths and APM for IB
-	 * ban them in roce mode.
-	 */
-	if (attr_mask & IB_QP_ALT_PATH &&
-	    !rdma_protocol_ib(qp->device, attr->alt_ah_attr.port_num))
-		return -EINVAL;
-
 	if (attr_mask & IB_QP_AV) {
 		ret = rdma_fill_sgid_attr(qp->device, &attr->ah_attr,
 					  &old_sgid_attr_av);
@@ -1607,6 +1599,17 @@ static int _ib_modify_qp(struct ib_qp *q
 					  &old_sgid_attr_alt_av);
 		if (ret)
 			goto out_av;
+
+		/*
+		 * Today the core code can only handle alternate paths and APM
+		 * for IB. Ban them in roce mode.
+		 */
+		if (!(rdma_protocol_ib(qp->device,
+				       attr->alt_ah_attr.port_num) &&
+		      rdma_protocol_ib(qp->device, port))) {
+			ret = EINVAL;
+			goto out;
+		}
 	}
 
 	/*