RDMA/uverbs: Don't fail in creation of multiple flows

The conversion from offsetof() calculations to sizeof() wrongly behaved for missed exact size and in scenario with more than one flow. In such scenario we got "create flow failed, flow 10: 8 bytes left from uverb cmd" error, which is wrong because the size of kern_spec is exactly 8 bytes, and we were not supposed to fail. Cc: <stable@vger.kernel.org> # 3.12 Fixes: 4fae7f17 ("RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow") Reported-by: N Ran Rozenstein <ranro@mellanox.com> Signed-off-by: N Leon Romanovsky <leonro@mellanox.com> Signed-off-by: N Jason Gunthorpe <jgg@mellanox.com>

RDMA/uverbs: Don't fail in creation of multiple flows
The conversion from offsetof() calculations to sizeof() wrongly behaved for missed exact size and in scenario with more than one flow. In such scenario we got "create flow failed, flow 10: 8 bytes left from uverb cmd" error, which is wrong because the size of kern_spec is exactly 8 bytes, and we were not supposed to fail. Cc: <stable@vger.kernel.org> # 3.12 Fixes: 4fae7f17 ("RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow") Reported-by: N Ran Rozenstein <ranro@mellanox.com> Signed-off-by: N Leon Romanovsky <leonro@mellanox.com> Signed-off-by: N Jason Gunthorpe <jgg@mellanox.com>
fe48aecb · Leon Romanovsky · Jason Gunthorpe · b697d7d8 · fe48aecb
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/infiniband/core/uverbs_cmd.c drivers/infiniband/core/uverbs_cmd.c +1 -1

未找到文件。
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -3586,7 +3586,7 @@ int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file,
 	kern_spec = kern_flow_attr->flow_specs;
 	ib_spec = flow_attr + 1;
 	for (i = 0; i < flow_attr->num_of_specs &&
-			cmd.flow_attr.size > sizeof(*kern_spec) &&
+			cmd.flow_attr.size >= sizeof(*kern_spec) &&
 			cmd.flow_attr.size >= kern_spec->size;
 	     i++) {
 		err = kern_spec_to_ib_spec(