From 84eacd11881cf9fb2f3722f8b4ce03ec1ab5a636 Mon Sep 17 00:00:00 2001
From: wangsirong <wangsirong@huawei.com>
Date: Thu, 16 May 2019 16:57:27 +0800
Subject: [PATCH] RDMA/hns: Add a comparision of udata and resp data

driver inclusion
category: bugfix
bugzilla: NA
CVE: NA

If length of udata is less than resp data, it should use the minimum value

Feature or Bugfix:Bugfix

Signed-off-by: wangsirong <wangsirong@huawei.com>
Reviewed-by: liyangyang20 <liyangyang20@huawei.com>
Reviewed-by: hdd.huang <hdd.huang@huawei.com>
Reviewed-by: wangxi <wangxi11@huawei.com>
Reviewed-by: liuyixian <liuyixian@huawei.com>
Reviewed-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/infiniband/hw/hns/hns_roce_cq.c   | 2 +-
 drivers/infiniband/hw/hns/hns_roce_main.c | 2 +-
 drivers/infiniband/hw/hns/hns_roce_qp.c   | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/hw/hns/hns_roce_cq.c b/drivers/infiniband/hw/hns/hns_roce_cq.c
index 5017b63ed5e9..332b79e98be7 100644
--- a/drivers/infiniband/hw/hns/hns_roce_cq.c
+++ b/drivers/infiniband/hw/hns/hns_roce_cq.c
@@ -505,7 +505,7 @@ struct ib_cq *hns_roce_ib_create_cq(struct ib_device *ib_dev,
 
 	if (context) {
 		resp.cqn = hr_cq->cqn;
-		ret = ib_copy_to_udata(udata, &resp, sizeof(resp));
+		ret = ib_copy_to_udata(udata, &resp, min(udata->outlen, sizeof(resp)));
 		if (ret)
 			goto err_cqc;
 	}
diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
index 8e76b2424d1e..7308c950ebf0 100644
--- a/drivers/infiniband/hw/hns/hns_roce_main.c
+++ b/drivers/infiniband/hw/hns/hns_roce_main.c
@@ -556,7 +556,7 @@ static struct ib_ucontext *hns_roce_alloc_ucontext(struct ib_device *ib_dev,
 		mutex_init(&context->page_mutex);
 	}
 
-	ret = ib_copy_to_udata(udata, &resp, sizeof(resp));
+	ret = ib_copy_to_udata(udata, &resp, min(udata->outlen, sizeof(resp)));
 	if (ret)
 		goto error_fail_copy_to_udata;
 
diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
index e44b3d6c9f72..938deef252dd 100644
--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
+++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
@@ -988,8 +988,8 @@ static int hns_roce_create_qp_common(struct hns_roce_dev *hr_dev,
 	else
 		hr_qp->doorbell_qpn = (u32)(hr_qp->qpn);
 
-	if (ib_pd->uobject && (udata->outlen >= sizeof(resp))) {
-		ret = ib_copy_to_udata(udata, &resp, sizeof(resp));
+	if (ib_pd->uobject) {
+		ret = ib_copy_to_udata(udata, &resp, min(udata->outlen, sizeof(resp)));
 		if (ret)
 			goto err_qp;
 	}
-- 
GitLab