IB/mlx5: Fix kernel to user leak prevention logic
authorEli Cohen <eli@mellanox.com>
Tue, 3 Jan 2017 21:55:19 +0000 (23:55 +0200)
committerLeon Romanovsky <leon@kernel.org>
Sun, 8 Jan 2017 09:21:26 +0000 (11:21 +0200)
The logic was broken as it failed to update the response length for
architectures with PAGE_SIZE larger than 4kB. As a result further
extension of the ucontext response struct would fail.

Fixes: d69e3bcf7976 ('IB/mlx5: Mmap the HCA's core clock register to user-space')
Signed-off-by: Eli Cohen <eli@mellanox.com>
Reviewed-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
drivers/infiniband/hw/mlx5/main.c

index 86c61e73780e6f2bd55faef074af241dd58c346e..852b5b7b4897c3374876b4c73a8097d173dacf3c 100644 (file)
@@ -1148,13 +1148,13 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev,
         * pretend we don't support reading the HCA's core clock. This is also
         * forced by mmap function.
         */
-       if (PAGE_SIZE <= 4096 &&
-           field_avail(typeof(resp), hca_core_clock_offset, udata->outlen)) {
-               resp.comp_mask |=
-                       MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_CORE_CLOCK_OFFSET;
-               resp.hca_core_clock_offset =
-                       offsetof(struct mlx5_init_seg, internal_timer_h) %
-                       PAGE_SIZE;
+       if (field_avail(typeof(resp), hca_core_clock_offset, udata->outlen)) {
+               if (PAGE_SIZE <= 4096) {
+                       resp.comp_mask |=
+                               MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_CORE_CLOCK_OFFSET;
+                       resp.hca_core_clock_offset =
+                               offsetof(struct mlx5_init_seg, internal_timer_h) % PAGE_SIZE;
+               }
                resp.response_length += sizeof(resp.hca_core_clock_offset) +
                                        sizeof(resp.reserved2);
        }