From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, syzkaller <syzkaller@googlegroups.com>,
	Noa Osherovich <noaos@mellanox.com>,
	Leon Romanovsky <leonro@mellanox.com>,
	Doug Ledford <dledford@redhat.com>
Subject: [PATCH 4.9 18/32] RDMA/mlx5: Protect from shift operand overflow
Date: Tue,  8 May 2018 10:10:58 +0200
Message-ID: <20180508074011.776302542@linuxfoundation.org>
In-Reply-To: <20180508074008.800421598@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream.

Ensure that user didn't supply values too large that can cause overflow.

UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:263:23
shift exponent -2147483648 is negative
CPU: 0 PID: 292 Comm: syzkaller612609 Not tainted 4.16.0-rc1+ #131
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
Call Trace:
dump_stack+0xde/0x164
ubsan_epilogue+0xe/0x81
set_rq_size+0x7c2/0xa90
create_qp_common+0xc18/0x43c0
mlx5_ib_create_qp+0x379/0x1ca0
create_qp.isra.5+0xc94/0x2260
ib_uverbs_create_qp+0x21b/0x2a0
ib_uverbs_write+0xc2c/0x1010
vfs_write+0x1b0/0x550
SyS_write+0xc7/0x1a0
do_syscall_64+0x1aa/0x740
entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x433569
RSP: 002b:00007ffc6e62f448 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433569
RDX: 0000000000000070 RSI: 00000000200042c0 RDI: 0000000000000003
RBP: 00000000006d5018 R08: 00000000004002f8 R09: 00000000004002f8
R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000
R13: 000000000040c9f0 R14: 000000000040ca80 R15: 0000000000000006

Cc: <stable@vger.kernel.org> # 3.10
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Cc: syzkaller <syzkaller@googlegroups.com>
Reported-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/mlx5/qp.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -253,7 +253,11 @@ static int set_rq_size(struct mlx5_ib_de
 	} else {
 		if (ucmd) {
 			qp->rq.wqe_cnt = ucmd->rq_wqe_count;
+			if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift))
+				return -EINVAL;
 			qp->rq.wqe_shift = ucmd->rq_wqe_shift;
+			if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig)
+				return -EINVAL;
 			qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig;
 			qp->rq.max_post = qp->rq.wqe_cnt;
 		} else {
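
Review bot: The new bound on `ucmd->rq_wqe_shift` uses `>` and is derived from the width of the ucmd field, not from the type of the operand that is actually shifted, so a value equal to the field's bit width still passes and reaches `1 << qp->rq.wqe_shift`. That expression shifts a plain `int` literal; a shift count equal to or larger than the width of `int` is undefined, and a count of one less than that width moves the bit into the sign position. Consider rejecting with `>=` against the width of the shifted type (or a tighter limit that matches the largest WQE size the device supports), and shifting an unsigned value (`1U << ...`) in both the new check and the `max_gs` computation. The second added check, which keeps `max_gs` from going below zero when `qp->wq_sig` is subtracted, depends on that shift being well defined, so the ordering of the two checks is right but the first one needs to be strict for the second to be meaningful.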
