From: Jason Gunthorpe <jgg@ziepe.ca>
To: Leon Romanovsky <leon@kernel.org>
Cc: Doug Ledford <dledford@redhat.com>,
RDMA mailing list <linux-rdma@vger.kernel.org>,
Hadar Hen Zion <hadarh@mellanox.com>,
Matan Barak <matanb@mellanox.com>,
Michael J Ruhl <michael.j.ruhl@intel.com>,
Noa Osherovich <noaos@mellanox.com>,
Raed Salem <raeds@mellanox.com>,
Yishai Hadas <yishaih@mellanox.com>,
Saeed Mahameed <saeedm@mellanox.com>,
linux-netdev <netdev@vger.kernel.org>
Subject: Re: [PATCH rdma-next 09/12] RDMA/mlx5: Fix shift overflow in mlx5_ib_create_wq
Date: Mon, 25 Jun 2018 08:58:15 -0600
Message-ID: <20180625145815.GA5381@ziepe.ca>
In-Reply-To: <20180625081041.GI17747@mtr-leonro.mtl.com>

On Mon, Jun 25, 2018 at 11:10:41AM +0300, Leon Romanovsky wrote:
> On Sun, Jun 24, 2018 at 01:56:24PM -0600, Jason Gunthorpe wrote:
> > On Sun, Jun 24, 2018 at 11:23:50AM +0300, Leon Romanovsky wrote:
> > > From: Leon Romanovsky <leonro@mellanox.com>
> > >
> > > [ 61.182439] UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:5366:34
> > > [ 61.183673] shift exponent 4294967288 is too large for 32-bit type 'unsigned int'
> > > [ 61.185530] CPU: 0 PID: 639 Comm: qp Not tainted 4.18.0-rc1-00037-g4aa1d69a9c60-dirty #96
> > > [ 61.186981] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
> > > [ 61.188315] Call Trace:
> > > [ 61.188661] dump_stack+0xc7/0x13b
> > > [ 61.190427] ubsan_epilogue+0x9/0x49
> > > [ 61.190899] __ubsan_handle_shift_out_of_bounds+0x1ea/0x22f
> > > [ 61.197040] mlx5_ib_create_wq+0x1c99/0x1d50
> > > [ 61.206632] ib_uverbs_ex_create_wq+0x499/0x820
> > > [ 61.213892] ib_uverbs_write+0x77e/0xae0
> > > [ 61.248018] vfs_write+0x121/0x3b0
> > > [ 61.249831] ksys_write+0xa1/0x120
> > > [ 61.254024] do_syscall_64+0x7c/0x2a0
> > > [ 61.256178] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > [ 61.259211] RIP: 0033:0x7f54bab70e99
> > > [ 61.262125] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89
> > > [ 61.268678] RSP: 002b:00007ffe1541c318 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> > > [ 61.271076] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f54bab70e99
> > > [ 61.273795] RDX: 0000000000000070 RSI: 0000000020000240 RDI: 0000000000000003
> > > [ 61.276982] RBP: 00007ffe1541c330 R08: 00000000200078e0 R09: 0000000000000002
> > > [ 61.280035] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004005c0
> > > [ 61.283279] R13: 00007ffe1541c420 R14: 0000000000000000 R15: 0000000000000000
> > >
> > > Cc: <stable@vger.kernel.org> # 4.7
> > > Fixes: 79b20a6c3014 ("IB/mlx5: Add receive Work Queue verbs")
> > > Cc: syzkaller <syzkaller@googlegroups.com>
> > > Reported-by: Noa Osherovich <noaos@mellanox.com>
> > > Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> > > drivers/infiniband/hw/mlx5/qp.c | 6 +++++-
> > > 1 file changed, 5 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
> > > index 6034a670859f..8e40263fd40e 100644
> > > +++ b/drivers/infiniband/hw/mlx5/qp.c
> > > @@ -5377,7 +5377,11 @@ static int set_user_rq_size(struct mlx5_ib_dev *dev,
> > >
> > > rwq->wqe_count = ucmd->rq_wqe_count;
> > > rwq->wqe_shift = ucmd->rq_wqe_shift;
> > > - rwq->buf_size = (rwq->wqe_count << rwq->wqe_shift);
> > > + rwq->buf_size =
> > > + shift_overflow((size_t)rwq->wqe_count, (size_t)rwq->wqe_shift);
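
Review bot: In set_user_rq_size(), the result of shift_overflow() is assigned to rwq->buf_size, but the quoted lines do not show it being tested for the helper's overflow result before the function carries on. The diffstat reports 5 insertions and only two are quoted here, so the check may sit in the lines that follow; if it does not, buf_size has to be validated and the request rejected before the value is used, because rwq->wqe_shift is copied directly from ucmd->rq_wqe_shift and the UBSAN report shows a shift exponent of 4294967288. The commit message also consists only of the splat; one sentence naming rq_wqe_shift as the unvalidated user input would help whoever backports this to stable.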
> >
> > The casts are redundant, the function argument is already size_t so
> > implicit promotion is guaranteed.
>
> rwq->wqe_count and rwq->wqe_shift are declared as u32 and not as size_t.
>
> https://elixir.bootlin.com/linux/latest/source/drivers/infiniband/hw/mlx5/mlx5_ib.h#L296

It doesn't matter, passing them to a function accepting size_t does
implicit promotion, the same as the explicit cast.

Jason
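
The argument-conversion point above, as an added example that is not part of the original message or of the kernel source: `checked_shl` is a hypothetical checked left shift (not the kernel's `shift_overflow()`), and `struct rwq_sample` is a constructed stand-in for the two u32 fields. It shows that calling a `size_t`-taking function with and without casts gives identical results, including for the shift exponent from the UBSAN report.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical checked shift for this example; NOT the kernel's shift_overflow(). */
static bool checked_shl(size_t a, size_t s, size_t *out)
{
    if (s >= sizeof(size_t) * CHAR_BIT)   /* exponent >= type width is UB in C */
        return false;
    if (a > (SIZE_MAX >> s))              /* set bits would be shifted out */
        return false;
    *out = a << s;
    return true;
}

/* Constructed stand-in for the two u32 fields discussed in the thread. */
struct rwq_sample { uint32_t wqe_count; uint32_t wqe_shift; };

/* No casts: the prototype converts each u32 argument to size_t. */
static bool buf_size_implicit(const struct rwq_sample *q, size_t *out)
{
    return checked_shl(q->wqe_count, q->wqe_shift, out);
}

/* Explicit casts, as written in the quoted hunk. */
static bool buf_size_explicit(const struct rwq_sample *q, size_t *out)
{
    return checked_shl((size_t)q->wqe_count, (size_t)q->wqe_shift, out);
}

/* 1 when both call styles return the same status and the same size. */
static int styles_agree(uint32_t count, uint32_t shift)
{
    struct rwq_sample q = { count, shift };
    size_t a = 0, b = 0;
    bool ra = buf_size_implicit(&q, &a), rb = buf_size_explicit(&q, &b);
    return ra == rb && a == b;
}

int main(void)
{
    /* 4294967288 is the shift exponent from the UBSAN report above. */
    printf("agree(64,6)=%d agree(1,4294967288)=%d\n",
           styles_agree(64, 6), styles_agree(1, 4294967288u));
    return 0;
}
```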