Re: [PATCH] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

[Leon Romanovsky <leon@kernel.org>]

On Tue, May 07, 2024 at 12:39:28PM +0200, Michal Schmidt wrote:
> Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
> with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
> In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
> roundup_pow_of_two is documented as undefined for 0.
> 
> Fix it in the one caller that had this combination.
> 
> The undefined behavior was detected by UBSAN:
>   UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
>   shift exponent 64 is too large for 64-bit type 'long unsigned int'
>   CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
>   Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
>   Call Trace:
>    <TASK>
>    dump_stack_lvl+0x5d/0x80
>    ubsan_epilogue+0x5/0x30
>    __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
>    __roundup_pow_of_two+0x25/0x35 [bnxt_re]
>    bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
>    bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
>    bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    ? __kmalloc+0x1b6/0x4f0
>    ? create_qp.part.0+0x128/0x1c0 [ib_core]
>    ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
>    create_qp.part.0+0x128/0x1c0 [ib_core]
>    ib_create_qp_kernel+0x50/0xd0 [ib_core]
>    create_mad_qp+0x8e/0xe0 [ib_core]
>    ? __pfx_qp_event_handler+0x10/0x10 [ib_core]
>    ib_mad_init_device+0x2be/0x680 [ib_core]
>    add_client_context+0x10d/0x1a0 [ib_core]
>    enable_device_and_get+0xe0/0x1d0 [ib_core]
>    ib_register_device+0x53c/0x630 [ib_core]
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
>    ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
>    auxiliary_bus_probe+0x49/0x80
>    ? driver_sysfs_add+0x57/0xc0
>    really_probe+0xde/0x340
>    ? pm_runtime_barrier+0x54/0x90
>    ? __pfx___driver_attach+0x10/0x10
>    __driver_probe_device+0x78/0x110
>    driver_probe_device+0x1f/0xa0
>    __driver_attach+0xba/0x1c0
>    bus_for_each_dev+0x8f/0xe0
>    bus_add_driver+0x146/0x220
>    driver_register+0x72/0xd0
>    __auxiliary_driver_register+0x6e/0xd0
>    ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
>    bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
>    ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
>    do_one_initcall+0x5b/0x310
>    do_init_module+0x90/0x250
>    init_module_from_file+0x86/0xc0
>    idempotent_init_module+0x121/0x2b0
>    __x64_sys_finit_module+0x5e/0xb0
>    do_syscall_64+0x82/0x160
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    ? syscall_exit_to_user_mode_prepare+0x149/0x170
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    ? syscall_exit_to_user_mode+0x75/0x230
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    ? do_syscall_64+0x8e/0x160
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    ? __count_memcg_events+0x69/0x100
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    ? count_memcg_events.constprop.0+0x1a/0x30
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    ? handle_mm_fault+0x1f0/0x300
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    ? do_user_addr_fault+0x34e/0x640
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    ? srso_alias_return_thunk+0x5/0xfbef5
>    entry_SYSCALL_64_after_hwframe+0x76/0x7e
>   RIP: 0033:0x7f4e5132821d
>   Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
>   RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
>   RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
>   RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
>   RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
>   R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
>   R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
>    </TASK>
>   ---[ end trace ]---
> 
> Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
> Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
> ---
>  drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
> index 439d0c7c5d0c..04258676d072 100644
> --- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
> +++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
> @@ -1013,7 +1013,8 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
>  	hwq_attr.stride = sizeof(struct sq_sge);
>  	hwq_attr.depth = bnxt_qplib_get_depth(sq);
>  	hwq_attr.aux_stride = psn_sz;
> -	hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
> +	hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
> +				    : 0;

Looks correct to me. Let's wait for Selvin to ack/nack it.

Thanks

>  	/* Update msn tbl size */
>  	if (BNXT_RE_HW_RETX(qp->dev_cap_flags) && psn_sz) {
>  		hwq_attr.aux_depth = roundup_pow_of_two(bnxt_qplib_set_sq_size(sq, qp->wqe_mode));
> -- 
> 2.44.0
>