From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
To: longli@microsoft.com, kotaranov@microsoft.com,
Jason Gunthorpe <jgg@ziepe.ca>, Leon Romanovsky <leon@kernel.org>,
linux-rdma@vger.kernel.org, linux-hyperv@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Subject: [PATCH rdma-next v2] RDMA/mana_ib: hardening: Clamp adapter capability values from MANA_IB_GET_ADAPTER_CAP
Date: Thu, 12 Mar 2026 11:16:41 -0700 [thread overview]
Message-ID: <20260312181642.989735-1-ernis@linux.microsoft.com> (raw)
As part of MANA hardening for CVM, clamp hardware-reported adapter
capability values from the MANA_IB_GET_ADAPTER_CAP response before
they are used by the IB subsystem.
The response fields (max_qp_count, max_cq_count, max_mr_count,
max_pd_count, max_inbound_read_limit, max_outbound_read_limit,
max_qp_wr, max_send_sge_count, max_recv_sge_count) are u32 but are
assigned to signed int members in struct ib_device_attr. If hardware
returns a value exceeding INT_MAX, the implicit u32-to-int conversion
produces a negative value, which can cause incorrect behavior in the
IB core and userspace applications.
Clamp these fields to INT_MAX in mana_ib_gd_query_adapter_caps() so
all downstream consumers receive safe values.
Additionally, fix an integer overflow in mana_ib_query_device() where
max_res_rd_atom is computed as max_qp_rd_atom * max_qp. Both operands
are int and the multiplication can overflow. Widen to s64 before
multiplying and clamp the result to INT_MAX.
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
---
Changes in v2:
* Update patch title.
---
drivers/infiniband/hw/mana/main.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/drivers/infiniband/hw/mana/main.c b/drivers/infiniband/hw/mana/main.c
index 8d99cd00f002..2869660077ef 100644
--- a/drivers/infiniband/hw/mana/main.c
+++ b/drivers/infiniband/hw/mana/main.c
@@ -599,7 +599,8 @@ int mana_ib_query_device(struct ib_device *ibdev, struct ib_device_attr *props,
props->max_mr = dev->adapter_caps.max_mr_count;
props->max_pd = dev->adapter_caps.max_pd_count;
props->max_qp_rd_atom = dev->adapter_caps.max_inbound_read_limit;
- props->max_res_rd_atom = props->max_qp_rd_atom * props->max_qp;
+ props->max_res_rd_atom =
+ min_t(s64, (s64)props->max_qp_rd_atom * props->max_qp, INT_MAX);
props->max_qp_init_rd_atom = dev->adapter_caps.max_outbound_read_limit;
props->atomic_cap = IB_ATOMIC_NONE;
props->masked_atomic_cap = IB_ATOMIC_NONE;
@@ -694,20 +695,22 @@ int mana_ib_gd_query_adapter_caps(struct mana_ib_dev *dev)
caps->max_sq_id = resp.max_sq_id;
caps->max_rq_id = resp.max_rq_id;
caps->max_cq_id = resp.max_cq_id;
- caps->max_qp_count = resp.max_qp_count;
- caps->max_cq_count = resp.max_cq_count;
- caps->max_mr_count = resp.max_mr_count;
- caps->max_pd_count = resp.max_pd_count;
- caps->max_inbound_read_limit = resp.max_inbound_read_limit;
- caps->max_outbound_read_limit = resp.max_outbound_read_limit;
+ caps->max_qp_count = min_t(u32, resp.max_qp_count, INT_MAX);
+ caps->max_cq_count = min_t(u32, resp.max_cq_count, INT_MAX);
+ caps->max_mr_count = min_t(u32, resp.max_mr_count, INT_MAX);
+ caps->max_pd_count = min_t(u32, resp.max_pd_count, INT_MAX);
+ caps->max_inbound_read_limit = min_t(u32, resp.max_inbound_read_limit,
+ INT_MAX);
+ caps->max_outbound_read_limit = min_t(u32, resp.max_outbound_read_limit,
+ INT_MAX);
caps->mw_count = resp.mw_count;
caps->max_srq_count = resp.max_srq_count;
caps->max_qp_wr = min_t(u32,
resp.max_requester_sq_size / GDMA_MAX_SQE_SIZE,
resp.max_requester_rq_size / GDMA_MAX_RQE_SIZE);
caps->max_inline_data_size = resp.max_inline_data_size;
- caps->max_send_sge_count = resp.max_send_sge_count;
- caps->max_recv_sge_count = resp.max_recv_sge_count;
+ caps->max_send_sge_count = min_t(u32, resp.max_send_sge_count, INT_MAX);
+ caps->max_recv_sge_count = min_t(u32, resp.max_recv_sge_count, INT_MAX);
caps->feature_flags = resp.feature_flags;
caps->page_size_cap = PAGE_SZ_BM;
--
2.34.1
next reply other threads:[~2026-03-12 18:16 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 18:16 Erni Sri Satya Vennela [this message]
2026-03-12 18:43 ` [PATCH rdma-next v2] RDMA/mana_ib: hardening: Clamp adapter capability values from MANA_IB_GET_ADAPTER_CAP Long Li
2026-03-12 22:48 ` Jason Gunthorpe
2026-03-16 19:49 ` Leon Romanovsky
2026-03-16 20:50 ` [EXTERNAL] " Long Li
2026-03-17 9:44 ` Leon Romanovsky
2026-03-21 0:56 ` Long Li
2026-03-22 18:50 ` Leon Romanovsky
2026-04-10 15:43 ` Jason Gunthorpe
2026-04-10 22:29 ` Long Li
2026-04-13 13:46 ` Jason Gunthorpe
2026-04-13 18:00 ` Long Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260312181642.989735-1-ernis@linux.microsoft.com \
--to=ernis@linux.microsoft.com \
--cc=jgg@ziepe.ca \
--cc=kotaranov@microsoft.com \
--cc=leon@kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=longli@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.