All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: maorg@nvidia.com
Cc: linux-rdma@vger.kernel.org
Subject: [bug report] RDMA/mlx5: Add support in MEMIC operations
Date: Tue, 4 May 2021 10:50:44 +0300	[thread overview]
Message-ID: <YJD81HgeXxGUMaik@mwanda> (raw)

Hello Maor Gottlieb,

The patch cea85fa5dbc2: "RDMA/mlx5: Add support in MEMIC operations"
from Apr 11, 2021, leads to the following static checker warning:

	drivers/infiniband/hw/mlx5/dm.c:220 mlx5_ib_handler_MLX5_IB_METHOD_DM_MAP_OP_ADDR()
	error: undefined (user controlled) shift '(((1))) << op'

drivers/infiniband/hw/mlx5/dm.c
   204  static int UVERBS_HANDLER(MLX5_IB_METHOD_DM_MAP_OP_ADDR)(
   205          struct uverbs_attr_bundle *attrs)
   206  {
   207          struct ib_uobject *uobj = uverbs_attr_get_uobject(
   208                  attrs, MLX5_IB_ATTR_DM_MAP_OP_ADDR_REQ_HANDLE);
   209          struct mlx5_ib_dev *dev = to_mdev(uobj->context->device);
   210          struct ib_dm *ibdm = uobj->object;
   211          struct mlx5_ib_dm_memic *dm = to_memic(ibdm);
   212          struct mlx5_ib_dm_op_entry *op_entry;
   213          int err;
   214          u8 op;
   215  
   216          err = uverbs_copy_from(&op, attrs, MLX5_IB_ATTR_DM_MAP_OP_ADDR_REQ_OP);
                                        ^^
op is user controlled and in the 0-255 range.

   217          if (err)
   218                  return err;
   219  
   220          if (!(MLX5_CAP_DEV_MEM(dev->mdev, memic_operations) & BIT(op)))
                                                                      ^^^^^^^
If it's more than 31 then this is undefined (shift wrapping generally).
Plus it might trigger a UBSan warning at run time.

   221                  return -EOPNOTSUPP;
   222  
   223          mutex_lock(&dm->ops_xa_lock);

regards,
dan carpenter

             reply	other threads:[~2021-05-04  7:50 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-04  7:50 Dan Carpenter [this message]
2021-05-04  8:25 ` [bug report] RDMA/mlx5: Add support in MEMIC operations Leon Romanovsky

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YJD81HgeXxGUMaik@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=linux-rdma@vger.kernel.org \
    --cc=maorg@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.