From: Leon Romanovsky <leon@kernel.org>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: maorg@nvidia.com, linux-rdma@vger.kernel.org
Subject: Re: [bug report] RDMA/mlx5: Add support in MEMIC operations
Date: Tue, 4 May 2021 11:25:50 +0300 [thread overview]
Message-ID: <YJEFDmeCW3IjTdWc@unreal> (raw)
In-Reply-To: <YJD81HgeXxGUMaik@mwanda>
On Tue, May 04, 2021 at 10:50:44AM +0300, Dan Carpenter wrote:
> Hello Maor Gottlieb,
>
> The patch cea85fa5dbc2: "RDMA/mlx5: Add support in MEMIC operations"
> from Apr 11, 2021, leads to the following static checker warning:
>
> drivers/infiniband/hw/mlx5/dm.c:220 mlx5_ib_handler_MLX5_IB_METHOD_DM_MAP_OP_ADDR()
> error: undefined (user controlled) shift '(((1))) << op'
>
> drivers/infiniband/hw/mlx5/dm.c
> 204 static int UVERBS_HANDLER(MLX5_IB_METHOD_DM_MAP_OP_ADDR)(
> 205 struct uverbs_attr_bundle *attrs)
> 206 {
> 207 struct ib_uobject *uobj = uverbs_attr_get_uobject(
> 208 attrs, MLX5_IB_ATTR_DM_MAP_OP_ADDR_REQ_HANDLE);
> 209 struct mlx5_ib_dev *dev = to_mdev(uobj->context->device);
> 210 struct ib_dm *ibdm = uobj->object;
> 211 struct mlx5_ib_dm_memic *dm = to_memic(ibdm);
> 212 struct mlx5_ib_dm_op_entry *op_entry;
> 213 int err;
> 214 u8 op;
> 215
> 216 err = uverbs_copy_from(&op, attrs, MLX5_IB_ATTR_DM_MAP_OP_ADDR_REQ_OP);
> ^^
> op is user controlled and in the 0-255 range.
>
> 217 if (err)
> 218 return err;
> 219
> 220 if (!(MLX5_CAP_DEV_MEM(dev->mdev, memic_operations) & BIT(op)))
> ^^^^^^^
> If it's more than 31 then this is undefined (shift wrapping generally).
> Plus it might trigger a UBSan warning at run time.
Thanks Dan, we will prepare the proper patch.
It should be something like this:
diff --git a/drivers/infiniband/hw/mlx5/dm.c b/drivers/infiniband/hw/mlx5/dm.c
index 094bf85589db..dd4480aed1aa 100644
--- a/drivers/infiniband/hw/mlx5/dm.c
+++ b/drivers/infiniband/hw/mlx5/dm.c
@@ -217,6 +217,9 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_DM_MAP_OP_ADDR)(
if (err)
return err;
+ if (op > 31)
+ return -EINVAL;
+
if (!(MLX5_CAP_DEV_MEM(dev->mdev, memic_operations) & BIT(op)))
return -EOPNOTSUPP;
>
> 221 return -EOPNOTSUPP;
> 222
> 223 mutex_lock(&dm->ops_xa_lock);
>
> regards,
> dan carpenter
prev parent reply other threads:[~2021-05-04 8:25 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-04 7:50 [bug report] RDMA/mlx5: Add support in MEMIC operations Dan Carpenter
2021-05-04 8:25 ` Leon Romanovsky [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YJEFDmeCW3IjTdWc@unreal \
--to=leon@kernel.org \
--cc=dan.carpenter@oracle.com \
--cc=linux-rdma@vger.kernel.org \
--cc=maorg@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.