From: coverity-bot <keescook@chromium.org>
To: Mustafa Ismail <mustafa.ismail@intel.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>,
Shiraz Saleem <shiraz.saleem@intel.com>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
linux-next@vger.kernel.org
Subject: Coverity: irdma_reg_user_mr(): TAINTED_SCALAR
Date: Tue, 8 Jun 2021 11:00:35 -0700
Message-ID: <202106081059.A515282@keescook>

Hello!

This is an experimental semi-automated report about issues detected by
Coverity from a scan of next-20210608 as part of the linux-next scan project:
https://scan.coverity.com/projects/linux-next-weekly-scan

You're getting this email because you were associated with the identified
lines of code (noted below) that were touched by commits:

  Wed Jun 2 19:55:18 2021 -0300
    b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")

(Editor's note: I believe the issues below are basically summarized as
"the contents of req came from userspace and did not get validated before
being used for things like array indexing, etc")

Coverity reported the following:

*** CID 1505160: (TAINTED_SCALAR)
/drivers/infiniband/hw/irdma/verbs.c: 2812 in irdma_reg_user_mr()
2806 list_add_tail(&iwpbl->list, &ucontext->qp_reg_mem_list);
2807 iwpbl->on_list = true;
2808 spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
2809 break;
2810 case IRDMA_MEMREG_TYPE_CQ:
2811 use_pbles = (req.cq_pages > 1);
vvv CID 1505160: (TAINTED_SCALAR)
vvv Passing tainted variable "req.rq_pages" to a tainted sink.
2812 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
2813 if (err)
2814 goto error;
2815
2816 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
2817 ibucontext);
/drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
2793 iwmr->type = req.reg_type;
2794 iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
2795
2796 switch (req.reg_type) {
2797 case IRDMA_MEMREG_TYPE_QP:
2798 use_pbles = ((req.sq_pages + req.rq_pages) > 2);
vvv CID 1505160: (TAINTED_SCALAR)
vvv Passing tainted variable "req.cq_pages" to a tainted sink.
2799 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
2800 if (err)
2801 goto error;
2802
2803 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
2804 ibucontext);
/drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
2793 iwmr->type = req.reg_type;
2794 iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
2795
2796 switch (req.reg_type) {
2797 case IRDMA_MEMREG_TYPE_QP:
2798 use_pbles = ((req.sq_pages + req.rq_pages) > 2);
vvv CID 1505160: (TAINTED_SCALAR)
vvv Passing tainted variable "req.sq_pages" to a tainted sink.
2799 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
2800 if (err)
2801 goto error;
2802
2803 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
2804 ibucontext);
/drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
2793 iwmr->type = req.reg_type;
2794 iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
2795
2796 switch (req.reg_type) {
2797 case IRDMA_MEMREG_TYPE_QP:
2798 use_pbles = ((req.sq_pages + req.rq_pages) > 2);
vvv CID 1505160: (TAINTED_SCALAR)
vvv Passing tainted variable "req.rq_pages" to a tainted sink.
2799 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
2800 if (err)
2801 goto error;
2802
2803 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
2804 ibucontext);
/drivers/infiniband/hw/irdma/verbs.c: 2812 in irdma_reg_user_mr()
2806 list_add_tail(&iwpbl->list, &ucontext->qp_reg_mem_list);
2807 iwpbl->on_list = true;
2808 spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
2809 break;
2810 case IRDMA_MEMREG_TYPE_CQ:
2811 use_pbles = (req.cq_pages > 1);
vvv CID 1505160: (TAINTED_SCALAR)
vvv Passing tainted variable "req.sq_pages" to a tainted sink.
2812 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
2813 if (err)
2814 goto error;
2815
2816 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
2817 ibucontext);

If this is a false positive, please let us know so we can mark it as
such, or teach the Coverity rules to be smarter. If not, please make
sure fixes get into linux-next. :) For patches fixing this, please
include these lines (but double-check the "Fixes" first):

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1505160 ("TAINTED_SCALAR")
Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")

Thanks for your attention!

--
Coverity-bot