public inbox for linux-rdma@vger.kernel.org
* [PATCH v2 rdma-next 0/2] irdma coverity fixes
@ 2021-06-25 16:23 Tatyana Nikolova
  2021-06-25 16:23 ` [PATCH v2 rdma-next 1/2] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object Tatyana Nikolova
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Tatyana Nikolova @ 2021-06-25 16:23 UTC (permalink / raw)
  To: jgg, dledford; +Cc: linux-rdma, shiraz.saleem, mustafa.ismail, Tatyana Nikolova

This is a short series of coverity fixes for irdma.

Shiraz Saleem (2):
  RDMA/irdma: Check contents of user-space irdma_mem_reg_req object
  RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles

v1->v2
* Add u32 sums for u16 variables to show that the operations are overflow safe.
* Replace shifting ops with DIV_ROUND_UP_ULL macro to get bits_needed

 drivers/infiniband/hw/irdma/pble.h  |  2 +-
 drivers/infiniband/hw/irdma/utils.c |  4 ++--
 drivers/infiniband/hw/irdma/verbs.c | 26 ++++++++++++++++++++------
 3 files changed, 23 insertions(+), 9 deletions(-)

-- 
2.27.0



* [PATCH v2 rdma-next 1/2] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object
  2021-06-25 16:23 [PATCH v2 rdma-next 0/2] irdma coverity fixes Tatyana Nikolova
@ 2021-06-25 16:23 ` Tatyana Nikolova
  2021-06-25 16:23 ` [PATCH v2 rdma-next 2/2] RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles Tatyana Nikolova
  2021-06-25 17:35 ` [PATCH v2 rdma-next 0/2] irdma coverity fixes Jason Gunthorpe
  2 siblings, 0 replies; 4+ messages in thread
From: Tatyana Nikolova @ 2021-06-25 16:23 UTC (permalink / raw)
  To: jgg, dledford
  Cc: linux-rdma, shiraz.saleem, mustafa.ismail, coverity-bot,
	Tatyana Nikolova

From: Shiraz Saleem <shiraz.saleem@intel.com>

The contents of the user-space req object are used in array indexing
in irdma_handle_q_mem without checking for valid values.

Guard against bad input on each of these req object pages by
limiting them to the number of pages that make up the region.

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1505160 ("TAINTED_SCALAR")
Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
---
 drivers/infiniband/hw/irdma/verbs.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index 5bb46a4d26ff..9712f6902ba8 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -2358,12 +2358,10 @@ static int irdma_handle_q_mem(struct irdma_device *iwdev,
 	struct irdma_cq_mr *cqmr = &iwpbl->cq_mr;
 	struct irdma_hmc_pble *hmc_p;
 	u64 *arr = iwmr->pgaddrmem;
-	u32 pg_size;
+	u32 pg_size, total;
 	int err = 0;
-	int total;
 	bool ret = true;
 
-	total = req->sq_pages + req->rq_pages + req->cq_pages;
 	pg_size = iwmr->page_size;
 	err = irdma_setup_pbles(iwdev->rf, iwmr, use_pbles);
 	if (err)
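Review bot: `u32 pg_size, total;` leaves `total` at function scope in irdma_handle_q_mem, but with the sum removed in this hunk it is assigned and read only in the IRDMA_MEMREG_TYPE_QP case. Declaring it inside that case, or indexing with `arr[req->sq_pages + req->rq_pages]` directly, would keep a later use in another case from reading it uninitialized.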
@@ -2380,6 +2378,7 @@ static int irdma_handle_q_mem(struct irdma_device *iwdev,
 
 	switch (iwmr->type) {
 	case IRDMA_MEMREG_TYPE_QP:
+		total = req->sq_pages + req->rq_pages;
 		hmc_p = &qpmr->sq_pbl;
 		qpmr->shadow = (dma_addr_t)arr[total];
 
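Review bot: `qpmr->shadow = (dma_addr_t)arr[total];` still indexes with values taken straight from the user-supplied req, and nothing inside irdma_handle_q_mem bounds them. The only guard is the `total > iwmr->page_cnt` check this patch adds in irdma_reg_user_mr, so a comment here stating that the caller must already have validated sq_pages + rq_pages plus the shadow page against page_cnt would protect against a future caller that skips it.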
@@ -2406,7 +2405,7 @@ static int irdma_handle_q_mem(struct irdma_device *iwdev,
 		hmc_p = &cqmr->cq_pbl;
 
 		if (!cqmr->split)
-			cqmr->shadow = (dma_addr_t)arr[total];
+			cqmr->shadow = (dma_addr_t)arr[req->cq_pages];
 
 		if (use_pbles)
 			ret = irdma_check_mem_contiguous(arr, req->cq_pages,
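Review bot: `arr[req->cq_pages]` changes which entry is read for the CQ shadow area, not only how it is bounded. The old index was sq_pages + rq_pages + cq_pages, so a CQ request carrying non-zero sq_pages or rq_pages now resolves to a different slot. The commit message describes only input validation; please state that the CQ index intentionally ignores the QP fields.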
@@ -2747,7 +2746,8 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
 	struct irdma_mr *iwmr;
 	struct ib_umem *region;
 	struct irdma_mem_reg_req req;
-	u32 stag = 0;
+	u32 total, stag = 0;
+	u8 shadow_pgcnt = 1;
 	bool use_pbles = false;
 	unsigned long flags;
 	int err = -EINVAL;
@@ -2801,7 +2801,13 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
 
 	switch (req.reg_type) {
 	case IRDMA_MEMREG_TYPE_QP:
-		use_pbles = ((req.sq_pages + req.rq_pages) > 2);
+		total = req.sq_pages + req.rq_pages + shadow_pgcnt;
+		if (total > iwmr->page_cnt) {
+			err = -EINVAL;
+			goto error;
+		}
+		total = req.sq_pages + req.rq_pages;
+		use_pbles = (total > 2);
 		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
 		if (err)
 			goto error;
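Review bot: `total` is computed twice in the IRDMA_MEMREG_TYPE_QP case, once with shadow_pgcnt for the bound and again without it for use_pbles. Computing `total = req.sq_pages + req.rq_pages;` once and testing `total + shadow_pgcnt > iwmr->page_cnt` reads more clearly, and a short comment on why one extra page is required (the shadow entry read at arr[total] in irdma_handle_q_mem) would document the bound.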
@@ -2814,6 +2820,14 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
 		spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
 		break;
 	case IRDMA_MEMREG_TYPE_CQ:
+		if (iwdev->rf->sc_dev.hw_attrs.uk_attrs.feature_flags & IRDMA_FEATURE_CQ_RESIZE)
+			shadow_pgcnt = 0;
+		total = req.cq_pages + shadow_pgcnt;
+		if (total > iwmr->page_cnt) {
+			err = -EINVAL;
+			goto error;
+		}
+
 		use_pbles = (req.cq_pages > 1);
 		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
 		if (err)
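Review bot: the bound in the IRDMA_MEMREG_TYPE_CQ case drops the shadow page when IRDMA_FEATURE_CQ_RESIZE is set, but irdma_handle_q_mem reads `arr[req->cq_pages]` whenever `!cqmr->split`, which is a different condition. If cqmr->split is not guaranteed to be true whenever the feature flag is set, that read lands one entry past what was validated here. Deriving shadow_pgcnt from the same condition, or adding a comment that states the invariant, would close the gap.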
-- 
2.27.0



* [PATCH v2 rdma-next 2/2] RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles
  2021-06-25 16:23 [PATCH v2 rdma-next 0/2] irdma coverity fixes Tatyana Nikolova
  2021-06-25 16:23 ` [PATCH v2 rdma-next 1/2] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object Tatyana Nikolova
@ 2021-06-25 16:23 ` Tatyana Nikolova
  2021-06-25 17:35 ` [PATCH v2 rdma-next 0/2] irdma coverity fixes Jason Gunthorpe
  2 siblings, 0 replies; 4+ messages in thread
From: Tatyana Nikolova @ 2021-06-25 16:23 UTC (permalink / raw)
  To: jgg, dledford
  Cc: linux-rdma, shiraz.saleem, mustafa.ismail, coverity-bot,
	Tatyana Nikolova

From: Shiraz Saleem <shiraz.saleem@intel.com>

Coverity reports a signed 32-bit overflow on "1 << pprm->pble_shift" when
used in the expression to compute bits_needed, which expects a 64-bit
unsigned value.

Fix this by using 1ULL in the left shift operator and converting
mem_size to u64.

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1505157 ("Integer handling issues")
Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
---
 drivers/infiniband/hw/irdma/pble.h  | 2 +-
 drivers/infiniband/hw/irdma/utils.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/hw/irdma/pble.h b/drivers/infiniband/hw/irdma/pble.h
index e4e635dc4fd9..e1b3b8118a2c 100644
--- a/drivers/infiniband/hw/irdma/pble.h
+++ b/drivers/infiniband/hw/irdma/pble.h
@@ -121,7 +121,7 @@ enum irdma_status_code irdma_prm_add_pble_mem(struct irdma_pble_prm *pprm,
 					      struct irdma_chunk *pchunk);
 enum irdma_status_code
 irdma_prm_get_pbles(struct irdma_pble_prm *pprm,
-		    struct irdma_pble_chunkinfo *chunkinfo, u32 mem_size,
+		    struct irdma_pble_chunkinfo *chunkinfo, u64 mem_size,
 		    u64 **vaddr, u64 *fpm_addr);
 void irdma_prm_return_pbles(struct irdma_pble_prm *pprm,
 			    struct irdma_pble_chunkinfo *chunkinfo);
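Review bot: widening mem_size to u64 in this prototype only helps if the callers form the size in 64 bits, and the diffstat shows no call site touched by this patch. Please confirm that callers do not compute the value in a u32 before passing it, otherwise the truncation just moves to the caller.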
diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
index ea1df5918c11..5bbe44e54f9a 100644
--- a/drivers/infiniband/hw/irdma/utils.c
+++ b/drivers/infiniband/hw/irdma/utils.c
@@ -2314,7 +2314,7 @@ enum irdma_status_code irdma_prm_add_pble_mem(struct irdma_pble_prm *pprm,
  */
 enum irdma_status_code
 irdma_prm_get_pbles(struct irdma_pble_prm *pprm,
-		    struct irdma_pble_chunkinfo *chunkinfo, u32 mem_size,
+		    struct irdma_pble_chunkinfo *chunkinfo, u64 mem_size,
 		    u64 **vaddr, u64 *fpm_addr)
 {
 	u64 bits_needed;
@@ -2326,7 +2326,7 @@ irdma_prm_get_pbles(struct irdma_pble_prm *pprm,
 	*vaddr = NULL;
 	*fpm_addr = 0;
 
-	bits_needed = (mem_size + (1 << pprm->pble_shift) - 1) >> pprm->pble_shift;
+	bits_needed = DIV_ROUND_UP_ULL(mem_size, BIT_ULL(pprm->pble_shift));
 
 	spin_lock_irqsave(&pprm->prm_lock, flags);
 	while (chunk_entry != &pprm->clist) {
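Review bot: the commit message says the fix uses 1ULL in the left shift, but the line added here is `bits_needed = DIV_ROUND_UP_ULL(mem_size, BIT_ULL(pprm->pble_shift));`, matching the v2 changelog in the cover letter. Please update the message to describe the macro-based form so the log matches the code.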
-- 
2.27.0



* Re: [PATCH v2 rdma-next 0/2] irdma coverity fixes
  2021-06-25 16:23 [PATCH v2 rdma-next 0/2] irdma coverity fixes Tatyana Nikolova
  2021-06-25 16:23 ` [PATCH v2 rdma-next 1/2] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object Tatyana Nikolova
  2021-06-25 16:23 ` [PATCH v2 rdma-next 2/2] RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles Tatyana Nikolova
@ 2021-06-25 17:35 ` Jason Gunthorpe
  2 siblings, 0 replies; 4+ messages in thread
From: Jason Gunthorpe @ 2021-06-25 17:35 UTC (permalink / raw)
  To: Tatyana Nikolova; +Cc: dledford, linux-rdma, shiraz.saleem, mustafa.ismail

On Fri, Jun 25, 2021 at 11:23:27AM -0500, Tatyana Nikolova wrote:
> This is a short series of coverity fixes for irdma.
> 
> Shiraz Saleem (2):
>   RDMA/irdma: Check contents of user-space irdma_mem_reg_req object
>   RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles

Applied to for-next, thanks

Jason
