[PATCH v2] vfio/mlx5: fix possible overflow in tracking max message size

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2] vfio/mlx5: fix possible overflow in tracking max message size
@ 2025-07-01 14:40 Artem Sadovnikov
  2025-07-11 21:00 ` Alex Williamson
  2025-07-16 20:20 ` Alex Williamson
  0 siblings, 2 replies; 4+ messages in thread
From: Artem Sadovnikov @ 2025-07-01 14:40 UTC (permalink / raw)
  To: kvm
  Cc: Artem Sadovnikov, Yishai Hadas, Jason Gunthorpe, Shameer Kolothum,
	Kevin Tian, Alex Williamson, linux-kernel, lvc-project

MLX cap pg_track_log_max_msg_size consists of 5 bits, value of which is
used as power of 2 for max_msg_size. This can lead to multiplication
overflow between max_msg_size (u32) and integer constant, and afterwards
incorrect value is being written to rq_size.

Fix this issue by extending integer constant to u64 type.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Suggested-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
---
Changes from v1:
- The constant type was changed instead of variable type.
- The patch name was accidentally cut and is now fixed.
- LKML: https://lore.kernel.org/all/20250629095843.13349-1-a.sadovnikov@ispras.ru/
---
 drivers/vfio/pci/mlx5/cmd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/vfio/pci/mlx5/cmd.c b/drivers/vfio/pci/mlx5/cmd.c
index 5b919a0b2524..a92b095b90f6 100644
--- a/drivers/vfio/pci/mlx5/cmd.c
+++ b/drivers/vfio/pci/mlx5/cmd.c
@@ -1523,8 +1523,8 @@ int mlx5vf_start_page_tracker(struct vfio_device *vdev,
 	log_max_msg_size = MLX5_CAP_ADV_VIRTUALIZATION(mdev, pg_track_log_max_msg_size);
 	max_msg_size = (1ULL << log_max_msg_size);
 	/* The RQ must hold at least 4 WQEs/messages for successful QP creation */
-	if (rq_size < 4 * max_msg_size)
-		rq_size = 4 * max_msg_size;
+	if (rq_size < 4ULL * max_msg_size)
+		rq_size = 4ULL * max_msg_size;
 
 	memset(tracker, 0, sizeof(*tracker));
 	tracker->uar = mlx5_get_uars_page(mdev);
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] vfio/mlx5: fix possible overflow in tracking max message size
  2025-07-01 14:40 [PATCH v2] vfio/mlx5: fix possible overflow in tracking max message size Artem Sadovnikov
@ 2025-07-11 21:00 ` Alex Williamson
  2025-07-13  7:56   ` Yishai Hadas
  2025-07-16 20:20 ` Alex Williamson
  1 sibling, 1 reply; 4+ messages in thread
From: Alex Williamson @ 2025-07-11 21:00 UTC (permalink / raw)
  To: Artem Sadovnikov
  Cc: kvm, Yishai Hadas, Jason Gunthorpe, Shameer Kolothum, Kevin Tian,
	linux-kernel, lvc-project

On Tue,  1 Jul 2025 14:40:17 +0000
Artem Sadovnikov <a.sadovnikov@ispras.ru> wrote:

> MLX cap pg_track_log_max_msg_size consists of 5 bits, value of which is
> used as power of 2 for max_msg_size. This can lead to multiplication
> overflow between max_msg_size (u32) and integer constant, and afterwards
> incorrect value is being written to rq_size.
> 
> Fix this issue by extending integer constant to u64 type.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Suggested-by: Alex Williamson <alex.williamson@redhat.com>
> Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
> ---
> Changes from v1:
> - The constant type was changed instead of variable type.
> - The patch name was accidentally cut and is now fixed.
> - LKML: https://lore.kernel.org/all/20250629095843.13349-1-a.sadovnikov@ispras.ru/
> ---
>  drivers/vfio/pci/mlx5/cmd.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/vfio/pci/mlx5/cmd.c b/drivers/vfio/pci/mlx5/cmd.c
> index 5b919a0b2524..a92b095b90f6 100644
> --- a/drivers/vfio/pci/mlx5/cmd.c
> +++ b/drivers/vfio/pci/mlx5/cmd.c
> @@ -1523,8 +1523,8 @@ int mlx5vf_start_page_tracker(struct vfio_device *vdev,
>  	log_max_msg_size = MLX5_CAP_ADV_VIRTUALIZATION(mdev, pg_track_log_max_msg_size);
>  	max_msg_size = (1ULL << log_max_msg_size);
>  	/* The RQ must hold at least 4 WQEs/messages for successful QP creation */
> -	if (rq_size < 4 * max_msg_size)
> -		rq_size = 4 * max_msg_size;
> +	if (rq_size < 4ULL * max_msg_size)
> +		rq_size = 4ULL * max_msg_size;
>  
>  	memset(tracker, 0, sizeof(*tracker));
>  	tracker->uar = mlx5_get_uars_page(mdev);

LGTM, Yishai?  Thanks,

Alex


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] vfio/mlx5: fix possible overflow in tracking max message size
  2025-07-11 21:00 ` Alex Williamson
@ 2025-07-13  7:56   ` Yishai Hadas
  0 siblings, 0 replies; 4+ messages in thread
From: Yishai Hadas @ 2025-07-13  7:56 UTC (permalink / raw)
  To: Alex Williamson, Artem Sadovnikov
  Cc: kvm, Jason Gunthorpe, Shameer Kolothum, Kevin Tian, linux-kernel,
	lvc-project

On 12/07/2025 0:00, Alex Williamson wrote:
> On Tue,  1 Jul 2025 14:40:17 +0000
> Artem Sadovnikov <a.sadovnikov@ispras.ru> wrote:
> 
>> MLX cap pg_track_log_max_msg_size consists of 5 bits, value of which is
>> used as power of 2 for max_msg_size. This can lead to multiplication
>> overflow between max_msg_size (u32) and integer constant, and afterwards
>> incorrect value is being written to rq_size.
>>
>> Fix this issue by extending integer constant to u64 type.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Suggested-by: Alex Williamson <alex.williamson@redhat.com>
>> Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
>> ---
>> Changes from v1:
>> - The constant type was changed instead of variable type.
>> - The patch name was accidentally cut and is now fixed.
>> - LKML: https://lore.kernel.org/all/20250629095843.13349-1-a.sadovnikov@ispras.ru/
>> ---
>>   drivers/vfio/pci/mlx5/cmd.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/vfio/pci/mlx5/cmd.c b/drivers/vfio/pci/mlx5/cmd.c
>> index 5b919a0b2524..a92b095b90f6 100644
>> --- a/drivers/vfio/pci/mlx5/cmd.c
>> +++ b/drivers/vfio/pci/mlx5/cmd.c
>> @@ -1523,8 +1523,8 @@ int mlx5vf_start_page_tracker(struct vfio_device *vdev,
>>   	log_max_msg_size = MLX5_CAP_ADV_VIRTUALIZATION(mdev, pg_track_log_max_msg_size);
>>   	max_msg_size = (1ULL << log_max_msg_size);
>>   	/* The RQ must hold at least 4 WQEs/messages for successful QP creation */
>> -	if (rq_size < 4 * max_msg_size)
>> -		rq_size = 4 * max_msg_size;
>> +	if (rq_size < 4ULL * max_msg_size)
>> +		rq_size = 4ULL * max_msg_size;
>>   
>>   	memset(tracker, 0, sizeof(*tracker));
>>   	tracker->uar = mlx5_get_uars_page(mdev);
> 
> LGTM, Yishai?  Thanks,
> 
> Alex
> 

Reviewed-by: Yishai Hadas <yishaih@nvidia.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] vfio/mlx5: fix possible overflow in tracking max message size
  2025-07-01 14:40 [PATCH v2] vfio/mlx5: fix possible overflow in tracking max message size Artem Sadovnikov
  2025-07-11 21:00 ` Alex Williamson
@ 2025-07-16 20:20 ` Alex Williamson
  1 sibling, 0 replies; 4+ messages in thread
From: Alex Williamson @ 2025-07-16 20:20 UTC (permalink / raw)
  To: Artem Sadovnikov
  Cc: kvm, Yishai Hadas, Jason Gunthorpe, Shameer Kolothum, Kevin Tian,
	linux-kernel, lvc-project

On Tue,  1 Jul 2025 14:40:17 +0000
Artem Sadovnikov <a.sadovnikov@ispras.ru> wrote:

> MLX cap pg_track_log_max_msg_size consists of 5 bits, value of which is
> used as power of 2 for max_msg_size. This can lead to multiplication
> overflow between max_msg_size (u32) and integer constant, and afterwards
> incorrect value is being written to rq_size.
> 
> Fix this issue by extending integer constant to u64 type.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Suggested-by: Alex Williamson <alex.williamson@redhat.com>
> Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
> ---
> Changes from v1:
> - The constant type was changed instead of variable type.
> - The patch name was accidentally cut and is now fixed.
> - LKML: https://lore.kernel.org/all/20250629095843.13349-1-a.sadovnikov@ispras.ru/
> ---
>  drivers/vfio/pci/mlx5/cmd.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/vfio/pci/mlx5/cmd.c b/drivers/vfio/pci/mlx5/cmd.c
> index 5b919a0b2524..a92b095b90f6 100644
> --- a/drivers/vfio/pci/mlx5/cmd.c
> +++ b/drivers/vfio/pci/mlx5/cmd.c
> @@ -1523,8 +1523,8 @@ int mlx5vf_start_page_tracker(struct vfio_device *vdev,
>  	log_max_msg_size = MLX5_CAP_ADV_VIRTUALIZATION(mdev, pg_track_log_max_msg_size);
>  	max_msg_size = (1ULL << log_max_msg_size);
>  	/* The RQ must hold at least 4 WQEs/messages for successful QP creation */
> -	if (rq_size < 4 * max_msg_size)
> -		rq_size = 4 * max_msg_size;
> +	if (rq_size < 4ULL * max_msg_size)
> +		rq_size = 4ULL * max_msg_size;
>  
>  	memset(tracker, 0, sizeof(*tracker));
>  	tracker->uar = mlx5_get_uars_page(mdev);

Applied to vfio next branch for v6.17.  Thanks,

Alex


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-07-16 20:20 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-01 14:40 [PATCH v2] vfio/mlx5: fix possible overflow in tracking max message size Artem Sadovnikov
2025-07-11 21:00 ` Alex Williamson
2025-07-13  7:56   ` Yishai Hadas
2025-07-16 20:20 ` Alex Williamson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).