From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook <kees@kernel.org>, Jakub Kicinski <kuba@kernel.org>,
Sasha Levin <sashal@kernel.org>,
tariqt@nvidia.com, andrew+netdev@lunn.ch, davem@davemloft.net,
edumazet@google.com, pabeni@redhat.com, yishaih@nvidia.com,
netdev@vger.kernel.org, linux-rdma@vger.kernel.org
Subject: [PATCH AUTOSEL 6.1 166/212] net/mlx4_core: Avoid impossible mlx4_db_alloc() order value
Date: Mon, 5 May 2025 19:05:38 -0400 [thread overview]
Message-ID: <20250505230624.2692522-166-sashal@kernel.org> (raw)
In-Reply-To: <20250505230624.2692522-1-sashal@kernel.org>
From: Kees Cook <kees@kernel.org>
[ Upstream commit 4a6f18f28627e121bd1f74b5fcc9f945d6dbeb1e ]
GCC can see that the value range for "order" is capped, but this leads
it to consider that it might be negative, leading to a false positive
warning (with GCC 15 with -Warray-bounds -fdiagnostics-details):
../drivers/net/ethernet/mellanox/mlx4/alloc.c:691:47: error: array subscript -1 is below array bounds of 'long unsigned int *[2]' [-Werror=array-bounds=]
691 | i = find_first_bit(pgdir->bits[o], MLX4_DB_PER_PAGE >> o);
| ~~~~~~~~~~~^~~
'mlx4_alloc_db_from_pgdir': events 1-2
691 | i = find_first_bit(pgdir->bits[o], MLX4_DB_PER_PAGE >> o); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | | | (2) out of array bounds here
| (1) when the condition is evaluated to true In file included from ../drivers/net/ethernet/mellanox/mlx4/mlx4.h:53,
from ../drivers/net/ethernet/mellanox/mlx4/alloc.c:42:
../include/linux/mlx4/device.h:664:33: note: while referencing 'bits'
664 | unsigned long *bits[2];
| ^~~~
Switch the argument to unsigned int, which removes the compiler needing
to consider negative values.
Signed-off-by: Kees Cook <kees@kernel.org>
Link: https://patch.msgid.link/20250210174504.work.075-kees@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx4/alloc.c | 6 +++---
include/linux/mlx4/device.h | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/alloc.c b/drivers/net/ethernet/mellanox/mlx4/alloc.c
index b330020dc0d67..f2bded847e61d 100644
--- a/drivers/net/ethernet/mellanox/mlx4/alloc.c
+++ b/drivers/net/ethernet/mellanox/mlx4/alloc.c
@@ -682,9 +682,9 @@ static struct mlx4_db_pgdir *mlx4_alloc_db_pgdir(struct device *dma_device)
}
static int mlx4_alloc_db_from_pgdir(struct mlx4_db_pgdir *pgdir,
- struct mlx4_db *db, int order)
+ struct mlx4_db *db, unsigned int order)
{
- int o;
+ unsigned int o;
int i;
for (o = order; o <= 1; ++o) {
@@ -712,7 +712,7 @@ static int mlx4_alloc_db_from_pgdir(struct mlx4_db_pgdir *pgdir,
return 0;
}
-int mlx4_db_alloc(struct mlx4_dev *dev, struct mlx4_db *db, int order)
+int mlx4_db_alloc(struct mlx4_dev *dev, struct mlx4_db *db, unsigned int order)
{
struct mlx4_priv *priv = mlx4_priv(dev);
struct mlx4_db_pgdir *pgdir;
diff --git a/include/linux/mlx4/device.h b/include/linux/mlx4/device.h
index 6646634a0b9d4..0cb296f0f8d1d 100644
--- a/include/linux/mlx4/device.h
+++ b/include/linux/mlx4/device.h
@@ -1115,7 +1115,7 @@ int mlx4_write_mtt(struct mlx4_dev *dev, struct mlx4_mtt *mtt,
int mlx4_buf_write_mtt(struct mlx4_dev *dev, struct mlx4_mtt *mtt,
struct mlx4_buf *buf);
-int mlx4_db_alloc(struct mlx4_dev *dev, struct mlx4_db *db, int order);
+int mlx4_db_alloc(struct mlx4_dev *dev, struct mlx4_db *db, unsigned int order);
void mlx4_db_free(struct mlx4_dev *dev, struct mlx4_db *db);
int mlx4_alloc_hwq_res(struct mlx4_dev *dev, struct mlx4_hwq_resources *wqres,
--
2.39.5
next prev parent reply other threads:[~2025-05-05 23:11 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20250505230624.2692522-1-sashal@kernel.org>
2025-05-05 23:03 ` [PATCH AUTOSEL 6.1 009/212] SUNRPC: Don't allow waiting for exiting tasks Sasha Levin
2025-05-05 23:03 ` [PATCH AUTOSEL 6.1 018/212] SUNRPC: rpc_clnt_set_transport() must not change the autobind setting Sasha Levin
2025-05-05 23:03 ` [PATCH AUTOSEL 6.1 019/212] SUNRPC: rpcbind should never reset the port to the value '0' Sasha Levin
2025-05-05 23:03 ` [PATCH AUTOSEL 6.1 051/212] tcp: reorganize tcp_in_ack_event() and tcp_count_delivered() Sasha Levin
2025-05-05 23:03 ` [PATCH AUTOSEL 6.1 058/212] net/smc: use the correct ndev to find pnetid by pnetid table Sasha Levin
2025-05-05 23:03 ` [PATCH AUTOSEL 6.1 067/212] netfilter: conntrack: Bound nf_conntrack sysctl writes Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 072/212] ipv6: save dontfrag in cork Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 083/212] tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 085/212] ieee802154: ca8210: Use proper setters and getters for bitwise types Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 090/212] net: phylink: use pl->link_interface in phylink_expects_phy() Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 095/212] net: ethernet: ti: cpsw_new: populate netdev of_node Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 096/212] net: pktgen: fix mpls maximum labels list parsing Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 099/212] ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config() Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 114/212] net/mlx5: Avoid report two health errors on same syndrome Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 115/212] selftests/net: have `gro.sh -t` return a correct exit code Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 118/212] net: ethernet: mtk_ppe_offload: Allow QinQ, double ETH_P_8021Q only Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 119/212] net: xgene-v2: remove incorrect ACPI_PTR annotation Sasha Levin
2025-05-05 23:04 ` [PATCH AUTOSEL 6.1 120/212] bonding: report duplicate MAC address in all situations Sasha Levin
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 140/212] net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Sasha Levin
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 142/212] bpf: Prevent unsafe access to the sock fields in the BPF timestamping callback Sasha Levin
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 148/212] eth: mlx4: don't try to complete XDP frames in netpoll Sasha Levin
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 151/212] vxlan: Join / leave MC group after remote changes Sasha Levin
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 153/212] net/mlx5: Modify LSB bitmask in temperature event to include only the first bit Sasha Levin
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 154/212] net/mlx5: Apply rate-limiting to high temperature warning Sasha Levin
2025-05-05 23:05 ` Sasha Levin [this message]
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 174/212] net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB Sasha Levin
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 175/212] net/mlx5e: set the tx_queue_len for pfifo_fast Sasha Levin
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 176/212] net/mlx5e: reduce rep rxq depth to 256 for ECPF Sasha Levin
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 180/212] ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure() Sasha Levin
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 181/212] r8152: add vendor/device ID pair for Dell Alienware AW1022z Sasha Levin
2025-05-05 23:05 ` [PATCH AUTOSEL 6.1 187/212] vxlan: Annotate FDB data races Sasha Levin
2025-05-05 23:06 ` [PATCH AUTOSEL 6.1 188/212] r8169: don't scan PHY addresses > 0 Sasha Levin
2025-05-05 23:06 ` [PATCH AUTOSEL 6.1 189/212] net-sysfs: prevent uncleared queues from being re-added Sasha Levin
2025-05-05 23:06 ` [PATCH AUTOSEL 6.1 194/212] ice: count combined queues using Rx/Tx count Sasha Levin
2025-05-06 9:26 ` [Intel-wired-lan] " Loktionov, Aleksandr
2025-05-05 23:06 ` [PATCH AUTOSEL 6.1 195/212] net/mana: fix warning in the writer of client oob Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250505230624.2692522-166-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kees@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tariqt@nvidia.com \
--cc=yishaih@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).