From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, syzkaller <syzkaller@googlegroups.com>,
	Boris Pismenny <borisp@mellanox.com>,
	Leon Romanovsky <leon@kernel.org>,
	Doug Ledford <dledford@redhat.com>
Subject: [PATCH 4.14 69/77] IB/mlx5: Fix integer overflows in mlx5_ib_create_srq
Date: Fri, 23 Mar 2018 10:54:43 +0100
Message-ID: <20180323094146.926683530@linuxfoundation.org>
In-Reply-To: <20180323094142.260022880@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Pismenny <borisp@mellanox.com>

commit c2b37f76485f073f020e60b5954b6dc4e55f693c upstream.

This patch validates user provided input to prevent integer overflow due
to integer manipulation in the mlx5_ib_create_srq function.

Cc: syzkaller <syzkaller@googlegroups.com>
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/mlx5/srq.c |   15 +++++++++------
 include/linux/mlx5/driver.h      |    4 ++--
 2 files changed, 11 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/hw/mlx5/srq.c
+++ b/drivers/infiniband/hw/mlx5/srq.c
@@ -241,8 +241,8 @@ struct ib_srq *mlx5_ib_create_srq(struct
 {
 	struct mlx5_ib_dev *dev = to_mdev(pd->device);
 	struct mlx5_ib_srq *srq;
-	int desc_size;
-	int buf_size;
+	size_t desc_size;
+	size_t buf_size;
 	int err;
 	struct mlx5_srq_attr in = {0};
 	__u32 max_srq_wqes = 1 << MLX5_CAP_GEN(dev->mdev, log_max_srq_sz);
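Review bot: the switch of desc_size and buf_size from int to size_t in the declarations changes signedness as well as width, and the changelog does not say which of the two the fix relies on. On a 32-bit build size_t is no wider than int, so this type change alone does not stop the later arithmetic from wrapping; it only turns the wrap into well-defined unsigned behaviour that an explicit check can test for. A sentence in the commit message saying that the bounds checks are the actual fix and the type change supports them would help anyone backporting or auditing this.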
@@ -266,15 +266,18 @@ struct ib_srq *mlx5_ib_create_srq(struct
 
 	desc_size = sizeof(struct mlx5_wqe_srq_next_seg) +
 		    srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg);
+	if (desc_size == 0 || srq->msrq.max_gs > desc_size)
+		return ERR_PTR(-EINVAL);
 	desc_size = roundup_pow_of_two(desc_size);
-	desc_size = max_t(int, 32, desc_size);
+	desc_size = max_t(size_t, 32, desc_size);
+	if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg))
+		return ERR_PTR(-EINVAL);
 	srq->msrq.max_avail_gather = (desc_size - sizeof(struct mlx5_wqe_srq_next_seg)) /
 		sizeof(struct mlx5_wqe_data_seg);
 	srq->msrq.wqe_shift = ilog2(desc_size);
 	buf_size = srq->msrq.max * desc_size;
-	mlx5_ib_dbg(dev, "desc_size 0x%x, req wr 0x%x, srq size 0x%x, max_gs 0x%x, max_avail_gather 0x%x\n",
-		    desc_size, init_attr->attr.max_wr, srq->msrq.max, srq->msrq.max_gs,
-		    srq->msrq.max_avail_gather);
+	if (buf_size < desc_size)
+		return ERR_PTR(-EINVAL);
 	in.type = init_attr->srq_type;
 
 	if (pd->uobject)
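Review bot: the two new wrap tests, `srq->msrq.max_gs > desc_size` and `buf_size < desc_size`, compare an already computed result against one of its operands, and that does not detect every wraparound of a multiplication: a wrapped product can still land above the operand it is compared with. The buf_size test is only reliable if srq->msrq.max is guaranteed to be a power of two, like desc_size after roundup_pow_of_two(), so that a wrap always yields 0; nothing in this hunk shows that guarantee. Bounding the inputs before the arithmetic (for example rejecting max_gs above (SIZE_MAX - sizeof(struct mlx5_wqe_srq_next_seg)) / sizeof(struct mlx5_wqe_data_seg), and srq->msrq.max above SIZE_MAX / desc_size) would not depend on how the value wraps. Separately, the mlx5_ib_dbg() call is removed here without any mention in the changelog; if it was dropped because the 0x%x specifiers no longer match size_t, converting them to %zx would keep the diagnostic.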
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -432,8 +432,8 @@ struct mlx5_core_srq {
 	struct mlx5_core_rsc_common	common; /* must be first */
 	u32		srqn;
 	int		max;
-	int		max_gs;
-	int		max_avail_gather;
+	size_t		max_gs;
+	size_t		max_avail_gather;
 	int		wqe_shift;
 	void (*event)	(struct mlx5_core_srq *, enum mlx5_event);
 
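Review bot: max_gs and max_avail_gather become size_t in struct mlx5_core_srq, but `int max;` directly above them is left signed even though it is the other operand in `buf_size = srq->msrq.max * desc_size`; a negative max would convert to a very large size_t in that multiplication. Either make max unsigned as well or check it for <= 0 before it is used. Because this struct lives in include/linux/mlx5/driver.h and the diffstat touches only srq.c besides the header, the other users of these two fields (format strings, assignments into int or u32) should be audited for the type change, and the changelog should say that was done.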
