linux/drivers/infiniband/hw
Leon Romanovsky 28e9091e31 RDMA/mlx5: Fix integer overflow while resizing CQ
The user can provide a very large cqe_size, which will cause an integer
overflow, as can be seen in the following UBSAN warning:

=======================================================================
UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53
signed integer overflow:
64870 * 65536 cannot be represented in type 'int'
CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware
name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
Call Trace:
 dump_stack+0xde/0x164
 ? dma_virt_map_sg+0x22c/0x22c
 ubsan_epilogue+0xe/0x81
 handle_overflow+0x1f3/0x251
 ? __ubsan_handle_negate_overflow+0x19b/0x19b
 ? lock_acquire+0x440/0x440
 mlx5_ib_resize_cq+0x17e7/0x1e40
 ? cyc2ns_read_end+0x10/0x10
 ? native_read_msr_safe+0x6c/0x9b
 ? cyc2ns_read_end+0x10/0x10
 ? mlx5_ib_modify_cq+0x220/0x220
 ? sched_clock_cpu+0x18/0x200
 ? lookup_get_idr_uobject+0x200/0x200
 ? rdma_lookup_get_uobject+0x145/0x2f0
 ib_uverbs_resize_cq+0x207/0x3e0
 ? ib_uverbs_ex_create_cq+0x250/0x250
 ib_uverbs_write+0x7f9/0xef0
 ? cyc2ns_read_end+0x10/0x10
 ? print_irqtrace_events+0x280/0x280
 ? ib_uverbs_ex_create_cq+0x250/0x250
 ? uverbs_devnode+0x110/0x110
 ? sched_clock_cpu+0x18/0x200
 ? do_raw_spin_trylock+0x100/0x100
 ? __lru_cache_add+0x16e/0x290
 __vfs_write+0x10d/0x700
 ? uverbs_devnode+0x110/0x110
 ? kernel_read+0x170/0x170
 ? sched_clock_cpu+0x18/0x200
 ? security_file_permission+0x93/0x260
 vfs_write+0x1b0/0x550
 SyS_write+0xc7/0x1a0
 ? SyS_read+0x1a0/0x1a0
 ? trace_hardirqs_on_thunk+0x1a/0x1c
 entry_SYSCALL_64_fastpath+0x1e/0x8b
RIP: 0033:0x433549
RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217
=======================================================================

Cc: syzkaller <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org> # 3.13
Fixes: bde51583f4 ("IB/mlx5: Add support for resize CQ")
Reported-by: Noa Osherovich <noaos@mellanox.com>
Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2018-03-09 18:10:48 -05:00
bnxt_re RDMA/bnxt_re: Avoid Hard lockup during error CQE processing 2018-03-06 20:08:39 -07:00
cxgb3 Updates for 4.15 kernel merge window 2017-11-15 14:54:53 -08:00
cxgb4 iw_cxgb4: Change error/warn prints to pr_debug 2017-12-29 11:09:23 -07:00
hfi1 vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
hns RDMA/hns: Fix the endian problem for hns 2018-02-05 10:48:48 -05:00
i40iw i40iw: Free IEQ resources 2018-01-16 20:38:18 -07:00
mlx4 IB/mlx4: Include GID type when deleting GIDs from HW table under RoCE 2018-03-06 20:08:38 -07:00
mlx5 RDMA/mlx5: Fix integer overflow while resizing CQ 2018-03-09 18:10:48 -05:00
mthca IB/mthca: remove mthca_user.h 2018-01-28 14:07:16 -07:00
nes nes: Change accelerated flag to bool 2017-12-22 13:33:30 -07:00
ocrdma IB/ocrdma: Use zeroing memory allocator than allocator/memset 2018-01-02 11:20:13 -07:00
qedr RDMA/qedr: Fix iWARP write and send with immediate 2018-03-06 19:57:37 -07:00
qib vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
usnic drivers: infiniband: remove duplicate includes 2017-12-22 09:39:35 -07:00
vmw_pvrdma RDMA/vmw_pvrdma: Fix usage of user response structures in ABI file 2018-02-15 15:31:28 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00