| Message ID | 20190608092231.GA28890@mwanda (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Jason Gunthorpe |
| Headers | show |
| Series | IB/mlx4: prevent undefined shift in set_user_sq_size() | expand |
On Sat, Jun 08, 2019 at 12:22:31PM +0300, Dan Carpenter wrote: > The ucmd->log_sq_bb_count is a u8 that comes from the user. If it's > larger than the number of bits in an int then that's undefined behavior. > It turns out this doesn't really cause an issue at runtime but it's > still nice to clean it up. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/infiniband/hw/mlx4/qp.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c > index 5221c0794d1d..9f6eb23e8044 100644 > --- a/drivers/infiniband/hw/mlx4/qp.c > +++ b/drivers/infiniband/hw/mlx4/qp.c > @@ -439,7 +439,8 @@ static int set_user_sq_size(struct mlx4_ib_dev *dev, > struct mlx4_ib_create_qp *ucmd) > { > /* Sanity check SQ size before proceeding */ > - if ((1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes || > + if (ucmd->log_sq_bb_count > 31 || > + (1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes || Surely this should use check_shl_overflow() ? Jason
On Mon, Jun 10, 2019 at 10:28:49AM -0300, Jason Gunthorpe wrote: > On Sat, Jun 08, 2019 at 12:22:31PM +0300, Dan Carpenter wrote: > > The ucmd->log_sq_bb_count is a u8 that comes from the user. If it's > > larger than the number of bits in an int then that's undefined behavior. > > It turns out this doesn't really cause an issue at runtime but it's > > still nice to clean it up. > > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > --- > > drivers/infiniband/hw/mlx4/qp.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c > > index 5221c0794d1d..9f6eb23e8044 100644 > > --- a/drivers/infiniband/hw/mlx4/qp.c > > +++ b/drivers/infiniband/hw/mlx4/qp.c > > @@ -439,7 +439,8 @@ static int set_user_sq_size(struct mlx4_ib_dev *dev, > > struct mlx4_ib_create_qp *ucmd) > > { > > /* Sanity check SQ size before proceeding */ > > - if ((1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes || > > + if (ucmd->log_sq_bb_count > 31 || > > + (1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes || > > Surely this should use check_shl_overflow() ? Yes > > Jason
On Mon, Jun 10, 2019 at 10:28:49AM -0300, Jason Gunthorpe wrote: > On Sat, Jun 08, 2019 at 12:22:31PM +0300, Dan Carpenter wrote: > > The ucmd->log_sq_bb_count is a u8 that comes from the user. If it's > > larger than the number of bits in an int then that's undefined behavior. > > It turns out this doesn't really cause an issue at runtime but it's > > still nice to clean it up. > > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > --- > > drivers/infiniband/hw/mlx4/qp.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c > > index 5221c0794d1d..9f6eb23e8044 100644 > > --- a/drivers/infiniband/hw/mlx4/qp.c > > +++ b/drivers/infiniband/hw/mlx4/qp.c > > @@ -439,7 +439,8 @@ static int set_user_sq_size(struct mlx4_ib_dev *dev, > > struct mlx4_ib_create_qp *ucmd) > > { > > /* Sanity check SQ size before proceeding */ > > - if ((1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes || > > + if (ucmd->log_sq_bb_count > 31 || > > + (1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes || > > Surely this should use check_shl_overflow() ? > Same for the other one I sent. I'll resend in a couple days. No rush. regards, dan carpenter
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c index 5221c0794d1d..9f6eb23e8044 100644 --- a/drivers/infiniband/hw/mlx4/qp.c +++ b/drivers/infiniband/hw/mlx4/qp.c @@ -439,7 +439,8 @@ static int set_user_sq_size(struct mlx4_ib_dev *dev, struct mlx4_ib_create_qp *ucmd) { /* Sanity check SQ size before proceeding */ - if ((1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes || + if (ucmd->log_sq_bb_count > 31 || + (1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes || ucmd->log_sq_stride > ilog2(roundup_pow_of_two(dev->dev->caps.max_sq_desc_sz)) || ucmd->log_sq_stride < MLX4_IB_MIN_SQ_STRIDE)
The ucmd->log_sq_bb_count is a u8 that comes from the user. If it's larger than the number of bits in an int then that's undefined behavior. It turns out this doesn't really cause an issue at runtime but it's still nice to clean it up. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/infiniband/hw/mlx4/qp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)