From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Carpenter Date: Tue, 11 Jun 2019 10:07:24 +0000 Subject: Re: [PATCH] IB/mlx4: prevent undefined shift in set_user_sq_size() Message-Id: <20190611100724.GB1915@kadam> List-Id: References: <20190608092231.GA28890@mwanda> <20190610132849.GD18468@ziepe.ca> In-Reply-To: <20190610132849.GD18468@ziepe.ca> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Jason Gunthorpe Cc: Yishai Hadas , Doug Ledford , linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org On Mon, Jun 10, 2019 at 10:28:49AM -0300, Jason Gunthorpe wrote: > On Sat, Jun 08, 2019 at 12:22:31PM +0300, Dan Carpenter wrote: > > The ucmd->log_sq_bb_count is a u8 that comes from the user. If it's > > larger than the number of bits in an int then that's undefined behavior. > > It turns out this doesn't really cause an issue at runtime but it's > > still nice to clean it up. > > > > Signed-off-by: Dan Carpenter > > --- > > drivers/infiniband/hw/mlx4/qp.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c > > index 5221c0794d1d..9f6eb23e8044 100644 > > --- a/drivers/infiniband/hw/mlx4/qp.c > > +++ b/drivers/infiniband/hw/mlx4/qp.c > > @@ -439,7 +439,8 @@ static int set_user_sq_size(struct mlx4_ib_dev *dev, > > struct mlx4_ib_create_qp *ucmd) > > { > > /* Sanity check SQ size before proceeding */ > > - if ((1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes || > > + if (ucmd->log_sq_bb_count > 31 || > > + (1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes || > > Surely this should use check_shl_overflow() ? > Same for the other one I sent. I'll resend in a couple days. No rush. regards, dan carpenter