Linux-RDMA Archive on lore.kernel.org
* Re: [PATCH] RDMA/hns: prevent undefined behavior in hns_roce_set_user_sq_size()
       [not found] <20190608092514.GC28890@mwanda>
@ 2019-10-07 12:18 ` Dan Carpenter
From: Dan Carpenter @ 2019-10-07 12:18 UTC
  To: Lijun Ou
  Cc: Wei Hu(Xavier),
	Doug Ledford, Jason Gunthorpe, linux-rdma, kernel-janitors

This one still needs to be applied.

regards,
dan carpenter

On Sat, Jun 08, 2019 at 12:25:14PM +0300, Dan Carpenter wrote:
> The "ucmd->log_sq_bb_count" variable is a user controlled variable in
> the 0-255 range.  If we shift more than the number of bits in an int
> then it's undefined behavior (it shift wraps).  It turns out this
> doesn't cause any real issues at runtime, but it's good to check anyway.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/infiniband/hw/hns/hns_roce_qp.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
> index 8db2817a249e..006b3e7f4ed5 100644
> --- a/drivers/infiniband/hw/hns/hns_roce_qp.c
> +++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
> @@ -342,7 +342,8 @@ static int hns_roce_set_user_sq_size(struct hns_roce_dev *hr_dev,
>  	u32 max_cnt;
>  
>  	/* Sanity check SQ size before proceeding */
> -	if ((u32)(1 << ucmd->log_sq_bb_count) > hr_dev->caps.max_wqes ||
> +	if (ucmd->log_sq_bb_count > 31 ||
> +	    (u32)(1 << ucmd->log_sq_bb_count) > hr_dev->caps.max_wqes ||
>  	     ucmd->log_sq_stride > max_sq_stride ||
>  	     ucmd->log_sq_stride < HNS_ROCE_IB_MIN_SQ_STRIDE) {
>  		dev_err(hr_dev->dev, "check SQ size error!\n");
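
Review bot: With the bound at 31, the retained `(u32)(1 << ucmd->log_sq_bb_count)` can still evaluate `1 << 31`, which shifts a signed int into its sign bit; the new check only rules out counts of 32 and above. Writing the shift as `1U << ucmd->log_sq_bb_count` keeps the expression unsigned and makes the `(u32)` cast unnecessary. A smaller style point: the added continuation line is indented one column less than the two `ucmd->log_sq_stride` lines below it, so the continuation lines of the condition no longer line up.
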
> -- 
> 2.20.1
