* [PATCH v2 rdma-next 0/2] irdma coverity fixes
@ 2021-06-25 16:23 Tatyana Nikolova
  2021-06-25 16:23 ` [PATCH v2 rdma-next 1/2] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object Tatyana Nikolova
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Tatyana Nikolova @ 2021-06-25 16:23 UTC
  To: jgg, dledford; +Cc: linux-rdma, shiraz.saleem, mustafa.ismail, Tatyana Nikolova

This is a short series of coverity fixes for irdma.

Shiraz Saleem (2):
  RDMA/irdma: Check contents of user-space irdma_mem_reg_req object
  RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles

v1->v2
* Add u32 sums for u16 variables to show that the operations are overflow safe.
* Replace shifting ops with DIV_ROUND_UP_ULL macro to get bits_needed

 drivers/infiniband/hw/irdma/pble.h  |  2 +-
 drivers/infiniband/hw/irdma/utils.c |  4 ++--
 drivers/infiniband/hw/irdma/verbs.c | 26 ++++++++++++++++++++------
 3 files changed, 23 insertions(+), 9 deletions(-)

-- 
2.27.0



* [PATCH v2 rdma-next 1/2] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object
  2021-06-25 16:23 [PATCH v2 rdma-next 0/2] irdma coverity fixes Tatyana Nikolova
@ 2021-06-25 16:23 ` Tatyana Nikolova
  2021-06-25 16:23 ` [PATCH v2 rdma-next 2/2] RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles Tatyana Nikolova
  2021-06-25 17:35 ` [PATCH v2 rdma-next 0/2] irdma coverity fixes Jason Gunthorpe
  2 siblings, 0 replies; 4+ messages in thread
From: Tatyana Nikolova @ 2021-06-25 16:23 UTC
  To: jgg, dledford
  Cc: linux-rdma, shiraz.saleem, mustafa.ismail, coverity-bot,
	Tatyana Nikolova

From: Shiraz Saleem <shiraz.saleem@intel.com>

The contents of the user-space req object are used in array indexing
in irdma_handle_q_mem without checking for valid values.

Guard against bad input on each of these req object pages by
limiting them to the number of pages that make up the region.

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1505160 ("TAINTED_SCALAR")
Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
---
 drivers/infiniband/hw/irdma/verbs.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index 5bb46a4d26ff..9712f6902ba8 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -2358,12 +2358,10 @@ static int irdma_handle_q_mem(struct irdma_device *iwdev,
 	struct irdma_cq_mr *cqmr = &iwpbl->cq_mr;
 	struct irdma_hmc_pble *hmc_p;
 	u64 *arr = iwmr->pgaddrmem;
-	u32 pg_size;
+	u32 pg_size, total;
 	int err = 0;
-	int total;
 	bool ret = true;
 
-	total = req->sq_pages + req->rq_pages + req->cq_pages;
 	pg_size = iwmr->page_size;
 	err = irdma_setup_pbles(iwdev->rf, iwmr, use_pbles);
 	if (err)
@@ -2380,6 +2378,7 @@ static int irdma_handle_q_mem(struct irdma_device *iwdev,
 
 	switch (iwmr->type) {
 	case IRDMA_MEMREG_TYPE_QP:
+		total = req->sq_pages + req->rq_pages;
 		hmc_p = &qpmr->sq_pbl;
 		qpmr->shadow = (dma_addr_t)arr[total];
 
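Review bot: `arr[total]` in the IRDMA_MEMREG_TYPE_QP case is bounded only by the check this patch adds in irdma_reg_user_mr; irdma_handle_q_mem itself still indexes with the user-supplied req->sq_pages + req->rq_pages. A short comment here stating that the caller has verified sq_pages + rq_pages + 1 <= iwmr->page_cnt, or a defensive check in this function, would keep the invariant visible if another caller is added later.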
@@ -2406,7 +2405,7 @@ static int irdma_handle_q_mem(struct irdma_device *iwdev,
 		hmc_p = &cqmr->cq_pbl;
 
 		if (!cqmr->split)
-			cqmr->shadow = (dma_addr_t)arr[total];
+			cqmr->shadow = (dma_addr_t)arr[req->cq_pages];
 
 		if (use_pbles)
 			ret = irdma_check_mem_contiguous(arr, req->cq_pages,
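Review bot: the shadow read `arr[req->cq_pages]` is gated on `!cqmr->split`, while the bound added in irdma_reg_user_mr decides whether to count the shadow page from `feature_flags & IRDMA_FEATURE_CQ_RESIZE`. Nothing in the visible lines ties the two conditions together; if split can be false while the feature flag is set, the caller validates only req.cq_pages entries and this line reads one past them. Either derive both from the same condition or add a comment stating why they are always equivalent.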
@@ -2747,7 +2746,8 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
 	struct irdma_mr *iwmr;
 	struct ib_umem *region;
 	struct irdma_mem_reg_req req;
-	u32 stag = 0;
+	u32 total, stag = 0;
+	u8 shadow_pgcnt = 1;
 	bool use_pbles = false;
 	unsigned long flags;
 	int err = -EINVAL;
@@ -2801,7 +2801,13 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
 
 	switch (req.reg_type) {
 	case IRDMA_MEMREG_TYPE_QP:
-		use_pbles = ((req.sq_pages + req.rq_pages) > 2);
+		total = req.sq_pages + req.rq_pages + shadow_pgcnt;
+		if (total > iwmr->page_cnt) {
+			err = -EINVAL;
+			goto error;
+		}
+		total = req.sq_pages + req.rq_pages;
+		use_pbles = (total > 2);
 		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
 		if (err)
 			goto error;
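Review bot: `total` is computed twice in the IRDMA_MEMREG_TYPE_QP case, once with shadow_pgcnt and once without. Computing `total = req.sq_pages + req.rq_pages;` once and testing `total + shadow_pgcnt > iwmr->page_cnt` reads more directly and leaves `total` holding the value that `use_pbles` needs. A one-line comment that the u32 sum of the u16 page counts cannot wrap (the point made in the v1->v2 notes) would also help.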
@@ -2814,6 +2820,14 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
 		spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
 		break;
 	case IRDMA_MEMREG_TYPE_CQ:
+		if (iwdev->rf->sc_dev.hw_attrs.uk_attrs.feature_flags & IRDMA_FEATURE_CQ_RESIZE)
+			shadow_pgcnt = 0;
+		total = req.cq_pages + shadow_pgcnt;
+		if (total > iwmr->page_cnt) {
+			err = -EINVAL;
+			goto error;
+		}
+
 		use_pbles = (req.cq_pages > 1);
 		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
 		if (err)
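Review bot: the `if` on the IRDMA_FEATURE_CQ_RESIZE line runs well past 80 columns and carries no explanation of why the flag means there is no shadow page to account for. Consider a local pointer to `iwdev->rf->sc_dev.hw_attrs.uk_attrs` and a short comment; it would also be clearer to set `shadow_pgcnt` explicitly in each case rather than rely on the initializer at the top of the function for the QP path.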
-- 
2.27.0



* [PATCH v2 rdma-next 2/2] RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles
  2021-06-25 16:23 [PATCH v2 rdma-next 0/2] irdma coverity fixes Tatyana Nikolova
  2021-06-25 16:23 ` [PATCH v2 rdma-next 1/2] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object Tatyana Nikolova
@ 2021-06-25 16:23 ` Tatyana Nikolova
  2021-06-25 17:35 ` [PATCH v2 rdma-next 0/2] irdma coverity fixes Jason Gunthorpe
  2 siblings, 0 replies; 4+ messages in thread
From: Tatyana Nikolova @ 2021-06-25 16:23 UTC
  To: jgg, dledford
  Cc: linux-rdma, shiraz.saleem, mustafa.ismail, coverity-bot,
	Tatyana Nikolova

From: Shiraz Saleem <shiraz.saleem@intel.com>

Coverity reports a signed 32-bit overflow on "1 << pprm->pble_shift" when
used in the expression to compute bits_needed, which expects 64-bit unsigned.

Fix this by using 1ULL in the left shift operator and converting
mem_size to u64.

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1505157 ("Integer handling issues")
Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
---
 drivers/infiniband/hw/irdma/pble.h  | 2 +-
 drivers/infiniband/hw/irdma/utils.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/hw/irdma/pble.h b/drivers/infiniband/hw/irdma/pble.h
index e4e635dc4fd9..e1b3b8118a2c 100644
--- a/drivers/infiniband/hw/irdma/pble.h
+++ b/drivers/infiniband/hw/irdma/pble.h
@@ -121,7 +121,7 @@ enum irdma_status_code irdma_prm_add_pble_mem(struct irdma_pble_prm *pprm,
 					      struct irdma_chunk *pchunk);
 enum irdma_status_code
 irdma_prm_get_pbles(struct irdma_pble_prm *pprm,
-		    struct irdma_pble_chunkinfo *chunkinfo, u32 mem_size,
+		    struct irdma_pble_chunkinfo *chunkinfo, u64 mem_size,
 		    u64 **vaddr, u64 *fpm_addr);
 void irdma_prm_return_pbles(struct irdma_pble_prm *pprm,
 			    struct irdma_pble_chunkinfo *chunkinfo);
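Review bot: mem_size is widened to u64 in the prototype, but the patch touches no call site (its diffstat lists pble.h and utils.c only), so it is not visible whether callers already compute the size in 64 bits. If a caller builds the value in a u32 expression, the truncation simply moves to the call site; worth confirming and saying so in the commit message.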
diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
index ea1df5918c11..5bbe44e54f9a 100644
--- a/drivers/infiniband/hw/irdma/utils.c
+++ b/drivers/infiniband/hw/irdma/utils.c
@@ -2314,7 +2314,7 @@ enum irdma_status_code irdma_prm_add_pble_mem(struct irdma_pble_prm *pprm,
  */
 enum irdma_status_code
 irdma_prm_get_pbles(struct irdma_pble_prm *pprm,
-		    struct irdma_pble_chunkinfo *chunkinfo, u32 mem_size,
+		    struct irdma_pble_chunkinfo *chunkinfo, u64 mem_size,
 		    u64 **vaddr, u64 *fpm_addr)
 {
 	u64 bits_needed;
@@ -2326,7 +2326,7 @@ irdma_prm_get_pbles(struct irdma_pble_prm *pprm,
 	*vaddr = NULL;
 	*fpm_addr = 0;
 
-	bits_needed = (mem_size + (1 << pprm->pble_shift) - 1) >> pprm->pble_shift;
+	bits_needed = DIV_ROUND_UP_ULL(mem_size, BIT_ULL(pprm->pble_shift));
 
 	spin_lock_irqsave(&pprm->prm_lock, flags);
 	while (chunk_entry != &pprm->clist) {
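Review bot: the commit message describes the fix as putting 1ULL in the left shift operator, but the new bits_needed line is `DIV_ROUND_UP_ULL(mem_size, BIT_ULL(pprm->pble_shift))` and no shift remains. The v1->v2 notes in the cover letter mention the switch to DIV_ROUND_UP_ULL; the commit message should be updated to describe what the code now does.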
-- 
2.27.0



* Re: [PATCH v2 rdma-next 0/2] irdma coverity fixes
  2021-06-25 16:23 [PATCH v2 rdma-next 0/2] irdma coverity fixes Tatyana Nikolova
  2021-06-25 16:23 ` [PATCH v2 rdma-next 1/2] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object Tatyana Nikolova
  2021-06-25 16:23 ` [PATCH v2 rdma-next 2/2] RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles Tatyana Nikolova
@ 2021-06-25 17:35 ` Jason Gunthorpe
  2 siblings, 0 replies; 4+ messages in thread
From: Jason Gunthorpe @ 2021-06-25 17:35 UTC
  To: Tatyana Nikolova; +Cc: dledford, linux-rdma, shiraz.saleem, mustafa.ismail

On Fri, Jun 25, 2021 at 11:23:27AM -0500, Tatyana Nikolova wrote:
> This is a short series of coverity fixes for irdma.
> 
> Shiraz Saleem (2):
>   RDMA/irdma: Check contents of user-space irdma_mem_reg_req object
>   RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles

Applied to for-next, thanks

Jason
