From: Bjorn Helgaas <helgaas@kernel.org>
To: Yajun Deng <yajun.deng@linux.dev>
Cc: kurt.schwemmer@microsemi.com, logang@deltatee.com,
jdmason@kudzu.us, dave.jiang@intel.com, allenbh@gmail.com,
linux-pci@vger.kernel.org, ntb@lists.linux.dev,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
Date: Thu, 17 Aug 2023 12:25:16 -0500 [thread overview]
Message-ID: <20230817172516.GA321366@bhelgaas> (raw)
In-Reply-To: <20230816083305.1426718-1-yajun.deng@linux.dev>
On Wed, Aug 16, 2023 at 04:33:05PM +0800, Yajun Deng wrote:
> There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and
> size. This would make xlate_pos negative.
>
> [ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000
> [ 23.734158] ================================================================================
> [ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7
> [ 23.734418] shift exponent -1 is negative
>
> Ensuring xlate_pos is a positive or zero before BIT.
I assume Kurt or Logan will apply this and no need to repost for this,
but if you do repost for some reason, the timestamps and separator
lines above are clutter and don't contribute to understanding the
problem.
Also s/Ensuring/Ensure/
> Fixes: 1e2fd202f859 ("ntb_hw_switchtec: Check for alignment of the buffer in mw_set_trans()")
> Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
> ---
> drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
> index d6bbcc7b5b90..21468d4fef64 100644
> --- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
> +++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
> @@ -288,7 +288,7 @@ static int switchtec_ntb_mw_set_trans(struct ntb_dev *ntb, int pidx, int widx,
> if (size != 0 && xlate_pos < 12)
> return -EINVAL;
>
> - if (!IS_ALIGNED(addr, BIT_ULL(xlate_pos))) {
> + if (xlate_pos >= 0 && !IS_ALIGNED(addr, BIT_ULL(xlate_pos))) {
> /*
> * In certain circumstances we can get a buffer that is
> * not aligned to its size. (Most of the time
> --
> 2.25.1
>
prev parent reply other threads:[~2023-08-17 17:25 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-16 8:33 [PATCH] ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans Yajun Deng
2023-08-16 20:41 ` Logan Gunthorpe
2023-08-17 17:25 ` Bjorn Helgaas [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230817172516.GA321366@bhelgaas \
--to=helgaas@kernel.org \
--cc=allenbh@gmail.com \
--cc=dave.jiang@intel.com \
--cc=jdmason@kudzu.us \
--cc=kurt.schwemmer@microsemi.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=logang@deltatee.com \
--cc=ntb@lists.linux.dev \
--cc=yajun.deng@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).