[PATCH] uverbs: prevent potential underflow

From: Dan Carpenter
Date: Sat Oct 05 2019 - 01:25:00 EST

Next message: Andrey Smirnov: "[PATCH] dma-mapping: fix false positivse warnings in dma_common_free_remap()"
Previous message: kbuild test robot: "Re: [PATCH 3/3] net: phy: fixed_phy: switch to using fwnode_gpiod_get_index"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The issue is in drivers/infiniband/core/uverbs_std_types_cq.c in the
UVERBS_HANDLER(UVERBS_METHOD_CQ_CREATE) function. We check that:

if (attr.comp_vector >= attrs->ufile->device->num_comp_vectors) {

But we don't check that "attr.comp_vector" whether negative. It
could potentially lead to an array underflow. My concern would be where
cq->vector is used in the create_cq() function from the cxgb4 driver.

Fixes: 9ee79fce3642 ("IB/core: Add completion queue (cq) object actions")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/infiniband/core/uverbs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/uverbs.h b/drivers/infiniband/core/uverbs.h
index 1e5aeb39f774..63f7f7db5902 100644
--- a/drivers/infiniband/core/uverbs.h
+++ b/drivers/infiniband/core/uverbs.h
@@ -98,7 +98,7 @@ ib_uverbs_init_udata_buf_or_null(struct ib_udata *udata,

struct ib_uverbs_device {
atomic_t refcount;
- int num_comp_vectors;
+ u32 num_comp_vectors;
struct completion comp;
struct device dev;
/* First group for device attributes, NULL terminated array */
--
2.20.1

Next message: Andrey Smirnov: "[PATCH] dma-mapping: fix false positivse warnings in dma_common_free_remap()"
Previous message: kbuild test robot: "Re: [PATCH 3/3] net: phy: fixed_phy: switch to using fwnode_gpiod_get_index"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]