4.14-stable patches
1 From 002bf2282b2d7318e444dca9ffcb994afc5d5f15 Mon Sep 17 00:00:00 2001
2 From: Leon Romanovsky <leonro@mellanox.com>
3 Date: Mon, 23 Apr 2018 17:01:53 +0300
4 Subject: RDMA/mlx5: Protect from shift operand overflow
5
6 From: Leon Romanovsky <leonro@mellanox.com>
7
8 commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream.
9
10 Ensure that the user did not supply values large enough to cause an overflow.
11
12 UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:263:23
13 shift exponent -2147483648 is negative
14 CPU: 0 PID: 292 Comm: syzkaller612609 Not tainted 4.16.0-rc1+ #131
15 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 Call
16 Trace:
17 dump_stack+0xde/0x164
18 ubsan_epilogue+0xe/0x81
19 set_rq_size+0x7c2/0xa90
20 create_qp_common+0xc18/0x43c0
21 mlx5_ib_create_qp+0x379/0x1ca0
22 create_qp.isra.5+0xc94/0x2260
23 ib_uverbs_create_qp+0x21b/0x2a0
24 ib_uverbs_write+0xc2c/0x1010
25 vfs_write+0x1b0/0x550
26 SyS_write+0xc7/0x1a0
27 do_syscall_64+0x1aa/0x740
28 entry_SYSCALL_64_after_hwframe+0x26/0x9b
29 RIP: 0033:0x433569
30 RSP: 002b:00007ffc6e62f448 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
31 RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433569
32 RDX: 0000000000000070 RSI: 00000000200042c0 RDI: 0000000000000003
33 RBP: 00000000006d5018 R08: 00000000004002f8 R09: 00000000004002f8
34 R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000
35 R13: 000000000040c9f0 R14: 000000000040ca80 R15: 0000000000000006
36
37 Cc: <stable@vger.kernel.org> # 3.10
38 Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
39 Cc: syzkaller <syzkaller@googlegroups.com>
40 Reported-by: Noa Osherovich <noaos@mellanox.com>
41 Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
42 Signed-off-by: Doug Ledford <dledford@redhat.com>
43 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
44
45 ---
46 drivers/infiniband/hw/mlx5/qp.c | 4 ++++
47 1 file changed, 4 insertions(+)
48
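--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -256,7 +256,11 @@ static int set_rq_size(struct mlx5_ib_de
 } else {
 if (ucmd) {
 qp->rq.wqe_cnt = ucmd->rq_wqe_count;
+ if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift))
+ return -EINVAL;
 qp->rq.wqe_shift = ucmd->rq_wqe_shift;
+ if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig)
+ return -EINVAL;
 qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig;
 qp->rq.max_post = qp->rq.wqe_cnt;
 } else {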
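Review bot: The new bound on `ucmd->rq_wqe_shift` still admits shift counts that are undefined for `1 << qp->rq.wqe_shift`: the comparison uses `>` against the bit width of the field, so a value equal to that width passes, and (assuming the field is 32 bits wide, which the hunk does not show) 31 also passes and overflows the signed `int` literal `1`. For those values the shifted result is not meaningful, so the following `< qp->wq_sig` comparison cannot be relied on to reject them and `qp->rq.max_gs` may be derived from a bogus size. Bounding against the width of the shifted operand would close the gap, e.g. `if (ucmd->rq_wqe_shift >= BITS_PER_BYTE * sizeof(int) - 1) return -EINVAL;`, or tighter still against the device's maximum receive WQE size if that is available in this function. Separately, `qp->rq.wqe_cnt` is assigned from user input before either check runs; set_rq_size begins and ends outside the hunk, so whether callers discard `qp` on `-EINVAL` is not visible here.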