shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-07 19:30:30 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
6f8b6627f367d040877afd44635b867109c142e9
linux/drivers
History
Leon Romanovsky 6f8b6627f3 RDMA/mlx5: Fix integer overflow while resizing CQ 
commit 28e9091e31 upstream.

The user can provide very large cqe_size which will cause to integer
overflow as it can be seen in the following UBSAN warning:

=======================================================================
UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53
signed integer overflow:
64870 * 65536 cannot be represented in type 'int'
CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware
name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
Call Trace:
 dump_stack+0xde/0x164
 ? dma_virt_map_sg+0x22c/0x22c
 ubsan_epilogue+0xe/0x81
 handle_overflow+0x1f3/0x251
 ? __ubsan_handle_negate_overflow+0x19b/0x19b
 ? lock_acquire+0x440/0x440
 mlx5_ib_resize_cq+0x17e7/0x1e40
 ? cyc2ns_read_end+0x10/0x10
 ? native_read_msr_safe+0x6c/0x9b
 ? cyc2ns_read_end+0x10/0x10
 ? mlx5_ib_modify_cq+0x220/0x220
 ? sched_clock_cpu+0x18/0x200
 ? lookup_get_idr_uobject+0x200/0x200
 ? rdma_lookup_get_uobject+0x145/0x2f0
 ib_uverbs_resize_cq+0x207/0x3e0
 ? ib_uverbs_ex_create_cq+0x250/0x250
 ib_uverbs_write+0x7f9/0xef0
 ? cyc2ns_read_end+0x10/0x10
 ? print_irqtrace_events+0x280/0x280
 ? ib_uverbs_ex_create_cq+0x250/0x250
 ? uverbs_devnode+0x110/0x110
 ? sched_clock_cpu+0x18/0x200
 ? do_raw_spin_trylock+0x100/0x100
 ? __lru_cache_add+0x16e/0x290
 __vfs_write+0x10d/0x700
 ? uverbs_devnode+0x110/0x110
 ? kernel_read+0x170/0x170
 ? sched_clock_cpu+0x18/0x200
 ? security_file_permission+0x93/0x260
 vfs_write+0x1b0/0x550
 SyS_write+0xc7/0x1a0
 ? SyS_read+0x1a0/0x1a0
 ? trace_hardirqs_on_thunk+0x1a/0x1c
 entry_SYSCALL_64_fastpath+0x1e/0x8b
RIP: 0033:0x433549
RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217
=======================================================================

Cc: syzkaller <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org> # 3.13
Fixes: bde51583f4 ("IB/mlx5: Add support for resize CQ")
Reported-by: Noa Osherovich <noaos@mellanox.com>
Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-18 11:17:48 +01:00
..
accessibility
acpi
ACPI: sbshc: remove raw pointer from printk() message
2018-02-16 20:09:47 +01:00
amba
android
binder: add missing binder_unlock()
2018-02-28 10:17:23 +01:00
ata
ahci: Add Intel Cannon Lake PCH-H PCI ID
2018-02-16 20:09:42 +01:00
atm
atm: horizon: Fix irq release error
2017-12-16 10:33:55 +01:00
auxdisplay
base
drivers: base: cacheinfo: fix boot error message when acpi is enabled
2018-01-31 12:06:08 +01:00
bcma
bcma: use (get|put)_device when probing/removing device driver
2017-03-12 06:37:30 +01:00
block
pktcdvd: Fix pkt_setup_dev() error path
2018-02-16 20:09:47 +01:00
bluetooth
Bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten" version
2018-02-16 20:09:46 +01:00
bus
sunxi-rsb: Include OF based modalias in device uevent
2018-01-10 09:27:09 +01:00
cdrom
char
tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
2018-03-11 16:19:44 +01:00
clk
clk: tegra: Fix cclk_lp divisor register
2017-12-20 10:04:59 +01:00
clocksource
clockevents/drivers/cs5535: Improve resilience to spurious interrupts
2017-10-27 10:23:17 +02:00
connector
cpufreq
cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
2018-03-11 16:19:44 +01:00
cpuidle
cpuidle: fix broadcast control when broadcast can not be entered
2017-12-25 14:22:15 +01:00
crypto
crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
2018-02-25 11:03:55 +01:00
dca
devfreq
PM / devfreq: Propagate error from devfreq_add_device()
2018-02-22 15:44:58 +01:00
dio
dma
dmaengine: zx: fix build warning
2018-02-25 11:03:50 +01:00
dma-buf
edac
EDAC, octeon: Fix an uninitialized variable warning
2018-02-16 20:09:47 +01:00
eisa
extcon
extcon: palmas: Check the parent instance to prevent the NULL
2017-11-21 09:21:18 +01:00
firewire
firewire: net: fix fragmented datagram_size off-by-one
2016-11-10 16:36:35 +01:00
firmware
efi/esrt: Cleanup bad memory map log messages
2017-12-20 10:04:56 +01:00
fmc
fpga
gpio
gpio: xgene: mark PM functions as __maybe_unused
2018-02-25 11:03:50 +01:00
gpu
drm/ttm: check the return value of kzalloc
2018-03-03 10:19:44 +01:00
hid
usb: ldusb: add PIDs for new CASSY devices supported by this driver
2018-02-28 10:17:23 +01:00
hsi
hv
Drivers: hv: vmbus: fix build warning
2018-02-25 11:03:46 +01:00
hwmon
hwmon: (pmbus) Use 64bit math for DIRECT format values
2018-02-03 17:04:28 +01:00
hwspinlock
drivers/hwspinlock: fix race between radix tree insertion and lookup
2016-02-25 12:01:23 -08:00
hwtracing
intel_th: pci: Add Gemini Lake support
2017-12-20 10:04:54 +01:00
i2c
i2c: remove __init from i2c_register_board_info()
2018-02-25 11:03:48 +01:00
ide
idle
idle: i7300: add PCI dependency
2018-02-25 11:03:51 +01:00
iio
iio: adis_lib: Initialize trigger before requesting interrupt
2018-02-28 10:17:22 +01:00
infiniband
RDMA/mlx5: Fix integer overflow while resizing CQ
2018-03-18 11:17:48 +01:00
input
Input: tca8418_keypad - hide gcc-4.9 -Wmaybe-uninitialized warning
2018-02-25 11:03:49 +01:00
iommu
iommu/arm-smmu-v3: Don't free page table ops twice
2018-01-17 09:35:25 +01:00
ipack
irqchip
irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
2018-02-28 10:17:22 +01:00
isdn
isdn: sc: work around type mismatch warning
2018-02-25 11:03:51 +01:00
leds
Revert "led: core: Fix brightness setting when setting delay_off=0"
2018-03-11 16:19:45 +01:00
lguest
lightnvm
lightnvm: put bio before return
2016-09-24 10:07:35 +02:00
macintosh
mailbox
mailbox: handle empty message in tx_tick
2017-08-06 19:19:41 -07:00
mcb
mcb: Fixed bar number assignment for the gdd
2016-06-01 12:15:53 -07:00
md
dm io: fix duplicate bio completion due to missing ref count
2018-03-11 16:19:47 +01:00
media
media: m88ds3103: don't call a non-initalized function
2018-03-11 16:19:44 +01:00
memory
ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
2017-12-16 10:33:51 +01:00
memstick
memstick: rtsx_usb_ms: Manage runtime PM when accessing the device
2016-10-28 03:01:35 -04:00
message
mptfusion: hide unused seq_mpt_print_ioc_summary function
2018-02-25 11:03:45 +01:00
mfd
mfd: twl6040: Fix child-node lookup
2018-01-02 20:33:20 +01:00
misc
cxl: Check if vphb exists before iterating over AFU devices
2017-12-25 14:22:08 +01:00
mmc
mmc: sdhci-of-esdhc: add/remove some quirks according to vendor version
2018-01-31 12:06:09 +01:00
mtd
mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM
2018-03-03 10:19:41 +01:00
net
ppp: prevent unregistered channels from connecting to PPP units
2018-03-11 16:19:46 +01:00
nfc
nfc: fdp: fix NULL pointer dereference
2017-08-06 19:19:40 -07:00
ntb
ntb_transport: fix bug calculating num_qps_mw
2017-08-30 10:19:29 +02:00
nubus
nvdimm
libnvdimm, namespace: make 'resource' attribute only readable by root
2017-11-30 08:37:23 +00:00
nvme
nvme: Fix managing degraded controllers
2018-02-16 20:09:47 +01:00
nvmem
nvmem: imx-ocotp: Fix wrong register size
2017-08-06 19:19:46 -07:00
of
of: device: Export of_device_{get_modalias, uvent_modalias} to modules
2017-07-27 15:06:09 -07:00
oprofile
parisc
parisc: Hide Diva-built-in serial aux and graphics card
2018-01-02 20:33:20 +01:00
parport
parisc, parport_gsc: Fixes for printk continuation lines
2017-06-17 06:39:37 +02:00
pci
PCI: keystone: Fix interrupt-controller-node lookup
2018-02-28 10:17:21 +01:00
pcmcia
pcmcia: db1xxx_ss: fix last irq_to_gpio user
2016-04-20 15:42:09 +09:00
perf
drivers/perf: arm_pmu: Fix leak in error path
2016-10-07 15:23:41 +02:00
phy
phy: work around 'phys' references to usb-nop-xceiv devices
2018-01-23 19:50:16 +01:00
pinctrl
pinctrl: sunxi: Fix A80 interrupt pin bank
2018-02-25 11:03:39 +01:00
platform
dell-wmi, dell-laptop: depends DMI
2018-02-25 11:03:51 +01:00
pnp
PNP: Add Broadwell to Intel MCH size workaround
2016-08-16 09:30:48 +02:00
power
power: bq27xxx_battery: mark some symbols __maybe_unused
2018-02-25 11:03:50 +01:00
powercap
pps
pps: do not crash when failed to register
2016-08-10 11:49:25 +02:00
ps3
ptp
pwm
pwm: pca9685: Fix period change with same duty cycle
2017-03-15 09:57:14 +08:00
rapidio
ras
regulator
regulator: fan53555: fix I2C device ids
2017-11-02 09:40:50 +01:00
remoteproc
remoteproc: Fix potential race condition in rproc_add
2016-08-20 18:09:20 +02:00
reset
rpmsg
rtc
rtc-opal: Fix handling of firmware error codes, prevent busy loops
2018-02-22 15:44:59 +01:00
s390
s390/qeth: fix IPA command submission race
2018-03-11 16:19:47 +01:00
sbus
scsi
scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error
2018-03-03 10:19:42 +01:00
sfi
sh
drivers: sh: Restore legacy clock domain on SuperH platforms
2016-03-09 15:34:49 -08:00
sn
soc
soc: qcom/spm: shut up uninitialized variable warning
2016-09-24 10:07:42 +02:00
spi
spi: atmel: fixed spin_lock usage inside atmel_spi_remove
2018-03-03 10:19:42 +01:00
spmi
spmi: Include OF based modalias in device uevent
2017-07-27 15:06:10 -07:00
ssb
ssb: mark ssb_bus_register as __maybe_unused
2018-02-25 11:03:44 +01:00
staging
staging: unisys: visorinput depends on INPUT
2018-02-25 11:03:48 +01:00
target
target/user: Fix cast from pointer to phys_addr_t
2018-02-25 11:03:46 +01:00
tc
thermal
thermal: spear: use __maybe_unused for PM functions
2018-02-25 11:03:44 +01:00
thunderbolt
thunderbolt: Fix double free of drom buffer
2016-06-01 12:15:53 -07:00
tty
serial: 8250_mid: fix broken DMA dependency
2018-02-25 11:03:49 +01:00
uio
uio: fix dmem_region_start computation
2016-10-31 04:13:59 -06:00
usb
usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path
2018-02-28 10:17:23 +01:00
uwb
uwb: ensure that endpoint is interrupt
2017-10-12 11:27:35 +02:00
vfio
vfio-pci: Handle error from pci_iomap
2017-08-06 19:19:46 -07:00
vhost
vhost_net: stop device during reset owner
2018-02-16 20:09:38 +01:00
video
fbdev: sm712fb: avoid unused function warnings
2018-02-25 11:03:47 +01:00
virt
virtio
virtio_balloon: prevent uninitialized variable use
2018-02-25 11:03:42 +01:00
vlynq
vme
vme: Fix wrong pointer utilization in ca91cx42_slave_get
2017-01-19 20:17:21 +01:00
w1
w1: ds2490: USB transfer buffers need to be DMAable
2017-03-12 06:37:29 +01:00
watchdog
watchdog: imx2_wdt: restore previous timeout after suspend+resume
2018-02-16 20:09:45 +01:00
xen
xen/gntdev: Fix partial gntdev_mmap() cleanup
2018-03-03 10:19:45 +01:00
zorro
Kconfig
Makefile
usb: build drivers/usb/common/ when USB_SUPPORT is set
2018-02-25 11:03:38 +01:00