linux_dsm_epyc7002/include/rdma
Dan Carpenter a9018adfde RDMA/uverbs: Prevent potential underflow
The issue is in drivers/infiniband/core/uverbs_std_types_cq.c in the
UVERBS_HANDLER(UVERBS_METHOD_CQ_CREATE) function.  We check that:

        if (attr.comp_vector >= attrs->ufile->device->num_comp_vectors) {

But we don't check if "attr.comp_vector" is negative.  It could
potentially lead to an array underflow.  My concern would be where
cq->vector is used in the create_cq() function from the cxgb4 driver.

And really "attr.comp_vector" is appears as a u32 to user space so that's
the right type to use.

Fixes: 9ee79fce36 ("IB/core: Add completion queue (cq) object actions")
Link: https://lore.kernel.org/r/20191011133419.GA22905@mwanda
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2019-10-22 15:05:36 -03:00
..
ib_addr.h
ib_cache.h
ib_cm.h
ib_fmr_pool.h
ib_hdrs.h
ib_mad.h
ib_marshall.h
ib_pack.h
ib_pma.h
ib_sa.h
ib_smi.h
ib_umem_odp.h
ib_umem.h
ib_verbs.h
ib.h
iw_cm.h
iw_portmap.h
mr_pool.h
opa_addr.h
opa_port_info.h
opa_smi.h
opa_vnic.h
rdma_cm_ib.h
rdma_cm.h
rdma_counter.h
rdma_netlink.h
rdma_vt.h
rdmavt_cq.h
rdmavt_mr.h
rdmavt_qp.h
restrack.h
rw.h
signature.h
tid_rdma_defs.h
uverbs_ioctl.h
uverbs_named_ioctl.h
uverbs_std_types.h
uverbs_types.h