linux-sg2042/include/rdma
Dan Carpenter a9018adfde RDMA/uverbs: Prevent potential underflow
The issue is in drivers/infiniband/core/uverbs_std_types_cq.c in the
UVERBS_HANDLER(UVERBS_METHOD_CQ_CREATE) function.  We check that:

        if (attr.comp_vector >= attrs->ufile->device->num_comp_vectors) {

But we don't check if "attr.comp_vector" is negative.  It could
potentially lead to an array underflow.  My concern would be where
cq->vector is used in the create_cq() function from the cxgb4 driver.

And really "attr.comp_vector" is appears as a u32 to user space so that's
the right type to use.

Fixes: 9ee79fce36 ("IB/core: Add completion queue (cq) object actions")
Link: https://lore.kernel.org/r/20191011133419.GA22905@mwanda
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2019-10-22 15:05:36 -03:00
..
ib.h RDMA: Make most headers compile stand alone 2019-07-25 13:58:47 -03:00
ib_addr.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
ib_cache.h RDMA/cma: Use rdma_read_gid_attr_ndev_rcu to access netdev 2019-05-03 11:10:03 -03:00
ib_cm.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
ib_fmr_pool.h IB/core: Make function ib_fmr_pool_unmap return void 2018-11-21 16:13:02 -07:00
ib_hdrs.h IB/hfi1: Build TID RDMA WRITE request 2019-02-05 18:07:43 -05:00
ib_mad.h RDMA: Use __packed annotation instead of __attribute__ ((packed)) 2019-03-25 21:14:12 -03:00
ib_marshall.h IB/core: Convert ah_attr from OPA to IB when copying to user 2017-08-08 14:47:18 -04:00
ib_pack.h IB/core: Fix calculation of maximum RoCE MTU 2017-10-18 12:11:36 -04:00
ib_pma.h IB/core: Display extended counter set if available 2015-12-23 15:58:30 -05:00
ib_sa.h RDMA/core: Annotate timeout as unsigned long 2018-10-16 13:34:01 -04:00
ib_smi.h RDMA: Use __packed annotation instead of __attribute__ ((packed)) 2019-03-25 21:14:12 -03:00
ib_umem.h RDMA/odp: remove ib_ucontext from ib_umem 2019-08-21 20:58:19 -03:00
ib_umem_odp.h RDMA/odp: use mmu_notifier_get/put for 'struct ib_ucontext_per_mm' 2019-08-21 20:58:18 -03:00
ib_verbs.h RDMA/uverbs: Prevent potential underflow 2019-10-22 15:05:36 -03:00
iw_cm.h RDMA: Get rid of iw_cm_verbs 2019-05-03 10:56:56 -03:00
iw_portmap.h RDMA: Make most headers compile stand alone 2019-07-25 13:58:47 -03:00
mr_pool.h Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
opa_addr.h include/rdma/opa_addr.h: Fix an endianness issue 2018-07-03 14:11:34 -06:00
opa_port_info.h RDMA: Make most headers compile stand alone 2019-07-25 13:58:47 -03:00
opa_smi.h RDMA: Use __packed annotation instead of __attribute__ ((packed)) 2019-03-25 21:14:12 -03:00
opa_vnic.h IB/hfi1: Add support to receive 16B bypass packets 2017-08-22 14:22:37 -04:00
rdma_cm.h IB/cma: Define option to set ack timeout and pack tos_set 2019-02-08 16:14:21 -07:00
rdma_cm_ib.h RDMA/{cma, ucma}: Simplify and rename rdma_set_ib_paths 2018-01-10 22:00:33 -07:00
rdma_counter.h RDMA/core: Make rdma_counter.h compile stand alone 2019-07-09 09:44:47 -03:00
rdma_netlink.h RDMA/core: Support netlink commands in non init_net net namespaces 2019-07-25 14:12:41 -03:00
rdma_vt.h IB/{rdmavt, hfi1, qib}: Add a counter for credit waits 2019-09-13 16:59:55 -03:00
rdmavt_cq.h RDMA: Make most headers compile stand alone 2019-07-25 13:58:47 -03:00
rdmavt_mr.h IB/rdmavt: Handle dereg of inuse MRs properly 2017-08-28 19:12:31 -04:00
rdmavt_qp.h IB/{rdmavt, hfi1, qib}: Add a counter for credit waits 2019-09-13 16:59:55 -03:00
restrack.h RDMA/restrack: Rewrite PID namespace check to be reliable 2019-08-20 13:44:44 -04:00
rw.h Linux 5.2-rc6 2019-06-28 21:18:23 -03:00
signature.h RDMA: Make most headers compile stand alone 2019-07-25 13:58:47 -03:00
tid_rdma_defs.h IB/hfi1: Build TID RDMA WRITE request 2019-02-05 18:07:43 -05:00
uverbs_ioctl.h IB/verbs: Add helper function rdma_udata_to_drv_context 2019-02-15 11:17:25 -07:00
uverbs_named_ioctl.h RDMA/uverbs: Fix typo in string concatenation macro 2018-12-06 21:11:06 -07:00
uverbs_std_types.h IB: When attrs.udata/ufile is available use that instead of uobject 2019-04-08 13:05:25 -03:00
uverbs_types.h IB: Pass uverbs_attr_bundle down uobject destroy path 2019-04-01 14:55:36 -03:00