[PATCH rdma-next 2/2] RDMA/mlx5: Fix integer overflow of user QP buffer size

[Edward Srouji]

From: Maher Sanalla <msanalla@xxxxxxxxxx>

set_user_buf_size() calculates the QP buffer size by left‑shifting the
user‑provided rq.wqe_cnt and rq.wqe_shift as signed integers. A large
rq.wqe_cnt can trigger a signed integer overflow, which is undefined
behavior and may yield a small or even negative buf_size. This can lead
ib_umem_get() to map a buffer smaller than what the hardware will write.

Replace the existing shifts and additions with check_shl_overflow() and
check_add_overflow(), and reject invalid user inputs.

Apply the same checks to the calculation used for qp->sq.offset in
_create_user_qp(). Even though set_user_buf_size() validates this again,
the guard protects us against future changes in the internal
implementation.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Maher Sanalla <msanalla@xxxxxxxxxx>
Signed-off-by: Edward Srouji <edwards@xxxxxxxxxx>
---
 drivers/infiniband/hw/mlx5/qp.c | 43 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 5 deletions(-)

diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index 7674290d0afaf466a6b98cbed86d247ee550bd8d..6ecdbda2b471f6c102bceba5d02eb12af8d8e1b1 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -640,6 +640,8 @@ static int set_user_buf_size(struct mlx5_ib_dev *dev,
 			    struct ib_qp_init_attr *attr)
 {
 	int desc_sz = 1 << qp->sq.wqe_shift;
+	int rq_buf_size;
+	int sq_buf_size;
 
 	if (desc_sz > MLX5_CAP_GEN(dev->mdev, max_wqe_sz_sq)) {
 		mlx5_ib_warn(dev, "desc_sz %d, max_sq_desc_sz %d\n",
@@ -664,11 +666,36 @@ static int set_user_buf_size(struct mlx5_ib_dev *dev,
 
 	if (attr->qp_type == IB_QPT_RAW_PACKET ||
 	    qp->flags & IB_QP_CREATE_SOURCE_QPN) {
-		base->ubuffer.buf_size = qp->rq.wqe_cnt << qp->rq.wqe_shift;
-		qp->raw_packet_qp.sq.ubuffer.buf_size = qp->sq.wqe_cnt << 6;
+		if (check_shl_overflow(qp->rq.wqe_cnt, qp->rq.wqe_shift,
+				       &base->ubuffer.buf_size)) {
+			mlx5_ib_warn(dev, "rq buf size overflow: wqe_cnt %d wqe_shift %d\n",
+				     qp->rq.wqe_cnt, qp->rq.wqe_shift);
+			return -EINVAL;
+		}
+		if (check_shl_overflow(qp->sq.wqe_cnt, 6,
+				       &qp->raw_packet_qp.sq.ubuffer.buf_size)) {
+			mlx5_ib_warn(dev, "sq buf size overflow: wqe_cnt %d\n",
+				     qp->sq.wqe_cnt);
+			return -EINVAL;
+		}
 	} else {
-		base->ubuffer.buf_size = (qp->rq.wqe_cnt << qp->rq.wqe_shift) +
-					 (qp->sq.wqe_cnt << 6);
+		if (check_shl_overflow(qp->rq.wqe_cnt, qp->rq.wqe_shift,
+				       &rq_buf_size)) {
+			mlx5_ib_warn(dev, "rq buf size overflow: wqe_cnt %d wqe_shift %d\n",
+				     qp->rq.wqe_cnt, qp->rq.wqe_shift);
+			return -EINVAL;
+		}
+		if (check_shl_overflow(qp->sq.wqe_cnt, 6, &sq_buf_size)) {
+			mlx5_ib_warn(dev, "sq buf size overflow: wqe_cnt %d\n",
+				     qp->sq.wqe_cnt);
+			return -EINVAL;
+		}
+		if (check_add_overflow(rq_buf_size, sq_buf_size,
+				       &base->ubuffer.buf_size)) {
+			mlx5_ib_warn(dev, "qp buf size overflow: rq %d sq %d\n",
+				     rq_buf_size, sq_buf_size);
+			return -EINVAL;
+		}
 	}
 
 	return 0;
@@ -997,7 +1024,13 @@ static int _create_user_qp(struct mlx5_ib_dev *dev, struct ib_pd *pd,
 
 	qp->rq.offset = 0;
 	qp->sq.wqe_shift = ilog2(MLX5_SEND_WQE_BB);
-	qp->sq.offset = qp->rq.wqe_cnt << qp->rq.wqe_shift;
+	if (check_shl_overflow(qp->rq.wqe_cnt, qp->rq.wqe_shift,
+			       &qp->sq.offset)) {
+		mlx5_ib_warn(dev, "sq offset overflow: wqe_cnt %d wqe_shift %d\n",
+			     qp->rq.wqe_cnt, qp->rq.wqe_shift);
+		err = -EINVAL;
+		goto err_bfreg;
+	}
 
 	err = set_user_buf_size(dev, qp, ucmd, base, attr);
 	if (err)

-- 
2.49.0