RE: [EXTERNAL] [PATCH next] RDMA/mana_ib: Use safer allocation function()
From: Long Li
Date: Thu Mar 06 2025 - 15:04:35 EST
> Subject: [EXTERNAL] [PATCH next] RDMA/mana_ib: Use safer allocation
> function()
>
> My static checker says this multiplication can overflow. I'm not an expert in this
> code but the call tree would be:
>
> ib_uverbs_handler_UVERBS_METHOD_QP_CREATE() <- reads cap from the user
> -> ib_create_qp_user()
> -> create_qp()
> -> mana_ib_create_qp()
> -> mana_ib_create_ud_qp()
> -> create_shadow_queue()
>
> It can't hurt to use safer interfaces.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: c8017f5b4856 ("RDMA/mana_ib: UD/GSI work requests")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reviewed-by: Long Li <longli@xxxxxxxxxxxxx>
> ---
> There seems to be another integer overflow bug in mana_ib_queue_size() as
> well? It's basically the exact same issue. Maybe we could put a cap on
> attr->cap.max_send/recv_wr at a lower level. Maybe there already is some
> bounds checking that I have missed...
>
> drivers/infiniband/hw/mana/shadow_queue.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/hw/mana/shadow_queue.h
> b/drivers/infiniband/hw/mana/shadow_queue.h
> index d8bfb4c712d5..a4b3818f9c39 100644
> --- a/drivers/infiniband/hw/mana/shadow_queue.h
> +++ b/drivers/infiniband/hw/mana/shadow_queue.h
> @@ -40,7 +40,7 @@ struct shadow_queue {
>
> static inline int create_shadow_queue(struct shadow_queue *queue, uint32_t
> length, uint32_t stride) {
> - queue->buffer = kvmalloc(length * stride, GFP_KERNEL);
> + queue->buffer = kvmalloc_array(length, stride, GFP_KERNEL);
> if (!queue->buffer)
> return -ENOMEM;
>
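Review bot: kvmalloc_array(length, stride, GFP_KERNEL) in create_shadow_queue() stops the 32-bit wrap of length * stride, but nothing in this hunk bounds length, which the call tree in the commit message traces back to a cap read from the user. With the product no longer truncated, an oversized cap becomes a very large allocation attempt that is left to fail with -ENOMEM. Suggest validating the requested work-request count against a device or driver maximum before create_shadow_queue() is reached, which could also cover the mana_ib_queue_size() case raised under the --- line.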
> --
> 2.47.2
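
The overflow described in the commit message, as an added userspace example that is not part of the patch or the driver: it contrasts the wrapped uint32_t product with an overflow-checked size and an upper bound. The function names, the max_bytes cap and the sample values are assumptions made for illustration, and __builtin_mul_overflow (GCC/Clang) stands in for the kernel's checked multiply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: these names are hypothetical, not the driver's. */

/* Size the pre-patch expression would request: both operands are uint32_t,
 * so the product is computed modulo 2^32 before it is widened to size_t. */
static size_t unchecked_size(uint32_t length, uint32_t stride)
{
    return length * stride;
}

/* Checked form, in the spirit of kvmalloc_array(): widen first, then
 * refuse the request if length * stride does not fit in size_t. */
static int checked_size(uint32_t length, uint32_t stride, size_t *out)
{
    return __builtin_mul_overflow((size_t)length, (size_t)stride, out) ? -1 : 0;
}

/* Allocate a queue buffer. Returns NULL on overflow, on a zero-sized
 * request, or when the size exceeds max_bytes (an assumed policy cap). */
static void *alloc_queue(uint32_t length, uint32_t stride, size_t max_bytes)
{
    size_t bytes;

    if (checked_size(length, stride, &bytes) != 0)
        return NULL;
    if (bytes == 0 || bytes > max_bytes)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed sample values: 2^26 entries of 64 bytes = 2^32 bytes. */
    uint32_t length = 1u << 26, stride = 64;
    void *buf = alloc_queue(length, stride, (size_t)1 << 20);

    printf("unchecked size: %zu bytes\n", unchecked_size(length, stride));
    printf("bounded alloc:  %s\n", buf ? "granted" : "rejected");
    free(buf);
    return 0;
}
```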