> Subject: Coverity: irdma_reg_user_mr(): TAINTED_SCALAR
>
> Hello!
>
> This is an experimental semi-automated report about issues detected by Coverity
> from a scan of next-20210608 as part of the linux-next scan project:
> https://scan.coverity.com/projects/linux-next-weekly-scan
>
> You're getting this email because you were associated with the identified lines of
> code (noted below) that were touched by commits:
>
>   Wed Jun 2 19:55:18 2021 -0300
>     b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
>
> (Editor's note: I believe the issues below are basically summarized as "the contents
> of req came from userspace and did not get validated before being used for
> things like array indexing, etc")
>
> Coverity reported the following:
>
> *** CID 1505160:  (TAINTED_SCALAR)
> /drivers/infiniband/hw/irdma/verbs.c: 2812 in irdma_reg_user_mr()
> 2806                 list_add_tail(&iwpbl->list, &ucontext->qp_reg_mem_list);
> 2807                 iwpbl->on_list = true;
> 2808                 spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
> 2809                 break;
> 2810         case IRDMA_MEMREG_TYPE_CQ:
> 2811                 use_pbles = (req.cq_pages > 1);
> vvv     CID 1505160:  (TAINTED_SCALAR)
> vvv     Passing tainted variable "req.rq_pages" to a tainted sink.
> 2812                 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2813                 if (err)
> 2814                         goto error;
> 2815
> 2816                 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2817                                                      ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
> 2793         iwmr->type = req.reg_type;
> 2794         iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
> 2795
> 2796         switch (req.reg_type) {
> 2797         case IRDMA_MEMREG_TYPE_QP:
> 2798                 use_pbles = ((req.sq_pages + req.rq_pages) > 2);
> vvv     CID 1505160:  (TAINTED_SCALAR)
> vvv     Passing tainted variable "req.cq_pages" to a tainted sink.
> 2799                 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2800                 if (err)
> 2801                         goto error;
> 2802
> 2803                 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2804                                                      ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
> 2793         iwmr->type = req.reg_type;
> 2794         iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
> 2795
> 2796         switch (req.reg_type) {
> 2797         case IRDMA_MEMREG_TYPE_QP:
> 2798                 use_pbles = ((req.sq_pages + req.rq_pages) > 2);
> vvv     CID 1505160:  (TAINTED_SCALAR)
> vvv     Passing tainted variable "req.sq_pages" to a tainted sink.
> 2799                 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2800                 if (err)
> 2801                         goto error;
> 2802
> 2803                 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2804                                                      ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
> 2793         iwmr->type = req.reg_type;
> 2794         iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
> 2795
> 2796         switch (req.reg_type) {
> 2797         case IRDMA_MEMREG_TYPE_QP:
> 2798                 use_pbles = ((req.sq_pages + req.rq_pages) > 2);
> vvv     CID 1505160:  (TAINTED_SCALAR)
> vvv     Passing tainted variable "req.rq_pages" to a tainted sink.
> 2799                 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2800                 if (err)
> 2801                         goto error;
> 2802
> 2803                 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2804                                                      ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2812 in irdma_reg_user_mr()
> 2806                 list_add_tail(&iwpbl->list, &ucontext->qp_reg_mem_list);
> 2807                 iwpbl->on_list = true;
> 2808                 spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
> 2809                 break;
> 2810         case IRDMA_MEMREG_TYPE_CQ:
> 2811                 use_pbles = (req.cq_pages > 1);
> vvv     CID 1505160:  (TAINTED_SCALAR)
> vvv     Passing tainted variable "req.sq_pages" to a tainted sink.
> 2812                 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2813                 if (err)
> 2814                         goto error;
> 2815
> 2816                 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2817                                                      ibucontext);
>
> If this is a false positive, please let us know so we can mark it as such, or teach
> the Coverity rules to be smarter. If not, please make sure fixes get into linux-next.
> :) For patches fixing this, please include these lines (but double-check the "Fixes"
> first):
>
> Reported-by: coverity-bot <keescook+coverity-bot@xxxxxxxxxxxx>
> Addresses-Coverity-ID: 1505160 ("TAINTED_SCALAR")
> Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
>
> Thanks for your attention!

This appears to be a bug. We will send a fix.

Shiraz
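An added example, not the irdma driver's code and not the fix Shiraz refers to, of the kind of bounds check that stops the tainted page counts before they reach the irdma_handle_q_mem() sink: the field names reg_type, sq_pages, rq_pages and cq_pages come from the report, while the struct layout, the enum values, validate_q_pages() and the outcome() helper are assumptions made here. The check compares the user-supplied counts against page_cnt, the value the kernel itself derived from the pinned region (iwmr->page_cnt in the report), and widens before adding so a 16-bit sum cannot wrap past the check.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed mirror of the user-supplied registration request. Field names
 * follow the Coverity report; layout and enum values are assumptions. */
enum mem_reg_type { MEMREG_TYPE_QP = 1, MEMREG_TYPE_CQ = 2 };

struct mem_reg_req {
    uint16_t reg_type;
    uint16_t cq_pages;
    uint16_t rq_pages;
    uint16_t sq_pages;
};

/* Validate the tainted page counts against page_cnt, the kernel-computed
 * number of DMA blocks in the pinned region, before they size or index any
 * page-buffer list. Returns 0 and sets *use_pbles, or -EINVAL if a count
 * exceeds what the region actually contains. */
int validate_q_pages(const struct mem_reg_req *req, uint32_t page_cnt,
                     bool *use_pbles)
{
    uint32_t total;

    switch (req->reg_type) {
    case MEMREG_TYPE_QP:
        total = (uint32_t)req->sq_pages + req->rq_pages; /* no u16 wrap */
        if (total > page_cnt)
            return -EINVAL;
        *use_pbles = total > 2;          /* same rule as report line 2798 */
        return 0;
    case MEMREG_TYPE_CQ:
        if (req->cq_pages > page_cnt)
            return -EINVAL;
        *use_pbles = req->cq_pages > 1;  /* same rule as report line 2811 */
        return 0;
    default:
        return -EINVAL;                  /* unknown reg_type is rejected too */
    }
}

/* Helper for exercising the check: -1 when the request is rejected,
 * otherwise the resulting use_pbles as 0/1. */
int outcome(uint16_t type, uint16_t sq, uint16_t rq, uint16_t cq, uint32_t page_cnt)
{
    struct mem_reg_req req = { .reg_type = type, .cq_pages = cq,
                               .rq_pages = rq, .sq_pages = sq };
    bool use_pbles = false;

    return validate_q_pages(&req, page_cnt, &use_pbles) ? -1 : (int)use_pbles;
}
```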