On Tue, Nov 15, 2022 at 06:07:47PM +0100, Bernard Metzler wrote:
> A malicious user may write undefined values into memory mapped completion
> queue elements status or opcode. Undefined status or opcode values will
> result in out-of-bounds access to an array mapping siw internal
> representation of opcode and status to RDMA core representation when
> reaping CQ elements. While siw detects those undefined values,
> it did not correctly set completion status to a defined value, thus
> defeating the whole purpose of the check.
>
> This bug leads to the following Smatch static checker warning:
>
>     drivers/infiniband/sw/siw/siw_cq.c:96 siw_reap_cqe()
>     error: buffer overflow 'map_cqe_status' 10 <= 21
>
> Fixes: bdf1da5df9da: ("RDMA/siw: Fix immediate work request flush to completion queue")
> Reported-by: Dan Carpenter <error27@xxxxxxxxx>
> Signed-off-by: Bernard Metzler <bmt@xxxxxxxxxxxxxx>
> ---
>  drivers/infiniband/sw/siw/siw_cq.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Applied to for-next, thanks

Jason
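
The failure mode described in the quoted commit message, sketched as an added example that is not code from the patch or from the siw driver: a range check on a value read from user-writable queue memory only helps if the replacement value is itself a valid index. All names and values are hypothetical, and the flawed variant assumes, for illustration, that the replacement was taken from the core-side enum.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical enums and table; not the siw driver's definitions. */
enum drv_status { DRV_SUCCESS, DRV_LOC_LEN_ERR, DRV_GENERAL_ERR, DRV_NUM_STATUS };
enum core_status { CORE_SUCCESS = 0, CORE_LOC_LEN_ERR = 1, CORE_GENERAL_ERR = 21 };

static const enum core_status map_status[DRV_NUM_STATUS] = {
    [DRV_SUCCESS]     = CORE_SUCCESS,
    [DRV_LOC_LEN_ERR] = CORE_LOC_LEN_ERR,
    [DRV_GENERAL_ERR] = CORE_GENERAL_ERR,
};

/* Completion entry in memory that the user process can also write. */
struct cqe { volatile uint8_t status; };

/* Flawed: the bad value is detected, but the replacement comes from the
 * core enum (21), which is still not a valid index into map_status[]. */
static unsigned index_flawed(const struct cqe *c)
{
    unsigned s = c->status;        /* read shared memory once, then use the copy */
    if (s >= DRV_NUM_STATUS)
        s = CORE_GENERAL_ERR;
    return s;
}

/* Corrected: the replacement is a defined driver-side value. */
static unsigned index_checked(const struct cqe *c)
{
    unsigned s = c->status;
    if (s >= DRV_NUM_STATUS)
        s = DRV_GENERAL_ERR;
    return s;
}

/* Translate to the core representation using the checked index only. */
static enum core_status reap_status(const struct cqe *c)
{
    return map_status[index_checked(c)];
}

int main(void)
{
    struct cqe forged = { .status = 200 };   /* constructed sample entry */
    printf("flawed index %u, table size %d\n", index_flawed(&forged), DRV_NUM_STATUS);
    printf("checked index %u -> core status %d\n", index_checked(&forged), (int)reap_status(&forged));
    return 0;
}
```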