Hi,
While investigating one of the reports from the static analyzer (svacer), it
was discovered that attr.max_sge was not checked against the maximum value
in the mlx5_ib_create_srq function. However, this check is present in
https://github.com/linux-rdma/rdma-core. Checks are also present in
most other InfiniBand Linux kernel drivers. This may lead to incorrect
driver operation, for example:

    int mlx5_ib_read_wqe_srq(struct mlx5_ib_srq *srq, int wqe_index,
                             void *buffer, size_t buflen, size_t *bc)
    {
            struct ib_umem *umem = srq->umem;
            size_t wqe_size = 1 << srq->msrq.wqe_shift; // integer overflow here

            if (buflen < wqe_size)
                    return -EINVAL;

In my opinion, the only possible solution to this problem may be to add
a check to mlx5_ib_create_srq similar to the one in
https://github.com/linux-rdma/rdma-core, like:

    /* Largest scatter list that fits in the device's maximum receive WQE */
    u32 max_sge = MLX5_CAP_GEN(dev->mdev, max_wqe_sz_rq) /
                  sizeof(struct mlx5_wqe_data_seg);

    if (init_attr->attr.max_sge > max_sge) {
            mlx5_ib_dbg(dev, "max_sge %u, cap %u\n",
                        init_attr->attr.max_sge, max_sge);
            return -EINVAL;
    }

I would appreciate your suggestions and comments.
Best regards,
Danila
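
Added example, not part of the original message or of the mlx5 driver: a user-space C model of how an unbounded max_sge becomes a wqe_shift that overflows `1 << wqe_shift`, next to the cap check proposed above. The segment sizes, the 32-byte minimum, the power-of-two rounding and the 512-byte capability value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes for this model (not taken from the message above). */
#define NEXT_SEG_SIZE 16u   /* assumed per-WQE header size, bytes */
#define DATA_SEG_SIZE 16u   /* assumed size of one scatter entry, bytes */

/* Model: WQE size = header + max_sge entries, rounded up to a power of two.
 * Returns the shift such that (1 << shift) is that size. Uses 64-bit math
 * so the model itself cannot wrap. */
static unsigned wqe_shift_for(uint32_t max_sge)
{
    uint64_t size = NEXT_SEG_SIZE + (uint64_t)max_sge * DATA_SEG_SIZE;
    unsigned shift = 5;               /* assumed minimum WQE size: 32 bytes */

    while (((uint64_t)1 << shift) < size)
        shift++;
    return shift;
}

/* "1 << shift" is evaluated as a 32-bit int before it is widened to size_t,
 * so any shift >= 31 overflows (undefined behaviour in C). */
static int shift_overflows_int(unsigned shift)
{
    return shift >= 31;
}

/* The proposed bound: reject max_sge above capability / data segment size.
 * The capability is a parameter here; returns 0 or -22 (-EINVAL). */
static int check_max_sge(uint32_t max_sge, uint32_t max_wqe_sz_rq)
{
    uint32_t cap = max_wqe_sz_rq / DATA_SEG_SIZE;

    return max_sge > cap ? -22 : 0;
}

int main(void)
{
    const uint32_t cap_bytes = 512;   /* constructed device capability */
    const uint32_t samples[] = { 1, 32, 33, 0x08000000u, 0xffffffffu };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned s = wqe_shift_for(samples[i]);
        printf("max_sge=%u shift=%u overflow=%d check=%d\n", samples[i], s,
               shift_overflows_int(s), check_max_sge(samples[i], cap_bytes));
    }
    return 0;
}
```

With the check in place, every max_sge value that would reach an overflowing shift in this model is rejected before the shift is computed.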