On Wed, Mar 05, 2025 at 10:57:49PM +0300, Dan Carpenter wrote:
> Hello Konstantin Taranov,
>
> Commit 44b607ad4cdf ("RDMA/mana_ib: implement uapi for creation of
> rnic cq") from Apr 26, 2024 (linux-next), leads to the following
> Smatch static checker warning:
>
> drivers/infiniband/hw/mana/cq.c:48 mana_ib_create_cq()
> warn: potential user controlled sizeof overflow 'cq->cqe * 64' 's32min-s32max * 64'
>
> drivers/infiniband/hw/mana/cq.c
> 8 int mana_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
> 9 struct uverbs_attr_bundle *attrs)
> 10 {
> 11 struct ib_udata *udata = &attrs->driver_udata;
> 12 struct mana_ib_cq *cq = container_of(ibcq, struct mana_ib_cq, ibcq);
> 13 struct mana_ib_create_cq_resp resp = {};
> 14 struct mana_ib_ucontext *mana_ucontext;
> 15 struct ib_device *ibdev = ibcq->device;
> 16 struct mana_ib_create_cq ucmd = {};
> 17 struct mana_ib_dev *mdev;
> 18 struct gdma_context *gc;
> 19 bool is_rnic_cq;
> 20 u32 doorbell;
> 21 u32 buf_size;
> 22 int err;
> 23
> 24 mdev = container_of(ibdev, struct mana_ib_dev, ib_dev);
> 25 gc = mdev_to_gc(mdev);
> 26
> 27 cq->comp_vector = attr->comp_vector % ibdev->num_comp_vectors;
> 28 cq->cq_handle = INVALID_MANA_HANDLE;
> 29
> 30 if (udata) {
> 31 if (udata->inlen < offsetof(struct mana_ib_create_cq, flags))
> 32 return -EINVAL;
> 33
> 34 err = ib_copy_from_udata(&ucmd, udata, min(sizeof(ucmd), udata->inlen));
> ^^^^
> ucmd.flags is set by the user here.
>
> 35 if (err) {
> 36 ibdev_dbg(ibdev, "Failed to copy from udata for create cq, %d\n", err);
> 37 return err;
> 38 }
> 39
> 40 is_rnic_cq = !!(ucmd.flags & MANA_IB_CREATE_RNIC_CQ);
> 41
> 42 if (!is_rnic_cq && attr->cqe > mdev->adapter_caps.max_qp_wr) {
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> attr->cqe used to be bounds checked every time, but now the user can
> skip setting the flag for bounds checking.
>
> 43 ibdev_dbg(ibdev, "CQE %d exceeding limit\n", attr->cqe);
> 44 return -EINVAL;
> 45 }
> 46
> 47 cq->cqe = attr->cqe;
> --> 48 err = mana_ib_create_queue(mdev, ucmd.buf_addr, cq->cqe * COMP_ENTRY_SIZE,
> ^^^^^^^^^^^^^^^^^^^^^^^^^
>
> This can lead to integer wrapping.
>
> The call tree is:
>
> ib_uverbs_create_cq() <- copies cmd.cqe from the user
> -> create_cq() calls (struct ib_device_ops)->create_cq()
> -> mana_ib_create_cq()
>
> I'm not sure if this integer overflow has any negative effects. I think
> it's probably fine?
It is not nice and worth to be fixed, but technically it looks like size
(cq->cqe * COMP_ENTRY_SIZE) is used to get UMEM memory, so we will allocate
less than driver would like to.
Thanks
