Patch "RDMA/core: Prevent divide-by-zero error triggered by the user" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 23 May 2021 16:06:30 -0400

This is a note to let you know that I've just added the patch titled

    RDMA/core: Prevent divide-by-zero error triggered by the user

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rdma-core-prevent-divide-by-zero-error-triggered-by-.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 4ce4c09cf51c00b4d73330d42d03f45f8e230c2d
Author: Leon Romanovsky <leonro@xxxxxxxxxx>
Date:   Mon May 10 17:46:00 2021 +0300

    RDMA/core: Prevent divide-by-zero error triggered by the user
    
    [ Upstream commit 54d87913f147a983589923c7f651f97de9af5be1 ]
    
    The user_entry_size is supplied by the user and later used as a
    denominator to calculate number of entries. The zero supplied by the user
    will trigger the following divide-by-zero error:
    
     divide error: 0000 [#1] SMP KASAN PTI
     CPU: 4 PID: 497 Comm: c_repro Not tainted 5.13.0-rc1+ #281
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
     RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_GID_TABLE+0x1b1/0x510
     Code: 87 59 03 00 00 e8 9f ab 1e ff 48 8d bd a8 00 00 00 e8 d3 70 41 ff 44 0f b7 b5 a8 00 00 00 e8 86 ab 1e ff 31 d2 4c 89 f0 31 ff <49> f7 f5 48 89 d6 48 89 54 24 10 48 89 04 24 e8 1b ad 1e ff 48 8b
     RSP: 0018:ffff88810416f828 EFLAGS: 00010246
     RAX: 0000000000000008 RBX: 1ffff1102082df09 RCX: ffffffff82183f3d
     RDX: 0000000000000000 RSI: ffff888105f2da00 RDI: 0000000000000000
     RBP: ffff88810416fa98 R08: 0000000000000001 R09: ffffed102082df5f
     R10: ffff88810416faf7 R11: ffffed102082df5e R12: 0000000000000000
     R13: 0000000000000000 R14: 0000000000000008 R15: ffff88810416faf0
     FS:  00007f5715efa740(0000) GS:ffff88811a700000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 0000000020000840 CR3: 000000010c2e0001 CR4: 0000000000370ea0
     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
     DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
     Call Trace:
      ? ib_uverbs_handler_UVERBS_METHOD_INFO_HANDLES+0x4b0/0x4b0
      ib_uverbs_cmd_verbs+0x1546/0x1940
      ib_uverbs_ioctl+0x186/0x240
      __x64_sys_ioctl+0x38a/0x1220
      do_syscall_64+0x3f/0x80
      entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    Fixes: 9f85cbe50aa0 ("RDMA/uverbs: Expose the new GID query API to user space")
    Link: https://lore.kernel.org/r/b971cc70a8b240a8b5eda33c99fa0558a0071be2.1620657876.git.leonro@xxxxxxxxxx
    Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/infiniband/core/uverbs_std_types_device.c b/drivers/infiniband/core/uverbs_std_types_device.c
index 9ec6971056fa..a03021d94e11 100644
--- a/drivers/infiniband/core/uverbs_std_types_device.c
+++ b/drivers/infiniband/core/uverbs_std_types_device.c
@@ -331,6 +331,9 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QUERY_GID_TABLE)(
 	if (ret)
 		return ret;
 
+	if (!user_entry_size)
+		return -EINVAL;
+
 	max_entries = uverbs_attr_ptr_get_array_size(
 		attrs, UVERBS_ATTR_QUERY_GID_TABLE_RESP_ENTRIES,
 		user_entry_size);






