On Thu, Dec 12, 2024 at 02:48:46PM +0800, guocai.he.cn@xxxxxxxxxxxxx wrote:
> From: Michal Schmidt <mschmidt@xxxxxxxxxx>
>
> commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
>
> Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
> with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
> In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
> roundup_pow_of_two is documented as undefined for 0.
>
> Fix it in the one caller that had this combination.
>
> The undefined behavior was detected by UBSAN:
> UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
> shift exponent 64 is too large for 64-bit type 'long unsigned int'
> CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
> Hardware name: Abacus electric, s.r.o. - servis@xxxxxxxxx Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x30
> __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
> __roundup_pow_of_two+0x25/0x35 [bnxt_re]
> bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
> bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
> bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? __kmalloc+0x1b6/0x4f0
> ? create_qp.part.0+0x128/0x1c0 [ib_core]
> ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
> create_qp.part.0+0x128/0x1c0 [ib_core]
> ib_create_qp_kernel+0x50/0xd0 [ib_core]
> create_mad_qp+0x8e/0xe0 [ib_core]
> ? __pfx_qp_event_handler+0x10/0x10 [ib_core]
> ib_mad_init_device+0x2be/0x680 [ib_core]
> add_client_context+0x10d/0x1a0 [ib_core]
> enable_device_and_get+0xe0/0x1d0 [ib_core]
> ib_register_device+0x53c/0x630 [ib_core]
> ? srso_alias_return_thunk+0x5/0xfbef5
> bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
> ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
> auxiliary_bus_probe+0x49/0x80
> ? driver_sysfs_add+0x57/0xc0
> really_probe+0xde/0x340
> ? pm_runtime_barrier+0x54/0x90
> ? __pfx___driver_attach+0x10/0x10
> __driver_probe_device+0x78/0x110
> driver_probe_device+0x1f/0xa0
> __driver_attach+0xba/0x1c0
> bus_for_each_dev+0x8f/0xe0
> bus_add_driver+0x146/0x220
> driver_register+0x72/0xd0
> __auxiliary_driver_register+0x6e/0xd0
> ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
> bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
> ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
> do_one_initcall+0x5b/0x310
> do_init_module+0x90/0x250
> init_module_from_file+0x86/0xc0
> idempotent_init_module+0x121/0x2b0
> __x64_sys_finit_module+0x5e/0xb0
> do_syscall_64+0x82/0x160
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? syscall_exit_to_user_mode_prepare+0x149/0x170
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? syscall_exit_to_user_mode+0x75/0x230
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? do_syscall_64+0x8e/0x160
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? __count_memcg_events+0x69/0x100
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? count_memcg_events.constprop.0+0x1a/0x30
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? handle_mm_fault+0x1f0/0x300
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? do_user_addr_fault+0x34e/0x640
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? srso_alias_return_thunk+0x5/0xfbef5
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
> RIP: 0033:0x7f4e5132821d
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
> RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
> RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
> RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
> R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
> R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
> </TASK>
> ---[ end trace ]---
>
> Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
> Signed-off-by: Michal Schmidt <mschmidt@xxxxxxxxxx>
> Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@xxxxxxxxxx
> Acked-by: Selvin Xavier <selvin.xavier@xxxxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx>
> Signed-off-by: Xiangyu Chen <xiangyu.chen@xxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
I have not signed off on this backport, why did you add this here? You
do know what this is saying right?
Please work with your other kernel developers at your company for you
all to come up with a better workflow for doing all of these backports.
What you are doing here now just isn't working for us at all, sorry.
greg k-h
