Commit fbb6a66c authored Jul 18, 2024 by Patrisious Haddad Committed by Liu Jian Jul 18, 2024

RDMA/mlx5: Add check for srq max_sge attribute

stable inclusion
from stable-v5.10.221
commit 7186b81c1f15e39069b1af172c6a951728ed3511
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACS56
CVE: CVE-2024-40990

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7186b81c1f15e39069b1af172c6a951728ed3511



---------------------------

[ Upstream commit 36ab7ada64caf08f10ee5a114d39964d1f91e81d ]

max_sge attribute is passed by the user, and is inserted and used
unchecked, so verify that the value doesn't exceed maximum allowed value
before using it.

Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Link: https://lore.kernel.org/r/277ccc29e8d57bfd53ddeb2ac633f2760cf8cdd0.1716900410.git.leon@kernel.org


Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Liu Jian <liujian56@huawei.com>

parent dc1965ad

drivers/infiniband/hw/mlx5/srq.c

+9 −6

Original line number	Diff line number	Diff line
		@@ -225,12 +225,15 @@ int mlx5_ib_create_srq(struct ib_srq *ib_srq,
		int err;
		struct mlx5_srq_attr in = {};
		__u32 max_srq_wqes = 1 << MLX5_CAP_GEN(dev->mdev, log_max_srq_sz);
		__u32 max_sge_sz = MLX5_CAP_GEN(dev->mdev, max_wqe_sz_rq) /
		sizeof(struct mlx5_wqe_data_seg);

		/* Sanity check SRQ size before proceeding */
		if (init_attr->attr.max_wr >= max_srq_wqes) {
		mlx5_ib_dbg(dev, "max_wr %d, cap %d\n",
		init_attr->attr.max_wr,
		max_srq_wqes);
		/* Sanity check SRQ and sge size before proceeding */
		if (init_attr->attr.max_wr >= max_srq_wqes \|\|
		init_attr->attr.max_sge > max_sge_sz) {
		mlx5_ib_dbg(dev, "max_wr %d,wr_cap %d,max_sge %d, sge_cap:%d\n",
		init_attr->attr.max_wr, max_srq_wqes,
		init_attr->attr.max_sge, max_sge_sz);
		return -EINVAL;
		}