git.baikalelectronics.ru Git - kernel.git/commit

author	Bernard Metzler <bmt@zurich.ibm.com>
	Tue, 15 Nov 2022 17:07:47 +0000 (18:07 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 18 Jan 2023 10:41:18 +0000 (11:41 +0100)
commit	cff1a55c2170e05e266b267642cbc2e30f2f7119
tree	2228f506126119e0f65d82923bc5070f190d0d42	tree \| snapshot
parent	5ca0ab9b876a57f78edf2b939aca3dfd26c1e30b	commit \| diff

RDMA/siw: Set defined status for work completion with undefined status

[ Upstream commit afc2de203f9af1dc6c88a1e31e80785458d25282 ]

A malicious user may write undefined values into memory mapped completion
queue elements status or opcode. Undefined status or opcode values will
result in out-of-bounds access to an array mapping siw internal
representation of opcode and status to RDMA core representation when
reaping CQ elements. While siw detects those undefined values, it did not
correctly set completion status to a defined value, thus defeating the
whole purpose of the check.

This bug leads to the following Smatch static checker warning:

drivers/infiniband/sw/siw/siw_cq.c:96 siw_reap_cqe()
error: buffer overflow 'map_cqe_status' 10 <= 21

Fixes: dea9bbff8155 ("RDMA/siw: Fix immediate work request flush to completion queue")
Link: https://lore.kernel.org/r/20221115170747.1263298-1-bmt@zurich.ibm.com
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>