github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-08 14:42:37 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
b6612a3dba
linux/include
History
Dan Carpenter 027253315d RDMA/uverbs: Prevent potential underflow 
[ Upstream commit a9018adfde ]

The issue is in drivers/infiniband/core/uverbs_std_types_cq.c in the
UVERBS_HANDLER(UVERBS_METHOD_CQ_CREATE) function.  We check that:

        if (attr.comp_vector >= attrs->ufile->device->num_comp_vectors) {

But we don't check if "attr.comp_vector" is negative.  It could
potentially lead to an array underflow.  My concern would be where
cq->vector is used in the create_cq() function from the cxgb4 driver.

And really "attr.comp_vector" is appears as a u32 to user space so that's
the right type to use.

Fixes: 9ee79fce36 ("IB/core: Add completion queue (cq) object actions")
Link: https://lore.kernel.org/r/20191011133419.GA22905@mwanda
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-11-12 19:20:58 +01:00
..
acpi ACPICA: ACPI 6.3: PPTT add additional fields in Processor Structure Flags 2019-10-17 13:45:33 -07:00
asm-generic asm-generic: fix -Wtype-limits compiler warnings 2019-08-25 10:47:58 +02:00
clocksource
crypto crypto: speck - remove Speck 2018-11-13 11:08:46 -08:00
drm drm/vblank: Allow dynamic per-crtc max_vblank_count 2019-09-16 08:22:04 +02:00
dt-bindings ARM: SoC: late updates 2018-08-25 14:12:36 -07:00
keys keys: Fix dependency loop between construction record and auth key 2019-03-23 20:09:48 +01:00
kvm KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block 2019-08-25 10:47:59 +02:00
linux mm: thp: handle page cache THP correctly in PageTransCompoundMap 2019-11-12 19:20:36 +01:00
math-emu
media media: cec/v4l2: move V4L2 specific CEC functions to V4L2 2019-09-16 08:21:46 +02:00
memory
misc
net netfilter: nf_tables: Align nft_expr private data to 64-bit 2019-11-12 19:20:41 +01:00
pcmcia pcmcia: remove long deprecated pcmcia_request_exclusive_irq() function 2018-08-18 12:30:42 -07:00
ras
rdma RDMA/uverbs: Prevent potential underflow 2019-11-12 19:20:58 +01:00
scsi scsi: core: save/restore command resid for error handling 2019-10-29 09:19:49 +01:00
soc soc: fsl: qbman: add APIs to retrieve the probing status 2018-09-27 15:43:35 -05:00
sound ASoC: Define a set of DAPM pre/post-up events 2019-10-11 18:20:47 +02:00
target scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long enough 2019-01-26 09:32:38 +01:00
trace rxrpc: Fix trace-after-put looking at the put peer record 2019-11-06 13:06:24 +01:00
uapi netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info 2019-09-21 07:16:55 +02:00
video udlfb: introduce a rendering mutex 2019-05-25 18:23:30 +02:00
xen xen/events: fix binding user event channels to cpus 2019-07-26 09:14:25 +02:00