Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

IB/hfi1: Stricter bounds checking of MAD trap index

The macro size is valid. This change makes it less ambiguous.
Bounds check trap type for better security.

Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Kamenee Arumugam <kamenee.arumugam@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>

Authored by Kamenee Arumugam and committed by Doug Ledford
ec0d8b8a 76ae6222

+13 -2
+12 -1
drivers/infiniband/hw/hfi1/mad.c
··· 151 151 unsigned long flags; 152 152 unsigned long timeout; 153 153 int found = 0; 154 + unsigned int queue_id; 155 + static int trap_count; 156 + 157 + queue_id = trap->data.generic_type & 0x0F; 158 + if (queue_id >= RVT_MAX_TRAP_LISTS) { 159 + trap_count++; 160 + pr_err_ratelimited("hfi1: Invalid trap 0x%0x dropped. Total dropped: %d\n", 161 + trap->data.generic_type, trap_count); 162 + kfree(trap); 163 + return NULL; 164 + } 154 165 155 166 /* 156 167 * Since the retry (handle timeout) does not remove a trap request 157 168 * from the list, all we have to do is compare the node. 158 169 */ 159 170 spin_lock_irqsave(&ibp->rvp.lock, flags); 160 - trap_list = &ibp->rvp.trap_lists[trap->data.generic_type & 0x0F]; 171 + trap_list = &ibp->rvp.trap_lists[queue_id]; 161 172 162 173 list_for_each_entry(node, &trap_list->list, list) { 163 174 if (node == trap) {
+1 -1
include/rdma/rdma_vt.h
··· 64 64 #define RVT_MAX_PKEY_VALUES 16 65 65 66 66 #define RVT_MAX_TRAP_LEN 100 /* Limit pending trap list */ 67 - #define RVT_MAX_TRAP_LISTS ((IB_NOTICE_TYPE_INFO & 0x0F) + 1) 67 + #define RVT_MAX_TRAP_LISTS 5 /*((IB_NOTICE_TYPE_INFO & 0x0F) + 1)*/ 68 68 #define RVT_TRAP_TIMEOUT 4096 /* 4.096 usec */ 69 69 70 70 struct trap_list {
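Review bot: In drivers/infiniband/hw/hfi1/mad.c, the new `static int trap_count;` is incremented in the early-return path, before `spin_lock_irqsave(&ibp->rvp.lock, flags)` is taken, so two callers dropping traps at the same time can race on the counter, and because it is function-static it is shared by every port rather than kept per `ibp`. Consider an `atomic_t` or a per-port counter updated under the lock, and make it unsigned so a long-running system does not print a negative total through `%d`. The format `0x%0x` has a zero flag with no width and so pads nothing; `0x%02x` is probably what was meant. The hunk also introduces a path that frees `trap` and returns NULL; the callers are not visible here, so please confirm each one checks the return value and does not touch `trap` afterwards.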
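Review bot: In include/rdma/rdma_vt.h, replacing the expression with a literal in `#define RVT_MAX_TRAP_LISTS 5 /*((IB_NOTICE_TYPE_INFO & 0x0F) + 1)*/` cuts the compile-time link to `IB_NOTICE_TYPE_INFO`, so a later change to the notice types would leave the list count, and the new bounds check in mad.c that depends on it, silently stale. If the literal is kept for readability, back it with a `BUILD_BUG_ON(RVT_MAX_TRAP_LISTS != (IB_NOTICE_TYPE_INFO & 0x0F) + 1)` in an init path instead of a commented-out expression, and add a short comment saying that the value is the number of notice types indexed by the low nibble of `generic_type`.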