
Commit ec0d8b8a authored by Kamenee Arumugame's avatar Kamenee Arumugame Committed by Doug Ledford

IB/hfi1: Stricter bounds checking of MAD trap index



The macro size is valid. This change makes it less ambiguous.
Bounds check trap type for better security.

Reviewed-by: default avatarMichael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: default avatarKamenee Arumugam <kamenee.arumugam@intel.com>
Signed-off-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
parent 76ae6222
+12 −1
@@ -151,13 +151,24 @@ static struct trap_node *check_and_add_trap(struct hfi1_ibport *ibp,
	unsigned long flags;
	unsigned long timeout;
	int found = 0;
	unsigned int queue_id;
	static int trap_count;

	queue_id = trap->data.generic_type & 0x0F;
	if (queue_id >= RVT_MAX_TRAP_LISTS) {
		trap_count++;
		pr_err_ratelimited("hfi1: Invalid trap 0x%0x dropped. Total dropped: %d\n",
				  trap->data.generic_type, trap_count);
		kfree(trap);
		return NULL;
	}

	/*
	 * Since the retry (handle timeout) does not remove a trap request
	 * from the list, all we have to do is compare the node.
	 */
	spin_lock_irqsave(&ibp->rvp.lock, flags);
	trap_list = &ibp->rvp.trap_lists[trap->data.generic_type & 0x0F];
	trap_list = &ibp->rvp.trap_lists[queue_id];

	list_for_each_entry(node, &trap_list->list, list) {
		if (node == trap) {
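Review bot: `trap_count` is a function-local `static int` that is incremented before `spin_lock_irqsave()` is taken, so callers running concurrently can race on it and the "Total dropped" figure in the log can be wrong; it is also a single counter shared by every port that goes through this function. An atomic counter avoids the race: declare `static atomic_t trap_count;` and pass `atomic_inc_return(&trap_count)` to `pr_err_ratelimited()`. The `0x%0x` conversion carries a zero flag with no width, so it pads nothing; `0x%02x` is probably what was meant. The new early return frees `trap` and returns NULL, so every caller has to treat NULL as "trap already freed"; those callers and the rest of `check_and_add_trap()` lie outside this hunk and should be checked against that contract.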
+1 −1
@@ -64,7 +64,7 @@
#define RVT_MAX_PKEY_VALUES 16

#define RVT_MAX_TRAP_LEN 100 /* Limit pending trap list */
#define RVT_MAX_TRAP_LISTS ((IB_NOTICE_TYPE_INFO & 0x0F) + 1)
#define RVT_MAX_TRAP_LISTS 5 /*((IB_NOTICE_TYPE_INFO & 0x0F) + 1)*/
#define RVT_TRAP_TIMEOUT 4096 /* 4.096 usec */

struct trap_list {
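Review bot: The literal `5` in `RVT_MAX_TRAP_LISTS` is no longer tied to `IB_NOTICE_TYPE_INFO`, and the expression it replaces survives only as commented-out code, so a later change to the notice types would leave this limit, and the `queue_id >= RVT_MAX_TRAP_LISTS` check added in the other file of this commit, silently out of step. State the derivation in words rather than as dead code, e.g. `#define RVT_MAX_TRAP_LISTS 5 /* (IB_NOTICE_TYPE_INFO & 0x0F) + 1, checked at build time */`. Then pin the relation where both headers are visible with `BUILD_BUG_ON(RVT_MAX_TRAP_LISTS != (IB_NOTICE_TYPE_INFO & 0x0F) + 1);`. The declaration of the `trap_lists` array is not shown here, so confirm that it is sized by this macro.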