Dan Carpenter 027253315d RDMA/uverbs: Prevent potential underflow ... [ Upstream commit a9018adfde ] The issue is in drivers/infiniband/core/uverbs_std_types_cq.c in the UVERBS_HANDLER(UVERBS_METHOD_CQ_CREATE) function. We check that: if (attr.comp_vector >= attrs->ufile->device->num_comp_vectors) { But we don't check if "attr.comp_vector" is negative. It could potentially lead to an array underflow. My concern would be where cq->vector is used in the create_cq() function from the cxgb4 driver. And really "attr.comp_vector" is appears as a u32 to user space so that's the right type to use. Fixes: 9ee79fce36 ("IB/core: Add completion queue (cq) object actions") Link: https://lore.kernel.org/r/20191011133419.GA22905@mwanda Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Jason Gunthorpe <jgg@mellanox.com> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> Signed-off-by: Sasha Levin <sashal@kernel.org>		2019-11-12 19:20:58 +01:00
..
ib.h	RDMA/core: Return bool instead of int	2018-07-30 20:49:04 -06:00
ib_addr.h	RDMA/core: Constify dst_addr argument	2018-07-30 20:49:04 -06:00
ib_cache.h	RDMA/smc: Replace ib_query_gid with rdma_get_gid_attr	2018-08-17 16:45:51 -06:00
ib_cm.h	RDMA/cma: Constify path record, ib_cm_event, listen_id pointers	2018-07-30 20:49:04 -06:00
ib_fmr_pool.h
ib_hdrs.h	IB/hfi1: Remove unnecessary fecn and becn fields	2018-02-01 15:43:29 -07:00
ib_mad.h	RDMA: Fix storage of PortInfo CapabilityMask in the kernel	2018-07-10 11:06:45 -06:00
ib_marshall.h	IB/core: Convert ah_attr from OPA to IB when copying to user	2017-08-08 14:47:18 -04:00
ib_pack.h	IB/core: Fix calculation of maximum RoCE MTU	2017-10-18 12:11:36 -04:00
ib_pma.h	IB/core: Display extended counter set if available	2015-12-23 15:58:30 -05:00
ib_sa.h	IB/cm: Replace members of sa_path_rec with 'struct sgid_attr *'	2018-06-25 14:19:57 -06:00
ib_smi.h	IB/core: Move SM class defines from ib_mad.h to ib_smi.h	2015-09-03 15:50:32 -04:00
ib_umem.h	IB/umem: Use the correct mm during ib_umem_release	2018-05-15 17:09:10 -06:00
ib_umem_odp.h	mm, oom: distinguish blockable mode for mmu notifiers	2018-08-22 10:52:44 -07:00
ib_verbs.h	RDMA/uverbs: Prevent potential underflow	2019-11-12 19:20:58 +01:00
iw_cm.h	rdma_cm: add rdma_reject_msg() helper function	2016-12-14 11:38:28 -05:00
iw_portmap.h
mr_pool.h	IB/core: add a simple MR pool	2016-05-13 13:37:18 -04:00
opa_addr.h	include/rdma/opa_addr.h: Fix an endianness issue	2018-07-03 14:11:34 -06:00
opa_port_info.h	IB/hfi1: Virtual Network Interface Controller (VNIC) HW support	2017-04-20 15:19:35 -04:00
opa_smi.h	IB/mad: Eliminate redundant SM class version defines for OPA	2016-12-14 11:01:58 -05:00
opa_vnic.h	IB/hfi1: Add support to receive 16B bypass packets	2017-08-22 14:22:37 -04:00
rdma_cm.h	RDMA/core: Constify dst_addr argument	2018-07-30 20:49:04 -06:00
rdma_cm_ib.h	RDMA/{cma, ucma}: Simplify and rename rdma_set_ib_paths	2018-01-10 22:00:33 -07:00
rdma_netlink.h	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
rdma_vt.h	IB/{hfi1, rdmavt, qib}: Implement CQ completion vector support	2018-05-09 15:53:30 -04:00
rdmavt_cq.h	IB/{hfi1, rdmavt, qib}: Implement CQ completion vector support	2018-05-09 15:53:30 -04:00
rdmavt_mr.h	IB/rdmavt: Handle dereg of inuse MRs properly	2017-08-28 19:12:31 -04:00
rdmavt_qp.h	IB/rdmavt, IB/hfi1: Create device dependent s_flags	2018-06-19 11:49:46 -06:00
restrack.h	RDMA/restrack: Change SPDX tag to properly reflect license	2018-06-05 14:04:20 -06:00
rw.h	rdma core: Add rdma_rw_mr_payload()	2017-09-05 15:15:30 -04:00
uverbs_ioctl.h	IB/uverbs: Remove struct uverbs_root_spec and all supporting code	2018-08-13 09:17:19 -06:00
uverbs_named_ioctl.h	IB/mlx5: Introduce driver create and destroy flow methods	2018-07-24 14:03:49 -06:00
uverbs_std_types.h	IB/uverbs: Use uverbs_api to manage the object type inside the uobject	2018-08-10 16:06:24 -06:00
uverbs_types.h	IB/uverbs: Use uverbs_api to manage the object type inside the uobject	2018-08-10 16:06:24 -06:00