mirror of https://github.com/torvalds/linux.git
a9018adfde
The issue is in drivers/infiniband/core/uverbs_std_types_cq.c in the
UVERBS_HANDLER(UVERBS_METHOD_CQ_CREATE) function. We check that:
if (attr.comp_vector >= attrs->ufile->device->num_comp_vectors) {
But we don't check if "attr.comp_vector" is negative. It could
potentially lead to an array underflow. My concern would be where
cq->vector is used in the create_cq() function from the cxgb4 driver.
And really "attr.comp_vector" is appears as a u32 to user space so that's
the right type to use.
Fixes:
|
||
|---|---|---|
| .. | ||
| ib.h | ||
| ib_addr.h | ||
| ib_cache.h | ||
| ib_cm.h | ||
| ib_fmr_pool.h | ||
| ib_hdrs.h | ||
| ib_mad.h | ||
| ib_marshall.h | ||
| ib_pack.h | ||
| ib_pma.h | ||
| ib_sa.h | ||
| ib_smi.h | ||
| ib_umem.h | ||
| ib_umem_odp.h | ||
| ib_verbs.h | ||
| iw_cm.h | ||
| iw_portmap.h | ||
| mr_pool.h | ||
| opa_addr.h | ||
| opa_port_info.h | ||
| opa_smi.h | ||
| opa_vnic.h | ||
| rdma_cm.h | ||
| rdma_cm_ib.h | ||
| rdma_counter.h | ||
| rdma_netlink.h | ||
| rdma_vt.h | ||
| rdmavt_cq.h | ||
| rdmavt_mr.h | ||
| rdmavt_qp.h | ||
| restrack.h | ||
| rw.h | ||
| signature.h | ||
| tid_rdma_defs.h | ||
| uverbs_ioctl.h | ||
| uverbs_named_ioctl.h | ||
| uverbs_std_types.h | ||
| uverbs_types.h | ||