summaryrefslogtreecommitdiff
path: root/drivers/infiniband/hw/hfi1
diff options
context:
space:
mode:
authorKamenee Arumugame <kamenee.arumugam@intel.com>2017-08-13 08:08:46 -0700
committerDoug Ledford <dledford@redhat.com>2017-08-22 14:22:37 -0400
commitec0d8b8a63ee760bca1bccc6769d6210e05ded29 (patch)
tree29e222aa1b4d09dedeea1692298674285d91dfec /drivers/infiniband/hw/hfi1
parent76ae6222a4a37098610c0601a814c9caba94ba0b (diff)
IB/hfi1: Stricter bounds checking of MAD trap index
The macro size is valid. This change makes it less ambiguous. Bounds check trap type for better security. Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com> Signed-off-by: Kamenee Arumugam <kamenee.arumugam@intel.com> Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com> Signed-off-by: Doug Ledford <dledford@redhat.com>
Diffstat (limited to 'drivers/infiniband/hw/hfi1')
-rw-r--r--drivers/infiniband/hw/hfi1/mad.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/hfi1/mad.c b/drivers/infiniband/hw/hfi1/mad.c
index 37b19bfae02a..661ba707fc60 100644
--- a/drivers/infiniband/hw/hfi1/mad.c
+++ b/drivers/infiniband/hw/hfi1/mad.c
@@ -151,13 +151,24 @@ static struct trap_node *check_and_add_trap(struct hfi1_ibport *ibp,
unsigned long flags;
unsigned long timeout;
int found = 0;
+ unsigned int queue_id;
+ static int trap_count;
+
+ queue_id = trap->data.generic_type & 0x0F;
+ if (queue_id >= RVT_MAX_TRAP_LISTS) {
+ trap_count++;
+ pr_err_ratelimited("hfi1: Invalid trap 0x%0x dropped. Total dropped: %d\n",
+ trap->data.generic_type, trap_count);
+ kfree(trap);
+ return NULL;
+ }
/*
* Since the retry (handle timeout) does not remove a trap request
* from the list, all we have to do is compare the node.
*/
spin_lock_irqsave(&ibp->rvp.lock, flags);
- trap_list = &ibp->rvp.trap_lists[trap->data.generic_type & 0x0F];
+ trap_list = &ibp->rvp.trap_lists[queue_id];
list_for_each_entry(node, &trap_list->list, list) {
if (node == trap) {