diff options
author | Kamenee Arumugame <kamenee.arumugam@intel.com> | 2017-08-13 08:08:46 -0700 |
---|---|---|
committer | Doug Ledford <dledford@redhat.com> | 2017-08-22 14:22:37 -0400 |
commit | ec0d8b8a63ee760bca1bccc6769d6210e05ded29 (patch) | |
tree | 29e222aa1b4d09dedeea1692298674285d91dfec /drivers/infiniband/hw/hfi1 | |
parent | 76ae6222a4a37098610c0601a814c9caba94ba0b (diff) |
IB/hfi1: Stricter bounds checking of MAD trap index
The macro size is valid. This change makes it less ambiguous.
Bounds check trap type for better security.
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Kamenee Arumugam <kamenee.arumugam@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Diffstat (limited to 'drivers/infiniband/hw/hfi1')
-rw-r--r-- | drivers/infiniband/hw/hfi1/mad.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/hfi1/mad.c b/drivers/infiniband/hw/hfi1/mad.c index 37b19bfae02a..661ba707fc60 100644 --- a/drivers/infiniband/hw/hfi1/mad.c +++ b/drivers/infiniband/hw/hfi1/mad.c @@ -151,13 +151,24 @@ static struct trap_node *check_and_add_trap(struct hfi1_ibport *ibp, unsigned long flags; unsigned long timeout; int found = 0; + unsigned int queue_id; + static int trap_count; + + queue_id = trap->data.generic_type & 0x0F; + if (queue_id >= RVT_MAX_TRAP_LISTS) { + trap_count++; + pr_err_ratelimited("hfi1: Invalid trap 0x%0x dropped. Total dropped: %d\n", + trap->data.generic_type, trap_count); + kfree(trap); + return NULL; + } /* * Since the retry (handle timeout) does not remove a trap request * from the list, all we have to do is compare the node. */ spin_lock_irqsave(&ibp->rvp.lock, flags); - trap_list = &ibp->rvp.trap_lists[trap->data.generic_type & 0x0F]; + trap_list = &ibp->rvp.trap_lists[queue_id]; list_for_each_entry(node, &trap_list->list, list) { if (node == trap) { |