Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3545795pxj;
        Mon, 24 May 2021 09:05:10 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwajcC4ExtWSconBFo++oT6e/ZQPQQh7z8enJej416vBtu7ulvLfcsGYS8MjDmtHD+wNe+Z
X-Received: by 2002:a05:6e02:ca7:: with SMTP id 7mr14960651ilg.210.1621872310258;
        Mon, 24 May 2021 09:05:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1621872310; cv=none;
        d=google.com; s=arc-20160816;
        b=AcOCeHjAX5CiiOVBqmuFfZb4IYRhrrbNqT5TvflYTPKxaQlrwWBUU7tGHEowmdqYsT
         dI6N5PSMV3G9Vw2eM2hJqsO3o7oAyR2WJdUlbnNuhPw0Kdg3sGkbHkLM7p/Jo/+ri6qV
         5xQc4jDfTkQ6l+KWbAqXoMth1LlVD+FXj0r8CyJ5zbrEQbHOJW+JRtsLTc9fYOOx3XMm
         JSQ8RIPEH54BoGN680LchkyEBkV/DWhfTxXH1QLvz0LBBnW4GFXJwb+8MOnuM91tOYGQ
         1e/dK0uUJV9ObudoCl27ci7a9FJZ3jd9HeRHjllweSD6CLNAyudr1tU0kaQKhJnwHpb7
         p2qQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=rOxgJBSQApzVf70z3fDm7zAZfnIY6TVwa7J0hQrjLKw=;
        b=ioa4+UB2GZKX9pNdrkDyig3u0EggVzOiqZ8wXf5l/+031+xd2aisIywvA5eOBpaRIF
         qNQgJwzDY2+pE4VKw8X1lqKwruEHQwhPDS52hozmesfHTGGJ9BWKMDCkqRQ60FdWd6sJ
         oAi9hU1h4vKHgR+LM0F+zZMBuRmx+FpxSpwpH1b+kmvNPGllfYO4hpnGvbFtTFG5/nUJ
         jKwITpWDVfFUt/6dT/p6gJUEzCZ9v+gr43b0sMUy2tcGem8ZZKv6tS6L6C/wkIAwWA7n
         NK/UEELCgAe/mRiTzru3QZm/W7fEtqdvSChOwJwFy7lddffnQ2Kt2cQC1QIONaHzq+L8
         0sIg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=RvpJcJ8Q;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id k64si14352424iof.43.2021.05.24.09.04.49;
        Mon, 24 May 2021 09:05:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=RvpJcJ8Q;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236335AbhEXQEN (ORCPT <rfc822;lstoakes@gmail.com> + 99 others);
        Mon, 24 May 2021 12:04:13 -0400
Received: from mail.kernel.org ([198.145.29.99]:43814 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S234769AbhEXP50 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 24 May 2021 11:57:26 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id B33D461952;
        Mon, 24 May 2021 15:43:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1621871016;
        bh=g4WznfC1RMud/RVC4tEowcseFD//o/MAWnIuwiNWWSA=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=RvpJcJ8QvGn/KzgY8DDk77QNT3g5kGJQ/p8Is2qKawvIxPoZVeFnNGLqxv68R/Owj
         3PmH7x/3e3XExwnjvMHES6lujEt/WiA3iwqZ0dJSSxQhOFu+gJwYoWfc9+f1n7cfkM
         XV1qprxreLgQ8VVEO3f1TX3WLvpuolY4AUjd/Xvo=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Jason Gunthorpe <jgg@nvidia.com>,
        Leon Romanovsky <leonro@nvidia.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.12 007/127] RDMA/core: Prevent divide-by-zero error triggered by the user
Date:   Mon, 24 May 2021 17:25:24 +0200
Message-Id: <20210524152335.108504796@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210524152334.857620285@linuxfoundation.org>
References: <20210524152334.857620285@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Leon Romanovsky <leonro@nvidia.com>

[ Upstream commit 54d87913f147a983589923c7f651f97de9af5be1 ]

The user_entry_size is supplied by the user and later used as a
denominator to calculate number of entries. The zero supplied by the user
will trigger the following divide-by-zero error:

 divide error: 0000 [#1] SMP KASAN PTI
 CPU: 4 PID: 497 Comm: c_repro Not tainted 5.13.0-rc1+ #281
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_GID_TABLE+0x1b1/0x510
 Code: 87 59 03 00 00 e8 9f ab 1e ff 48 8d bd a8 00 00 00 e8 d3 70 41 ff 44 0f b7 b5 a8 00 00 00 e8 86 ab 1e ff 31 d2 4c 89 f0 31 ff <49> f7 f5 48 89 d6 48 89 54 24 10 48 89 04 24 e8 1b ad 1e ff 48 8b
 RSP: 0018:ffff88810416f828 EFLAGS: 00010246
 RAX: 0000000000000008 RBX: 1ffff1102082df09 RCX: ffffffff82183f3d
 RDX: 0000000000000000 RSI: ffff888105f2da00 RDI: 0000000000000000
 RBP: ffff88810416fa98 R08: 0000000000000001 R09: ffffed102082df5f
 R10: ffff88810416faf7 R11: ffffed102082df5e R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000008 R15: ffff88810416faf0
 FS:  00007f5715efa740(0000) GS:ffff88811a700000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000020000840 CR3: 000000010c2e0001 CR4: 0000000000370ea0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  ? ib_uverbs_handler_UVERBS_METHOD_INFO_HANDLES+0x4b0/0x4b0
  ib_uverbs_cmd_verbs+0x1546/0x1940
  ib_uverbs_ioctl+0x186/0x240
  __x64_sys_ioctl+0x38a/0x1220
  do_syscall_64+0x3f/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 9f85cbe50aa0 ("RDMA/uverbs: Expose the new GID query API to user space")
Link: https://lore.kernel.org/r/b971cc70a8b240a8b5eda33c99fa0558a0071be2.1620657876.git.leonro@nvidia.com
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/core/uverbs_std_types_device.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/infiniband/core/uverbs_std_types_device.c b/drivers/infiniband/core/uverbs_std_types_device.c
index 9ec6971056fa..a03021d94e11 100644
--- a/drivers/infiniband/core/uverbs_std_types_device.c
+++ b/drivers/infiniband/core/uverbs_std_types_device.c
@@ -331,6 +331,9 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QUERY_GID_TABLE)(
 	if (ret)
 		return ret;
 
+	if (!user_entry_size)
+		return -EINVAL;
+
 	max_entries = uverbs_attr_ptr_get_array_size(
 		attrs, UVERBS_ATTR_QUERY_GID_TABLE_RESP_ENTRIES,
 		user_entry_size);
-- 
2.30.2