Received: by 2002:ab2:6991:0:b0:1f7:f6c3:9cb1 with SMTP id v17csp413020lqo; Wed, 8 May 2024 03:53:52 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWtXyCgm2T0ZUWQ2E1iGN1QgKeMFtjD0ZELt8llfXgy7NSp0Lt6L6zj8FMTJ5Cs/SRtz1piypawrJStduGrVq+Hnfucao4g+sD4IGu+5Q== X-Google-Smtp-Source: AGHT+IGmTqBmXUAZaQZQv72jNgBGfDzuuRd1JBDPh43lwMl3fj1VPFoh1uOMow8wD2njsbNjRYR0 X-Received: by 2002:a17:902:db06:b0:1e3:cfc5:589e with SMTP id d9443c01a7336-1eeb07973e4mr27486915ad.64.1715165632307; Wed, 08 May 2024 03:53:52 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715165632; cv=pass; d=google.com; s=arc-20160816; b=dr4HhdlX2b69RoVzVpQFMYFG2yVoqNBu6RVUFeQE76Y5fI6rE62lydivKCi1LpP5dD il273YzNoyw/L3dB1irEbP337IqcLbAn1r/HVbz2Tj40gPFHONF27s/trQB8wD1HZX4C Xb1xGnuFkyUchFLbQR4wAGmjue+tAv9kSliaC48YdMIN59NPN2UTqm/VsdlvzVhiEkuZ 0/TLIMgq/+zagj+2rBQfpJn5jiHMKt09aQ01LLLO0GBSZqsSRrnTmmA4cms9sHmPDGUI TA17nnFGsa+JEzsAIf1sExT9sZW7UqJgKddOAaQ/zi1dhWb+4C1Ey8/13R/nKLIkVXF1 Ne4Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=VfVNQ1gPOnbrTrzSG4E66fGz4955NPz/TeNTCQqti1g=; fh=r50b18O6uFHpJYLPMXsnCZHFlVgfqi25g3kOlZ9D59M=; b=HmU6+eFIviPqmjIkGbCZCJ6FTQDrMYS9m3a9sSGs9Q3wfXUpmLS3IiH+Oq6cuUD+Kn rdwFtgiZC3PiPMJxdUR876kQyjqfbcSDzPZv4WreYOYouxNU8xGup9OKNdwHNNttLuL6 MUATKDDf96aklWmd5YPzUPLmUl53VsLIlCslndGKchAB1GbNsO3uecYqGLTzIW1KOC73 yvMACl+JeM7cAsdVeaNkQPXVFwnckF8Z5Us1aH2lSwLi0y9zT8YaA68Jtrh4fCsKs5mz d8AauIoVtbMIlU81ZqKfXixk10h40o5UebMq1AfYKog2nCdGqjPjUmDifo+g++4sazYt c61Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=txlVMkld; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-173088-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-173088-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id x9-20020a170902a38900b001ed3ad04f66si10383946pla.459.2024.05.08.03.53.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 08 May 2024 03:53:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-173088-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=txlVMkld; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-173088-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-173088-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id B3C07284097 for ; Wed, 8 May 2024 10:53:49 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 592C08174C; Wed, 8 May 2024 10:53:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="txlVMkld" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D00B7BAF0; Wed, 8 May 2024 10:53:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715165623; cv=none; b=l24uJY+xEVIA8f19XeX9giKyIEfE5GSpb9+IY8NPFNV/kIXWyAYDuXGhmEPzpifkoAasKqtiFlUmZZ2hGEx1Y5OKzCr+E5V/zW8cUlVkVdg4+0HnOAP2tqklSrswKAnDNJHDYu3fVnr7pTY+hj0tuGsffQOGdPH9EnRnP38S7J4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715165623; c=relaxed/simple; bh=KOQpHNBCks/LGlTh8RZWhS7DIBGluIXBODlbayuaLUk=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=IYDzkDfQTqDK5mCkL21gqwflkc6xpv1hiKc454lksqD8SGMbOlMIfEynRbl9p4oh8w6VIV2XzOUosX63cleUBu3+Jl1JGDyWpJqWpzziCZNa3p4xQPHsTqO0r+IAzD3A0Pn3u1espetFUKCIRkDuoDNewV7nncp3uLgB8YiylqM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=txlVMkld; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id E8872C3277B; Wed, 8 May 2024 10:53:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1715165623; bh=KOQpHNBCks/LGlTh8RZWhS7DIBGluIXBODlbayuaLUk=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=txlVMkldtVOKxjBZyZwaoLQITBKQ6iVwL4gwIkgEv4iIqPGm8u84Rdr+J94amJfPL n5GRy9ge8oW4FYpC5yNzq6M6fZKZrpoK7+oEcn3Ywb0z863HRMXpoaJYUJDxa+18mn bE+mZOx+FMyxxQ9k2WAXBnJN4T12z6DeeL7O/WLpzvX9t7BOZN9+IKsYJMYF2Pt61U zG6LpemxoeaLQvfXApuo2X8RSJNgCvtQw3U9eZRMTHiNMErhZGHUnEqGIGEU1aFe2P iCnotzac8QKl8ZtxZ8WpRPzb2l3I4xAZyz0uigS2ECjPdqhDmxKHHziWwbQRfYoGZe EwKanVAp582dw== Date: Wed, 8 May 2024 13:53:34 +0300 From: Leon Romanovsky To: Michal Schmidt Cc: Selvin Xavier , Jason Gunthorpe , Devesh Sharma , Naresh Kumar PBS , linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq Message-ID: <20240508105334.GD78961@unreal> References: <20240507103929.30003-1-mschmidt@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240507103929.30003-1-mschmidt@redhat.com> On Tue, May 07, 2024 at 12:39:28PM +0200, Michal Schmidt wrote: > Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called > with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. > In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. > roundup_pow_of_two is documented as undefined for 0. > > Fix it in the one caller that had this combination. > > The undefined behavior was detected by UBSAN: > UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 > shift exponent 64 is too large for 64-bit type 'long unsigned int' > CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4 > Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023 > Call Trace: > > dump_stack_lvl+0x5d/0x80 > ubsan_epilogue+0x5/0x30 > __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec > __roundup_pow_of_two+0x25/0x35 [bnxt_re] > bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re] > bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re] > bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re] > ? srso_alias_return_thunk+0x5/0xfbef5 > ? srso_alias_return_thunk+0x5/0xfbef5 > ? __kmalloc+0x1b6/0x4f0 > ? create_qp.part.0+0x128/0x1c0 [ib_core] > ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re] > create_qp.part.0+0x128/0x1c0 [ib_core] > ib_create_qp_kernel+0x50/0xd0 [ib_core] > create_mad_qp+0x8e/0xe0 [ib_core] > ? __pfx_qp_event_handler+0x10/0x10 [ib_core] > ib_mad_init_device+0x2be/0x680 [ib_core] > add_client_context+0x10d/0x1a0 [ib_core] > enable_device_and_get+0xe0/0x1d0 [ib_core] > ib_register_device+0x53c/0x630 [ib_core] > ? srso_alias_return_thunk+0x5/0xfbef5 > bnxt_re_probe+0xbd8/0xe50 [bnxt_re] > ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re] > auxiliary_bus_probe+0x49/0x80 > ? driver_sysfs_add+0x57/0xc0 > really_probe+0xde/0x340 > ? pm_runtime_barrier+0x54/0x90 > ? __pfx___driver_attach+0x10/0x10 > __driver_probe_device+0x78/0x110 > driver_probe_device+0x1f/0xa0 > __driver_attach+0xba/0x1c0 > bus_for_each_dev+0x8f/0xe0 > bus_add_driver+0x146/0x220 > driver_register+0x72/0xd0 > __auxiliary_driver_register+0x6e/0xd0 > ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] > bnxt_re_mod_init+0x3e/0xff0 [bnxt_re] > ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] > do_one_initcall+0x5b/0x310 > do_init_module+0x90/0x250 > init_module_from_file+0x86/0xc0 > idempotent_init_module+0x121/0x2b0 > __x64_sys_finit_module+0x5e/0xb0 > do_syscall_64+0x82/0x160 > ? srso_alias_return_thunk+0x5/0xfbef5 > ? syscall_exit_to_user_mode_prepare+0x149/0x170 > ? srso_alias_return_thunk+0x5/0xfbef5 > ? syscall_exit_to_user_mode+0x75/0x230 > ? srso_alias_return_thunk+0x5/0xfbef5 > ? do_syscall_64+0x8e/0x160 > ? srso_alias_return_thunk+0x5/0xfbef5 > ? __count_memcg_events+0x69/0x100 > ? srso_alias_return_thunk+0x5/0xfbef5 > ? count_memcg_events.constprop.0+0x1a/0x30 > ? srso_alias_return_thunk+0x5/0xfbef5 > ? handle_mm_fault+0x1f0/0x300 > ? srso_alias_return_thunk+0x5/0xfbef5 > ? do_user_addr_fault+0x34e/0x640 > ? srso_alias_return_thunk+0x5/0xfbef5 > ? srso_alias_return_thunk+0x5/0xfbef5 > entry_SYSCALL_64_after_hwframe+0x76/0x7e > RIP: 0033:0x7f4e5132821d > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 > RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 > RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d > RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b > RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0 > R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d > R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60 > > ---[ end trace ]--- > > Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") > Signed-off-by: Michal Schmidt > --- > drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c > index 439d0c7c5d0c..04258676d072 100644 > --- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c > +++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c > @@ -1013,7 +1013,8 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) > hwq_attr.stride = sizeof(struct sq_sge); > hwq_attr.depth = bnxt_qplib_get_depth(sq); > hwq_attr.aux_stride = psn_sz; > - hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode); > + hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode) > + : 0; Looks correct to me. Let's wait for Selvin to ack/nack it. Thanks > /* Update msn tbl size */ > if (BNXT_RE_HW_RETX(qp->dev_cap_flags) && psn_sz) { > hwq_attr.aux_depth = roundup_pow_of_two(bnxt_qplib_set_sq_size(sq, qp->wqe_mode)); > -- > 2.44.0 >