| From aea96c66364a617eeb5357d86cd60a202e304ea4 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 1 Jul 2025 14:40:17 +0000 |
| Subject: vfio/mlx5: fix possible overflow in tracking max message size |
| |
| From: Artem Sadovnikov <a.sadovnikov@ispras.ru> |
| |
| [ Upstream commit b3060198483bac43ec113c62ae3837076f61f5de ] |
| |
| MLX cap pg_track_log_max_msg_size consists of 5 bits, the value of which is |
| used as a power of 2 for max_msg_size. This can lead to a multiplication |
| overflow between max_msg_size (u32) and an integer constant, and afterwards |
| an incorrect value is being written to rq_size. |
| |
| Fix this issue by extending the integer constant to the u64 type. |
| |
| Found by Linux Verification Center (linuxtesting.org) with SVACE. |
| |
| Suggested-by: Alex Williamson <alex.williamson@redhat.com> |
| Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru> |
| Reviewed-by: Yishai Hadas <yishaih@nvidia.com> |
| Link: https://lore.kernel.org/r/20250701144017.2410-2-a.sadovnikov@ispras.ru |
| Signed-off-by: Alex Williamson <alex.williamson@redhat.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/vfio/pci/mlx5/cmd.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| diff --git a/drivers/vfio/pci/mlx5/cmd.c b/drivers/vfio/pci/mlx5/cmd.c |
| index 3f93b5c3f099..06794c48170c 100644 |
| --- a/drivers/vfio/pci/mlx5/cmd.c |
| +++ b/drivers/vfio/pci/mlx5/cmd.c |
| @@ -1127,8 +1127,8 @@ int mlx5vf_start_page_tracker(struct vfio_device *vdev, |
| log_max_msg_size = MLX5_CAP_ADV_VIRTUALIZATION(mdev, pg_track_log_max_msg_size); |
| max_msg_size = (1ULL << log_max_msg_size); |
| /* The RQ must hold at least 4 WQEs/messages for successful QP creation */ |
| - if (rq_size < 4 * max_msg_size) |
| - rq_size = 4 * max_msg_size; |
| + if (rq_size < 4ULL * max_msg_size) |
| + rq_size = 4ULL * max_msg_size; |
| |
| memset(tracker, 0, sizeof(*tracker)); |
| tracker->uar = mlx5_get_uars_page(mdev); |
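
Review bot: on the `rq_size = 4ULL * max_msg_size;` line, the widened product only survives if rq_size is itself at least 64 bits wide, and its declaration is outside this hunk, so please confirm the type. The commit message gives a 5-bit log_max_msg_size and a u32 max_msg_size, so max_msg_size can reach 1 << 31 and the product can reach 2^33; a 32-bit destination would truncate it again. The same expression now appears twice (comparison and assignment), so consider computing the minimum once into a u64 local, or using a max-style helper, so the two cannot drift apart. A few words in the existing comment on why the constant is ULL would also help keep a later cleanup from dropping the suffix.
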
| -- |
| 2.39.5 |
| |