212991 – A possible divide by zero in calc_sq_size

Bug 212991 - A possible divide by zero in calc_sq_size

Summary: A possible divide by zero in calc_sq_size

Status:	NEW

Alias:	None

Product:	Drivers
Classification:	Unclassified
Component:	Infiniband/RDMA (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	drivers_infiniband-rdma

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-05-08 10:41 UTC by YiyuanGUO
Modified:	2021-05-10 14:33 UTC (History)
CC List:	1 user (show)

See Also:
Kernel Version:	5.12.2
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description YiyuanGUO 2021-05-08 10:41:37 UTC

In the file drivers/infiniband/hw/mlx5/qp.c, the function calc_sq_size has the following code(link to code location: https://github.com/torvalds/linux/blob/master/drivers/infiniband/hw/mlx5/qp.c#L510):

static int calc_sq_size(struct mlx5_ib_dev *dev, struct ib_qp_init_attr *attr,
			struct mlx5_ib_qp *qp) {
   ...
   wqe_size = calc_send_wqe(attr);
   ...
   qp->sq.max_post = wq_size / wqe_size;
}


static int calc_send_wqe(struct ib_qp_init_attr *attr)
{
	int inl_size = 0;
	int size;

	size = sq_overhead(attr);
	if (size < 0)
		return size;

	if (attr->cap.max_inline_data) {
		inl_size = size + sizeof(struct mlx5_wqe_inline_seg) +
			attr->cap.max_inline_data;
	}

	size += attr->cap.max_send_sge * sizeof(struct mlx5_wqe_data_seg);
	if (attr->create_flags & IB_QP_CREATE_INTEGRITY_EN &&
	    ALIGN(max_t(int, inl_size, size), MLX5_SEND_WQE_BB) < MLX5_SIG_WQE_SIZE)
		return MLX5_SIG_WQE_SIZE;
	else
		return ALIGN(max_t(int, inl_size, size), MLX5_SEND_WQE_BB);
}

The function calc_send_wqe may return 0 (when attr->qp_type == IB_QPT_XRC_TGT && attr->cap.max_send_sge == 0), leading to a possible divide by zero problem.

Note You need to log in before you can comment on or make changes to this bug.