From: Yajun Deng
To: kurt.schwemmer@microsemi.com, logang@deltatee.com, jdmason@kudzu.us, dave.jiang@intel.com, allenbh@gmail.com
Cc: linux-pci@vger.kernel.org, ntb@lists.linux.dev, linux-kernel@vger.kernel.org, Yajun Deng
Subject: [PATCH] ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
Date: Wed, 16 Aug 2023 16:33:05 +0800
Message-Id: <20230816083305.1426718-1-yajun.deng@linux.dev>

There is a kernel API ntb_mw_clear_trans() that would pass 0 to both addr and
size. This would make xlate_pos negative.

[ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000
[ 23.734158] ================================================================================
[ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7
[ 23.734418] shift exponent -1 is negative

Ensure xlate_pos is positive or zero before BIT.

Fixes: 1e2fd202f859 ("ntb_hw_switchtec: Check for alignment of the buffer in mw_set_trans()")
Signed-off-by: Yajun Deng
Reviewed-by: Logan Gunthorpe
--- drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/n= tb_hw_switchtec.c index d6bbcc7b5b90..21468d4fef64 100644 --- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c +++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c 
@@ -288,7 +288,7 @@ static int switchtec_ntb_mw_set_trans(struct ntb_dev *n= tb, int pidx, int widx, if (size !=3D 0 && xlate_pos < 12) return -EINVAL; =20 - if (!IS_ALIGNED(addr, BIT_ULL(xlate_pos))) { + if (xlate_pos >=3D 0 && !IS_ALIGNED(addr, BIT_ULL(xlate_pos))) { /* * In certain circumstances we can get a buffer that is * not aligned to its size. (Most of the time --=20 2.25.1
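
Review bot: the new `xlate_pos >= 0` guard on the IS_ALIGNED() test does not say why xlate_pos can be negative at this point, and it expresses the condition differently from the check two lines above it, which keys on `size != 0`. Per the commit message the negative value arises only when ntb_mw_clear_trans() passes size 0, so writing the guard as `size != 0 && !IS_ALIGNED(addr, BIT_ULL(xlate_pos))` would mirror the preceding `size != 0 && xlate_pos < 12` test and make the intent obvious: for any non-zero size that reaches this line, xlate_pos is already at least 12. If `xlate_pos >= 0` is kept, extend the existing comment block (or add a one-line comment above the condition) noting that the clear path reaches here with addr 0 and size 0 and that the guard exists to avoid the undefined shift by -1 reported by UBSAN, not to change which buffers are treated as misaligned.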