diff options
author | Leon Romanovsky <leonro@mellanox.com> | 2018-03-07 15:29:09 +0200 |
---|---|---|
committer | Doug Ledford <dledford@redhat.com> | 2018-03-07 15:23:43 -0500 |
commit | aa0de36a40f446f5a21a7c1e677b98206e242edb (patch) | |
tree | 7696e6a93e1010bd05248b4b6c9bfa57189c9c21 /drivers/infiniband/hw/mlx5/cq.c | |
parent | 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c (diff) | |
download | op-kernel-dev-aa0de36a40f446f5a21a7c1e677b98206e242edb.zip op-kernel-dev-aa0de36a40f446f5a21a7c1e677b98206e242edb.tar.gz |
RDMA/mlx5: Fix integer overflow while resizing CQ
The user can provide very large cqe_size which will cause to integer
overflow as it can be seen in the following UBSAN warning:
Signed-off-by: Doug Ledford <dledford@redhat.com>
Diffstat (limited to 'drivers/infiniband/hw/mlx5/cq.c')
-rw-r--r-- | drivers/infiniband/hw/mlx5/cq.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c index b5cfdaa..15457c9 100644 --- a/drivers/infiniband/hw/mlx5/cq.c +++ b/drivers/infiniband/hw/mlx5/cq.c @@ -1178,7 +1178,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq, if (ucmd.reserved0 || ucmd.reserved1) return -EINVAL; - umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, + /* check multiplication overflow */ + if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) + return -EINVAL; + + umem = ib_umem_get(context, ucmd.buf_addr, + (size_t)ucmd.cqe_size * entries, IB_ACCESS_LOCAL_WRITE, 1); if (IS_ERR(umem)) { err = PTR_ERR(umem); |