diff options
| author | Leon Romanovsky <leonro@mellanox.com> | 2018-03-07 15:29:09 +0200 |
|---|---|---|
| committer | Sasha Levin <alexander.levin@microsoft.com> | 2018-03-20 23:49:49 -0400 |
| commit | fc0be83edd94e31303a8b1b89b4d624a8b99c28f (patch) | |
| tree | ccdcb17431c735f13e63a44d56331430de03e1cb /drivers | |
| parent | 7562b58c6ab6e852cae4f4bdf3c90de34d7f672a (diff) | |
RDMA/mlx5: Fix integer overflow while resizing CQ
[ Upstream commit aa0de36a40f446f5a21a7c1e677b98206e242edb ]
The user can provide very large cqe_size which will cause to integer
overflow as it can be seen in the following UBSAN warning:
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/infiniband/hw/mlx5/cq.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c index 2ee6b1051975..ca920c633f25 100644 --- a/drivers/infiniband/hw/mlx5/cq.c +++ b/drivers/infiniband/hw/mlx5/cq.c @@ -959,7 +959,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq, if (ucmd.reserved0 || ucmd.reserved1) return -EINVAL; - umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, + /* check multiplication overflow */ + if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) + return -EINVAL; + + umem = ib_umem_get(context, ucmd.buf_addr, + (size_t)ucmd.cqe_size * entries, IB_ACCESS_LOCAL_WRITE, 1); if (IS_ERR(umem)) { err = PTR_ERR(umem); |