summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorLeon Romanovsky <leonro@mellanox.com>2018-03-07 14:29:09 +0100
committerDoug Ledford <dledford@redhat.com>2018-03-07 21:23:43 +0100
commitaa0de36a40f446f5a21a7c1e677b98206e242edb (patch)
tree7696e6a93e1010bd05248b4b6c9bfa57189c9c21 /drivers
parentRDMA/ucma: Limit possible option size (diff)
downloadlinux-aa0de36a40f446f5a21a7c1e677b98206e242edb.tar.xz
linux-aa0de36a40f446f5a21a7c1e677b98206e242edb.zip
RDMA/mlx5: Fix integer overflow while resizing CQ
The user can provide very large cqe_size which will cause to integer overflow as it can be seen in the following UBSAN warning: Signed-off-by: Doug Ledford <dledford@redhat.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/infiniband/hw/mlx5/cq.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
index b5cfdaa9c7c8..15457c9569a7 100644
--- a/drivers/infiniband/hw/mlx5/cq.c
+++ b/drivers/infiniband/hw/mlx5/cq.c
@@ -1178,7 +1178,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq,
if (ucmd.reserved0 || ucmd.reserved1)
return -EINVAL;
- umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size,
+ /* check multiplication overflow */
+ if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)
+ return -EINVAL;
+
+ umem = ib_umem_get(context, ucmd.buf_addr,
+ (size_t)ucmd.cqe_size * entries,
IB_ACCESS_LOCAL_WRITE, 1);
if (IS_ERR(umem)) {
err = PTR_ERR(umem);