Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit aa0de36a authored by Leon Romanovsky's avatar Leon Romanovsky Committed by Doug Ledford
Browse files

RDMA/mlx5: Fix integer overflow while resizing CQ 



The user can provide very large cqe_size which will cause to integer
overflow as it can be seen in the following UBSAN warning:

Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
parent 6a21dfc0

drivers/infiniband/hw/mlx5/cq.c

+6 −1
Original line number Diff line number Diff line
@@ -1178,7 +1178,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq, 
	if (ucmd.reserved0 || ucmd.reserved1)

		return -EINVAL;



	umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size,

	/* check multiplication overflow */

	if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)

		return -EINVAL;



	umem = ib_umem_get(context, ucmd.buf_addr,

			   (size_t)ucmd.cqe_size * entries,

			   IB_ACCESS_LOCAL_WRITE, 1);

	if (IS_ERR(umem)) {

		err = PTR_ERR(umem);