RDMA/umem: Fix potential addition overflow (c6ce5807) · Commits · e / devices / android_kernel_fairphone_FP5

drivers/infiniband/core/umem.c

+5 −3

Original line number	Diff line number	Diff line
		@@ -85,6 +85,7 @@ struct ib_umem ib_umem_get(struct ib_ucontext context, unsigned long addr,
		struct page **page_list;
		struct vm_area_struct **vma_list;
		unsigned long lock_limit;
		unsigned long new_pinned;
		unsigned long cur_base;
		struct mm_struct *mm;
		unsigned long npages;
		@@ -160,12 +161,13 @@ struct ib_umem ib_umem_get(struct ib_ucontext context, unsigned long addr,
		lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;

		down_write(&mm->mmap_sem);
		mm->pinned_vm += npages;
		if ((mm->pinned_vm > lock_limit) && !capable(CAP_IPC_LOCK)) {
		if (check_add_overflow(mm->pinned_vm, npages, &new_pinned) \|\|
		(new_pinned > lock_limit && !capable(CAP_IPC_LOCK))) {
		up_write(&mm->mmap_sem);
		ret = -ENOMEM;
		goto vma;
		goto out;
		}
		mm->pinned_vm = new_pinned;
		up_write(&mm->mmap_sem);

		cur_base = addr & PAGE_MASK;