Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 19773539 authored by Roland Dreier's avatar Roland Dreier
Browse files

IB/mthca: Avoid integer overflow when dealing with profile size 



mthca_make_profile() returns the size in bytes of the HCA context
layout it creates, or a negative value if an error occurs.  However,
the return value is declared as u64 and the memfree initialization
path casts this value to int to test if it is negative.  This makes it
think incorrectly than an error has occurred if the context size
happens to be bigger than 2GB, since this turns into a negative int.

Fix this by having mthca_make_profile() return an s64 and testing
for an error by checking whether this 64-bit value itself is negative.

Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
parent f4f82994

drivers/infiniband/hw/mthca/mthca_main.c

+7 −4
Original line number Diff line number Diff line
@@ -276,6 +276,7 @@ static int mthca_dev_lim(struct mthca_dev *mdev, struct mthca_dev_lim *dev_lim) 


static int mthca_init_tavor(struct mthca_dev *mdev)

{

	s64 size;

	u8 status;

	int err;

	struct mthca_dev_lim        dev_lim;
@@ -328,9 +329,11 @@ static int mthca_init_tavor(struct mthca_dev *mdev) 
	if (mdev->mthca_flags & MTHCA_FLAG_SRQ)

		profile.num_srq = dev_lim.max_srqs;



	err = mthca_make_profile(mdev, &profile, &dev_lim, &init_hca);

	if (err < 0)

	size = mthca_make_profile(mdev, &profile, &dev_lim, &init_hca);

	if (size < 0) {

		err = size;

		goto err_disable;

	}



	err = mthca_INIT_HCA(mdev, &init_hca, &status);

	if (err) {
@@ -609,7 +612,7 @@ static int mthca_init_arbel(struct mthca_dev *mdev) 
	struct mthca_dev_lim        dev_lim;

	struct mthca_profile        profile;

	struct mthca_init_hca_param init_hca;

	u64 icm_size;

	s64 icm_size;

	u8 status;

	int err;
@@ -657,7 +660,7 @@ static int mthca_init_arbel(struct mthca_dev *mdev) 
		profile.num_srq = dev_lim.max_srqs;



	icm_size = mthca_make_profile(mdev, &profile, &dev_lim, &init_hca);

	if ((int) icm_size < 0) {

	if (icm_size < 0) {

		err = icm_size;

		goto err_stop_fw;

	}

drivers/infiniband/hw/mthca/mthca_profile.c

+2 −2
Original line number Diff line number Diff line
@@ -63,7 +63,7 @@ enum { 
	MTHCA_NUM_PDS = 1 << 15

};



u64 mthca_make_profile(struct mthca_dev *dev,

s64 mthca_make_profile(struct mthca_dev *dev,

		       struct mthca_profile *request,

		       struct mthca_dev_lim *dev_lim,

		       struct mthca_init_hca_param *init_hca)
@@ -77,7 +77,7 @@ u64 mthca_make_profile(struct mthca_dev *dev, 
	};



	u64 mem_base, mem_avail;

	u64 total_size = 0;

	s64 total_size = 0;

	struct mthca_resource *profile;

	struct mthca_resource tmp;

	int i, j;

drivers/infiniband/hw/mthca/mthca_profile.h

+1 −1
Original line number Diff line number Diff line
@@ -53,7 +53,7 @@ struct mthca_profile { 
	int fmr_reserved_mtts;

};



u64 mthca_make_profile(struct mthca_dev *mdev,

s64 mthca_make_profile(struct mthca_dev *mdev,

		       struct mthca_profile *request,

		       struct mthca_dev_lim *dev_lim,

		       struct mthca_init_hca_param *init_hca);