Commit 028fcce3 authored by: Doug Ledford, committer: Xie XiuQi

RDMA/umem: Fix potential addition overflow

mainline inclusion
from mainline-4.20-rc1
commit c6ce5807
category: bugfix
bugzilla: 6452
CVE: NA

--------------------------

Since Virtual Lanes BCT credits and MTU are set through separate MADs, we
Given a large enough memory allocation, it is possible to wrap the
pinned_vm counter.  Check for addition overflow to prevent such
eventualities.

Fixes: 40ddacf2 ("RDMA/umem: Don't hold mmap_sem for too long")
Reported-by: Jason Gunthorpe <jgg@ziepe.ca>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Parent 071f5d01
......@@ -85,6 +85,7 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
struct page **page_list;
struct vm_area_struct **vma_list;
unsigned long lock_limit;
unsigned long new_pinned;
unsigned long cur_base;
unsigned long npages;
int ret;
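Review bot: the new local `unsigned long new_pinned;` has to match the type of both values it is combined with in the next hunk, because check_add_overflow() requires its two inputs and its result pointer to share one type. npages is unsigned long in this same declaration list; please confirm that current->mm->pinned_vm is too, since its declaration is not visible in the patch.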
......@@ -148,12 +149,13 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
down_write(&current->mm->mmap_sem);
current->mm->pinned_vm += npages;
if ((current->mm->pinned_vm > lock_limit) && !capable(CAP_IPC_LOCK)) {
if (check_add_overflow(current->mm->pinned_vm, npages, &new_pinned) ||
(new_pinned > lock_limit && !capable(CAP_IPC_LOCK))) {
up_write(&current->mm->mmap_sem);
ret = -ENOMEM;
goto vma;
goto out;
}
current->mm->pinned_vm = new_pinned;
up_write(&current->mm->mmap_sem);
cur_base = addr & PAGE_MASK;
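Review bot: the failure branch switches its target from `goto vma;` to `goto out;`, and neither the hunk nor the commit message says why. With the counter now written only by `current->mm->pinned_vm = new_pinned;` after the check passes, a rejected request must skip any cleanup that subtracts the pages from pinned_vm, otherwise the counter would drop below its real value; please state in the commit message that `out` bypasses that rollback. It is also worth a sentence that a wrapped sum is refused even when capable(CAP_IPC_LOCK) is true, since check_add_overflow() sits outside the capability test.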
......
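The wrap described in the commit message, shown as an added example that is not part of the commit or the kernel source: a user-space C model of the add-then-compare order next to the check-then-commit order. `struct acct`, `charge_old()`, `charge_new()` and all values are constructed for illustration, and the GCC/Clang builtin `__builtin_add_overflow()` stands in for the kernel's `check_add_overflow()`.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the accounting; all names here are hypothetical. */
struct acct {
    unsigned long pinned_vm;   /* pages already pinned */
    unsigned long lock_limit;  /* RLIMIT_MEMLOCK expressed in pages */
    bool ipc_lock;             /* stands in for capable(CAP_IPC_LOCK) */
};

/* Add first, compare afterwards. Returns 0 on accept, -1 on reject.
 * Rollback of the counter on reject is not modeled. */
int charge_old(struct acct *a, unsigned long npages)
{
    a->pinned_vm += npages;    /* unsigned add may wrap past ULONG_MAX */
    if (a->pinned_vm > a->lock_limit && !a->ipc_lock)
        return -1;
    return 0;
}

/* Compute into a temporary, reject on wrap or on limit, and commit the
 * new value only when the request is accepted. */
int charge_new(struct acct *a, unsigned long npages)
{
    unsigned long new_pinned;

    if (__builtin_add_overflow(a->pinned_vm, npages, &new_pinned) ||
        (new_pinned > a->lock_limit && !a->ipc_lock))
        return -1;
    a->pinned_vm = new_pinned;
    return 0;
}

int main(void)
{
    /* Constructed values: 100 pages pinned, limit of 16384 pages. */
    struct acct before = { 100, 16384, false }, after = before;
    unsigned long huge = ULONG_MAX - 50;   /* 100 + huge wraps to 49 */
    int r_old = charge_old(&before, huge);
    int r_new = charge_new(&after, huge);

    printf("old: ret=%d pinned_vm=%lu\n", r_old, before.pinned_vm);
    printf("new: ret=%d pinned_vm=%lu\n", r_new, after.pinned_vm);
    return 0;
}
```

In the old order the wrapped sum is small, so the limit comparison passes and the counter ends up lower than before the request; in the new order the request is refused and the counter is unchanged.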