RDMA/amso1100: Check for integer overflow in c2_alloc_cq_buf()

This is a static checker fix. The static checker says that q_size comes from the user and can be any 32 bit value. The call tree is: --> ib_uverbs_create_cq() --> c2_create_cq() --> c2_init_cq() Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Doug Ledford <dledford@redhat.com> Signed-off-by: N Roland Dreier <roland@purestorage.com>

RDMA/amso1100: Check for integer overflow in c2_alloc_cq_buf()
This is a static checker fix. The static checker says that q_size comes from the user and can be any 32 bit value. The call tree is: --> ib_uverbs_create_cq() --> c2_create_cq() --> c2_init_cq() Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Doug Ledford <dledford@redhat.com> Signed-off-by: N Roland Dreier <roland@purestorage.com>
859976da · Dan Carpenter · Roland Dreier · 64aa90f2 · 859976da
隐藏空白更改
内联并排

Showing with 5 addition and 2 deletion

drivers/infiniband/hw/amso1100/c2_cq.c drivers/infiniband/hw/amso1100/c2_cq.c +5 -2

未找到文件。
--- a/drivers/infiniband/hw/amso1100/c2_cq.c
+++ b/drivers/infiniband/hw/amso1100/c2_cq.c
@@ -260,11 +260,14 @@ static void c2_free_cq_buf(struct c2_dev *c2dev, struct c2_mq *mq)
 			  mq->msg_pool.host, dma_unmap_addr(mq, mapping));
 }

-static int c2_alloc_cq_buf(struct c2_dev *c2dev, struct c2_mq *mq, int q_size,
-			   int msg_size)
+static int c2_alloc_cq_buf(struct c2_dev *c2dev, struct c2_mq *mq,
+			   size_t q_size, size_t msg_size)
 {
 	u8 *pool_start;

+	if (q_size > SIZE_MAX / msg_size)
+		return -EINVAL;
+
 	pool_start = dma_alloc_coherent(&c2dev->pcidev->dev, q_size * msg_size,
 					&mq->host_dma, GFP_KERNEL);
 	if (!pool_start)