On Thu, Oct 07, 2010 at 09:16:10AM +0200, Dan Carpenter wrote:
> If we don't limit cmd.ne then the multiplications can overflow. This
> will allocate a small amount of RAM successfully for the "resp" and
> "wc" buffers. The heap will get corrupted when we call ib_poll_cq().

I think you could cap the number of returned entries to
UVERBS_MAX_NUM_ENTRIES rather than return EINVAL. That might be more
compatible with user space..

Jason
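
The two ways of bounding cmd.ne discussed in this thread, shown side by side as an added example that is not part of either message or of the kernel source. It assumes 32-bit size arithmetic; `struct demo_wc`, the value of `DEMO_MAX_NUM_ENTRIES` (a placeholder for UVERBS_MAX_NUM_ENTRIES, whose value is not given here) and all function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins: the real entry layout and limit are not on the page. */
struct demo_wc { uint8_t bytes[48]; };
#define DEMO_MAX_NUM_ENTRIES 1024u  /* placeholder for UVERBS_MAX_NUM_ENTRIES */

/* Unchecked sizing in 32-bit arithmetic: the product wraps for large ne,
 * so the allocation succeeds but is far smaller than ne entries. */
static uint32_t unchecked_size(uint32_t ne)
{
    return ne * (uint32_t)sizeof(struct demo_wc);
}

/* Option 1, the behaviour the reply attributes to the patch:
 * refuse an oversized request with EINVAL. */
static int size_reject(uint32_t ne, size_t *out)
{
    if (ne > DEMO_MAX_NUM_ENTRIES)
        return -EINVAL;
    *out = (size_t)ne * sizeof(struct demo_wc);
    return 0;
}

/* Option 2, the reply's suggestion: clamp the count, so the caller
 * simply gets fewer entries back than it asked for. */
static uint32_t size_clamp(uint32_t ne, size_t *out)
{
    if (ne > DEMO_MAX_NUM_ENTRIES)
        ne = DEMO_MAX_NUM_ENTRIES;
    *out = (size_t)ne * sizeof(struct demo_wc);
    return ne;  /* number of entries to actually poll for */
}

int main(void)
{
    uint32_t ne = 0x05555556u;  /* constructed: 48 * ne == 2^32 + 32 */
    size_t sz = 0;

    printf("unchecked: %u bytes for %u entries\n", unchecked_size(ne), ne);
    printf("reject:    %d\n", size_reject(ne, &sz));
    printf("clamp:     %u entries, ", size_clamp(ne, &sz));
    printf("%zu bytes\n", sz);
    return 0;
}
```

With the clamp, whatever count is passed on to the polling call must be the clamped value returned here, not the original request.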