On Sat, 30 Nov 2024 13:06:41 +0300, Dan Carpenter wrote: > In the expression "cmd.wqe_size * cmd.wr_count", both variables are u32 > values that come from the user so the multiplication can lead to integer > wrapping. Then we pass the result to uverbs_request_next_ptr() which also > could potentially wrap. The "cmd.sge_count * sizeof(struct ib_uverbs_sge)" > multiplication can also overflow on 32bit systems although it's fine on > 64bit systems. > > [...] Applied, thanks! [1/1] RDMA/uverbs: Prevent integer overflow issue https://git.kernel.org/rdma/rdma/c/d0257e089d1bbd Best regards, -- Leon Romanovsky <leon@xxxxxxxxxx>