My static checker says this multiplication can overflow. I'm not an
expert in this code but the call tree would be:
ib_uverbs_handler_UVERBS_METHOD_QP_CREATE() <- reads cap from the user
-> ib_create_qp_user()
-> create_qp()
-> mana_ib_create_qp()
-> mana_ib_create_ud_qp()
-> create_shadow_queue()
It can't hurt to use safer interfaces.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: c8017f5b4856 ("RDMA/mana_ib: UD/GSI work requests")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
There seems to be another integer overflow bug in mana_ib_queue_size() as
well? It's basically the exact same issue. Maybe we could put a cap on
attr->cap.max_send/recv_wr at a lower level. Maybe there already is some
bounds checking that I have missed...
drivers/infiniband/hw/mana/shadow_queue.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/mana/shadow_queue.h b/drivers/infiniband/hw/mana/shadow_queue.h
index d8bfb4c712d5..a4b3818f9c39 100644
--- a/drivers/infiniband/hw/mana/shadow_queue.h
+++ b/drivers/infiniband/hw/mana/shadow_queue.h
@@ -40,7 +40,7 @@ struct shadow_queue {
static inline int create_shadow_queue(struct shadow_queue *queue, uint32_t length, uint32_t stride)
{
- queue->buffer = kvmalloc(length * stride, GFP_KERNEL);
+ queue->buffer = kvmalloc_array(length, stride, GFP_KERNEL);
if (!queue->buffer)
return -ENOMEM;
--
2.47.2
