> > 46
> > 47         cq->cqe = attr->cqe;
> > --> 48     err = mana_ib_create_queue(mdev, ucmd.buf_addr, cq->cqe * COMP_ENTRY_SIZE,
> >                                                           ^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > This can lead to integer wrapping.
> >
> > The call tree is:
> >
> > ib_uverbs_create_cq() <- copies cmd.cqe from the user
> > -> create_cq() calls (struct ib_device_ops)->create_cq()
> > -> mana_ib_create_cq()
> >
> > I'm not sure if this integer overflow has any negative effects. I
> > think it's probably fine?
>
> It is not nice and worth fixing, but technically it looks like size (cq->cqe *
> COMP_ENTRY_SIZE) is used to get UMEM memory, so we will allocate less
> than the driver would like to.
>
> Thanks

Thanks. I totally agree. I have already prepared a patch. Once it passes internal tests (in 4 hours), I will send it.

- Konstantin
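The wrap the thread describes, as an added userspace illustration that is not code from the mana_ib driver or from anyone in the thread: a user-controlled entry count is multiplied by the per-entry size in 32 bits, so a large count turns into a small byte count, which is the "allocate less than the driver would like" case. The checked variant uses `__builtin_mul_overflow`, the compiler builtin behind the kernel's `check_mul_overflow()`, plus an upper bound on the entry count. `COMP_ENTRY_SIZE` is set to 64 and `MAX_CQE` to 2^20 purely as placeholders for the demo; neither value is taken from the page, and `cq_size_unchecked`, `cq_size_checked`, `cq_size_or_err` and the constructed input are all hypothetical names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Placeholder for the demo: one completion-queue entry is 64 bytes.
 * The real COMP_ENTRY_SIZE is defined in the mana_ib headers, not here. */
#define COMP_ENTRY_SIZE 64u

/* Hypothetical cap on entries per CQ; a real driver would derive this
 * from the adapter's reported capabilities rather than a constant. */
#define MAX_CQE (1u << 20)

/*
 * Unchecked form, mirroring the expression smatch flagged: the product is
 * computed in 32 bits, so a large user-supplied cqe wraps to a small value.
 * unsigned arithmetic is used so the wrap is well defined in userspace; the
 * kernel is built with -fno-strict-overflow, so the driver's signed int
 * wraps the same way instead of being undefined.
 */
uint32_t cq_size_unchecked(uint32_t cqe)
{
	return cqe * COMP_ENTRY_SIZE;
}

/*
 * Checked form: reject a product that does not fit in 32 bits, then apply
 * the entry-count bound. Returns 0 and writes *size, or -EINVAL.
 */
int cq_size_checked(uint32_t cqe, uint32_t *size)
{
	uint32_t bytes;

	if (__builtin_mul_overflow(cqe, COMP_ENTRY_SIZE, &bytes))
		return -EINVAL;
	if (cqe == 0 || cqe > MAX_CQE)
		return -EINVAL;
	*size = bytes;
	return 0;
}

/* Convenience wrapper: the byte count on success, or a negative errno. */
long long cq_size_or_err(uint32_t cqe)
{
	uint32_t size;
	int err = cq_size_checked(cqe, &size);

	return err ? err : (long long)size;
}

int main(void)
{
	/* Constructed input: 0x04000001 entries * 64 = 0x100000040, which
	 * truncates to 0x40, i.e. a 64-byte buffer for 67,108,865 entries. */
	uint32_t hostile_cqe = 0x04000001u;

	printf("unchecked: cqe=%u -> %u bytes\n",
	       hostile_cqe, cq_size_unchecked(hostile_cqe));
	printf("checked:   cqe=%u -> %lld\n",
	       hostile_cqe, cq_size_or_err(hostile_cqe));
	printf("checked:   cqe=%u -> %lld bytes\n", 1024u, cq_size_or_err(1024u));
	return 0;
}
```

The unchecked call returns 64 for the hostile count, while the checked call returns -EINVAL; a normal request of 1024 entries yields 65536 bytes.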