From: Sebastian Sanchez <sebastian.sanchez@xxxxxxxxx> The driver crashes when loaded with parameter rcvhdrcnt=2097152. The root cause was that rcvhdrcnt was initially a 32 bit variable and its value was assigned to a 16 bit variable, truncating the upper 16 bits. This patch prevents the user from passing a value for rcvhdrcnt greater than 16352 (Maximum number for rcvhdrcnt). Reviewed-by: Dean Luick <dean.luick@xxxxxxxxx> Reviewed-by: Mitko Haralanov <mitko.haralanov@xxxxxxxxx> Signed-off-by: Sebastian Sanchez <sebastian.sanchez@xxxxxxxxx> Signed-off-by: Jubin John <jubin.john@xxxxxxxxx> --- drivers/staging/rdma/hfi1/init.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/drivers/staging/rdma/hfi1/init.c b/drivers/staging/rdma/hfi1/init.c index 6ddf3c8..eec9130 100644 --- a/drivers/staging/rdma/hfi1/init.c +++ b/drivers/staging/rdma/hfi1/init.c @@ -77,6 +77,7 @@ #define HFI1_MIN_USER_CTXT_BUFCNT 7 #define HFI1_MIN_HDRQ_EGRBUF_CNT 2 +#define HFI1_MAX_HDRQ_EGRBUF_CNT 16352 #define HFI1_MIN_EAGER_BUFFER_SIZE (4 * 1024) /* 4KB */ #define HFI1_MAX_EAGER_BUFFER_SIZE (256 * 1024) /* 256KB */ @@ -1355,6 +1356,13 @@ static int init_one(struct pci_dev *pdev, const struct pci_device_id *ent) ret = -EINVAL; goto bail; } + if (rcvhdrcnt > HFI1_MAX_HDRQ_EGRBUF_CNT) { + hfi1_early_err(&pdev->dev, + "Receive header queue count cannot be greater than %u\n", + HFI1_MAX_HDRQ_EGRBUF_CNT); + ret = -EINVAL; + goto bail; + } /* use the encoding function as a sanitization check */ if (!encode_rcv_header_entry_size(hfi1_hdrq_entsize)) { hfi1_early_err(&pdev->dev, "Invalid HdrQ Entry size %u\n", -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html