Hello Mitko Haralanov,

The patch a74d5307caba: "IB/hfi1: Rework fault injection machinery"
from May 2, 2018, leads to the following static checker warning:

    drivers/infiniband/hw/hfi1/fault.c:183 fault_opcodes_write()
    error: passing untrusted data 'i' to 'clear_bit()'

drivers/infiniband/hw/hfi1/fault.c
   144          if (copy_from_user(data, buf, copy))
   145                  return -EFAULT;
   146
   147          ret = debugfs_file_get(file->f_path.dentry);
   148          if (unlikely(ret))
   149                  return ret;
   150          ptr = data;
   151          token = ptr;
   152          for (ptr = data; *ptr; ptr = end + 1, token = ptr) {
   153                  char *dash;
   154                  unsigned long range_start, range_end, i;
   155                  bool remove = false;
   156
   157                  end = strchr(ptr, ',');
   158                  if (end)
   159                          *end = '\0';
   160                  if (token[0] == '-') {
   161                          remove = true;
   162                          token++;
   163                  }
   164                  dash = strchr(token, '-');
   165                  if (dash)
   166                          *dash = '\0';
   167                  if (kstrtoul(token, 0, &range_start))
                                               ^^^^^^^^^^^^
Smatch marks this as untrusted

   168                          break;
   169                  if (dash) {
   170                          token = dash + 1;
   171                          if (kstrtoul(token, 0, &range_end))
                                                       ^^^^^^^^^^
and this also

   172                                  break;
   173                  } else {
   174                          range_end = range_start;
   175                  }
   176                  if (range_start == range_end && range_start == -1UL) {
   177                          bitmap_zero(fault->opcodes, sizeof(fault->opcodes) *
   178                                      BITS_PER_BYTE);
   179                          break;
   180                  }
   181                  for (i = range_start; i <= range_end; i++) {
   182                          if (remove)
   183                                  clear_bit(i, fault->opcodes);
                                                  ^
   184                          else
   185                                  set_bit(i, fault->opcodes);
                                                ^
Smatch complains that "i" can be beyond the end of bitmap. In the lines
quoted here, nothing between the kstrtoul() calls and this loop checks
range_start or range_end against the size of fault->opcodes.

   186                  }
   187                  if (!end)
   188                          break;

regards,
dan carpenter