On 18/06/2019 21:48, Jason Gunthorpe wrote: > On Tue, Jun 18, 2019 at 04:07:32PM +0300, Gal Pressman wrote: >> When inserting a new mmap entry to the xarray we should check for >> 'mmap_page' overflow as it is limited to 32 bits. >> >> Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation") >> Signed-off-by: Gal Pressman <galpress@xxxxxxxxxx> >> Changelog: >> v1->v2 >> * Bring back the ucontext->mmap_xa_page assignment before __xa_insert >> drivers/infiniband/hw/efa/efa_verbs.c | 21 ++++++++++++++++----- >> 1 file changed, 16 insertions(+), 5 deletions(-) >> >> diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c >> index 0fea5d63fdbe..fb6115244d4c 100644 >> +++ b/drivers/infiniband/hw/efa/efa_verbs.c >> @@ -204,6 +204,7 @@ static u64 mmap_entry_insert(struct efa_dev *dev, struct efa_ucontext *ucontext, >> void *obj, u64 address, u64 length, u8 mmap_flag) >> { >> struct efa_mmap_entry *entry; >> + u32 next_mmap_page; >> int err; >> >> entry = kmalloc(sizeof(*entry), GFP_KERNEL); >> @@ -216,15 +217,19 @@ static u64 mmap_entry_insert(struct efa_dev *dev, struct efa_ucontext *ucontext, >> entry->mmap_flag = mmap_flag; >> >> xa_lock(&ucontext->mmap_xa); >> + if (check_add_overflow(ucontext->mmap_xa_page, >> + (u32)(length >> PAGE_SHIFT), >> + &next_mmap_page)) >> + goto err_unlock; >> + >> entry->mmap_page = ucontext->mmap_xa_page; >> - ucontext->mmap_xa_page += DIV_ROUND_UP(length, PAGE_SIZE); > > Why did DIV_ROUND_UP become >> ? Since length is guaranteed to be a multiple of PAGE_SIZE.
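Review bot: in the second hunk the addend is cast to `(u32)(length >> PAGE_SHIFT)` before it reaches check_add_overflow(), so a `length` whose page count does not fit in 32 bits is truncated silently and the check runs on the wrong operand; compute the page count in a u64 and reject it when it exceeds U32_MAX (or otherwise verify `length >> PAGE_SHIFT` fits in u32) before doing the add. Two things cannot be verified from the quoted context: the `err_unlock` label is outside the hunk, so it is not visible whether that path releases `xa_lock(&ucontext->mmap_xa)` and frees the `entry` allocated with kmalloc() in the first hunk's context, and the hunk ends before `next_mmap_page` is consumed, so the `ucontext->mmap_xa_page` assignment the changelog mentions is not in view either.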