Efct link statistics contain receive_kbyte_count and transmit_kbyte_count values, which are converted into 4-byte words in efct_get_stats(). Result is assigned to a variable of type u64, but the calculations are done in u32, which can lead to integer overflow. Integer overflow is possible because device registers are not necessarily reset regularly, while the issue occurs when the value is over 16 GB, which is realistically achievable. Signed-off-by: Murad Masimov <m.masimov@xxxxxxxxxxxxxxxxx> --- drivers/scsi/elx/efct/efct_xport.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/elx/efct/efct_xport.c b/drivers/scsi/elx/efct/efct_xport.c index cf4dced20b8b..048f89bc9553 100644 --- a/drivers/scsi/elx/efct/efct_xport.c +++ b/drivers/scsi/elx/efct/efct_xport.c @@ -830,10 +830,10 @@ efct_get_stats(struct Scsi_Host *shost) stats.stats.link_stats.crc_error_count; /* mbox returns kbyte count so we need to convert to words */ vport->fc_host_stats.tx_words = - stats.stats.host_stats.transmit_kbyte_count * 256; + (u64)stats.stats.host_stats.transmit_kbyte_count * 256; /* mbox returns kbyte count so we need to convert to words */ vport->fc_host_stats.rx_words = - stats.stats.host_stats.receive_kbyte_count * 256; + (u64)stats.stats.host_stats.receive_kbyte_count * 256; vport->fc_host_stats.tx_frames = stats.stats.host_stats.transmit_frame_count; vport->fc_host_stats.rx_frames = -- 2.39.2
