RDMA/hns: Fix memory corruption when allocating XRCDN

It's incorrect to cast the type of pointer to xrcdn from (u32 *) to
(unsigned long *), then pass it into hns_roce_bitmap_alloc(), this will
lead to a memory corruption.

Fixes: 32548870d438 ("RDMA/hns: Add support for XRC on HIP09")
Link: https://lore.kernel.org/r/1616381069-51759-1-git-send-email-liweihang@huawei.com
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Weihang Li <liweihang@huawei.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/infiniband/hw/hns/hns_roce_pd.c b/drivers/infiniband/hw/hns/hns_roce_pd.c
index 3ca51ce..a5813bf 100644 (file)
--- a/drivers/infiniband/hw/hns/hns_roce_pd.c
+++ b/drivers/infiniband/hw/hns/hns_roce_pd.c
@@ -140,8 +140,16 @@ void hns_roce_cleanup_uar_table(struct hns_roce_dev *hr_dev)
 
 static int hns_roce_xrcd_alloc(struct hns_roce_dev *hr_dev, u32 *xrcdn)
 {
-       return hns_roce_bitmap_alloc(&hr_dev->xrcd_bitmap,
-                                    (unsigned long *)xrcdn);
+       unsigned long obj;
+       int ret;
+
+       ret = hns_roce_bitmap_alloc(&hr_dev->xrcd_bitmap, &obj);
+       if (ret)
+               return ret;
+
+       *xrcdn = obj;
+
+       return 0;
 }
 
 static void hns_roce_xrcd_free(struct hns_roce_dev *hr_dev,