From: Leon Romanovsky
Date: Wed, 7 Mar 2018 13:29:09 +0000 (+0200)
Subject: RDMA/mlx5: Fix integer overflow while resizing CQ
X-Git-Tag: v4.1.51~47
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fc0be83edd94e31303a8b1b89b4d624a8b99c28f;p=platform%2Fkernel%2Flinux-exynos.git

RDMA/mlx5: Fix integer overflow while resizing CQ

[ Upstream commit aa0de36a40f446f5a21a7c1e677b98206e242edb ]

The user can provide a very large cqe_size, which will cause an integer overflow, as can be seen in the following UBSAN warning:

Signed-off-by: Doug Ledford
Signed-off-by: Sasha Levin
---
diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c index 2ee6b1051975..ca920c633f25 100644 --- a/drivers/infiniband/hw/mlx5/cq.c +++ b/drivers/infiniband/hw/mlx5/cq.c @@ -959,7 +959,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq, if (ucmd.reserved0 || ucmd.reserved1) return -EINVAL; - umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, + /* check multiplication overflow */ + if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) + return -EINVAL; + + umem = ib_umem_get(context, ucmd.buf_addr, + (size_t)ucmd.cqe_size * entries, IB_ACCESS_LOCAL_WRITE, 1); if (IS_ERR(umem)) { err = PTR_ERR(umem);
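
Review bot: in the new guard ahead of ib_umem_get(), the `ucmd.cqe_size &&` term means a zero cqe_size skips the check entirely and the call proceeds with a zero-length region; unless something outside the lines shown already rejects that, return -EINVAL for cqe_size == 0 here, or validate cqe_size against the CQE sizes the device supports, which would also bound the product. The `SIZE_MAX / ucmd.cqe_size <= entries - 1` form is an exact overflow test only when entries is at least 1 (its type and range are not visible in this hunk), and the one-line comment does not say so; writing the test as `entries > SIZE_MAX / ucmd.cqe_size` expresses the same condition without depending on the subtraction.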