svn commit: r341919 - stable/12/sys/dev/mlx5/mlx5_ib
Hans Petter Selasky
hselasky at FreeBSD.org
Wed Dec 12 12:00:35 UTC 2018
Author: hselasky
Date: Wed Dec 12 12:00:34 2018
New Revision: 341919
URL: https://svnweb.freebsd.org/changeset/base/341919
Log:
MFC r341553:
mlx5: Fix integer overflow while resizing CQ
The user can provide very large cqe_size which will cause to integer
overflow.
Linux commit:
28e9091e3119933c38933cb8fc48d5618eb784c8
Sponsored by: Mellanox Technologies
Modified:
stable/12/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c
==============================================================================
--- stable/12/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Wed Dec 12 11:57:27 2018 (r341918)
+++ stable/12/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Wed Dec 12 12:00:34 2018 (r341919)
@@ -1124,7 +1124,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct
if (ucmd.reserved0 || ucmd.reserved1)
return -EINVAL;
- umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size,
+ /* check multiplication overflow */
+ if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)
+ return -EINVAL;
+
+ umem = ib_umem_get(context, ucmd.buf_addr,
+ (size_t)ucmd.cqe_size * entries,
IB_ACCESS_LOCAL_WRITE, 1);
if (IS_ERR(umem)) {
err = PTR_ERR(umem);
More information about the svn-src-stable-12
mailing list