From 859976da0307618d1169616f9cb03936716106eb Mon Sep 17 00:00:00 2001
From: Dan Carpenter
Date: Tue, 12 Aug 2014 19:20:04 -0400
Subject: [PATCH] RDMA/amso1100: Check for integer overflow in c2_alloc_cq_buf()

This is a static checker fix. The static checker says that q_size comes from the user and can be any 32 bit value. The call tree is: --> ib_uverbs_create_cq() --> c2_create_cq() --> c2_init_cq()

Signed-off-by: Dan Carpenter
Signed-off-by: Doug Ledford
Signed-off-by: Roland Dreier
---
 drivers/infiniband/hw/amso1100/c2_cq.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/amso1100/c2_cq.c b/drivers/infiniband/hw/amso1100/c2_cq.c
index 49e0e8533f74..1b63185b4ad4 100644
--- a/drivers/infiniband/hw/amso1100/c2_cq.c
+++ b/drivers/infiniband/hw/amso1100/c2_cq.c
@@ -260,11 +260,14 @@ static void c2_free_cq_buf(struct c2_dev *c2dev, struct c2_mq *mq)
 mq->msg_pool.host, dma_unmap_addr(mq, mapping));
 }
 
-static int c2_alloc_cq_buf(struct c2_dev *c2dev, struct c2_mq *mq, int q_size,
- int msg_size)
+static int c2_alloc_cq_buf(struct c2_dev *c2dev, struct c2_mq *mq,
+ size_t q_size, size_t msg_size)
 {
 u8 *pool_start;
 
+ if (q_size > SIZE_MAX / msg_size)
+ return -EINVAL;
+
 pool_start = dma_alloc_coherent(&c2dev->pcidev->dev, q_size * msg_size,
 &mq->host_dma, GFP_KERNEL);
 if (!pool_start)
-- 
2.34.1
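Review bot: The new guard `if (q_size > SIZE_MAX / msg_size)` divides by `msg_size` without ruling out zero, so a caller passing `msg_size == 0` would fault in the check itself. The callers are not visible in this hunk and presumably pass a fixed `sizeof`, but `if (!msg_size || q_size > SIZE_MAX / msg_size) return -EINVAL;` makes the function safe on its own. The check also only prevents the product from wrapping. On a 64-bit build `SIZE_MAX / msg_size` is far above any 32-bit `q_size`, so a large user-supplied depth still reaches `dma_alloc_coherent()` and is limited only by the allocator. A bound against the device's maximum CQ depth, if the caller does not already enforce one, is worth confirming. The body of `c2_alloc_cq_buf()` continues past the end of the hunk, so how `q_size` is stored afterwards cannot be checked from here.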