IB/core: Avoid unsigned int overflow in sg_alloc_table

mark-bloch · gregkh · commit eba83a85caba · 2016-11-26T09:54:54.000+01:00
commit 3c7ba5760ab8eedec01159b267bb9bfcffe522ac upstream. sg_alloc_table gets unsigned int as parameter while the driver returns it as size_t. Check npages isn't greater than maximum unsigned int. Fixes: eeb8461 ("IB: Refactor umem to use linear SG table") Signed-off-by: Mark Bloch <markb@mellanox.com> Signed-off-by: Maor Gottlieb <maorg@mellanox.com> Signed-off-by: Leon Romanovsky <leon@kernel.org> Signed-off-by: Doug Ledford <dledford@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
@@ -175,7 +175,7 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 
 	cur_base = addr & PAGE_MASK;
 
-	if (npages == 0) {
+	if (npages == 0 || npages > UINT_MAX) {
 		ret = -EINVAL;
 		goto out;
 	}

Original file line number	Diff line number	Diff line change
`@@ -175,7 +175,7 @@ struct ib_umem ib_umem_get(struct ib_ucontext context, unsigned long addr,`
`175`	`175`
`176`	`176`	`cur_base = addr & PAGE_MASK;`
`177`	`177`
`178`		`- if (npages == 0) {`
	`178`	`+ if (npages == 0 \|\| npages > UINT_MAX) {`
`179`	`179`	`ret = -EINVAL;`
`180`	`180`	`goto out;`
`181`	`181`	`}`