summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark Bloch <markb@mellanox.com>2016-10-27 16:36:31 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2016-11-26 09:56:58 +0100
commit46e47543175b6784b02f7b587ef83b44fd2c8f7d (patch)
treebf801c2e882a26fce8afeef1a1b063c603a0a738
parent82c377d0531156d30e6d26c3eb13122e8c1c8677 (diff)
IB/core: Avoid unsigned int overflow in sg_alloc_table
commit 3c7ba5760ab8eedec01159b267bb9bfcffe522ac upstream. sg_alloc_table gets unsigned int as parameter while the driver returns it as size_t. Check npages isn't greater than maximum unsigned int. Fixes: eeb8461e36c9 ("IB: Refactor umem to use linear SG table") Signed-off-by: Mark Bloch <markb@mellanox.com> Signed-off-by: Maor Gottlieb <maorg@mellanox.com> Signed-off-by: Leon Romanovsky <leon@kernel.org> Signed-off-by: Doug Ledford <dledford@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/infiniband/core/umem.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index c68746ce6624..bdab61d9103c 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -174,7 +174,7 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
cur_base = addr & PAGE_MASK;
- if (npages == 0) {
+ if (npages == 0 || npages > UINT_MAX) {
ret = -EINVAL;
goto out;
}