diff options
author | Mark Bloch <markb@mellanox.com> | 2016-10-27 16:36:31 +0300 |
---|---|---|
committer | Doug Ledford <dledford@redhat.com> | 2016-11-16 20:03:44 -0500 |
commit | 3c7ba5760ab8eedec01159b267bb9bfcffe522ac (patch) | |
tree | 36e6c1ab64e36f899718b69ce3b6b989c2c13bf1 /drivers | |
parent | 61c3702863be9e9f1ef12ed5a5b17bae6cdfac0b (diff) |
IB/core: Avoid unsigned int overflow in sg_alloc_table
sg_alloc_table gets unsigned int as parameter while the driver
returns it as size_t. Check npages isn't greater than maximum
unsigned int.
Fixes: eeb8461e36c9 ("IB: Refactor umem to use linear SG table")
Signed-off-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/infiniband/core/umem.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c index 224ad274ea0b..84b4eff90395 100644 --- a/drivers/infiniband/core/umem.c +++ b/drivers/infiniband/core/umem.c @@ -175,7 +175,7 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, cur_base = addr & PAGE_MASK; - if (npages == 0) { + if (npages == 0 || npages > UINT_MAX) { ret = -EINVAL; goto out; } |