diff options
| author | Gustavo A. R. Silva <gustavoars@kernel.org> | 2023-09-17 15:21:36 -0600 |
|---|---|---|
| committer | Leon Romanovsky <leon@kernel.org> | 2023-09-19 10:33:45 +0300 |
| commit | 81760bedc65194ff38e1e4faefd5f9f0c95c19a4 (patch) | |
| tree | d92360dcda24c6cb5eb4428626fc78c126abd26a /drivers/infiniband/core/user_mad.c | |
| parent | 4ececeb839868ad235515f5bb332530f2ac11253 (diff) | |
RDMA/core: Use size_{add,sub,mul}() in calls to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` provides against potential integer
overflows is defeated. Fix this by hardening calls to `struct_size()`
with `size_add()`, `size_sub()` and `size_mul()`.
Fixes: 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes")
Fixes: a4676388e2e2 ("RDMA/core: Simplify how the gid_attrs sysfs is created")
Fixes: e9dd5daf884c ("IB/umad: Refactor code to use cdev_device_add()")
Fixes: 324e227ea7c9 ("RDMA/device: Add ib_device_get_by_netdev()")
Fixes: 5aad26a7eac5 ("IB/core: Use struct_size() in kzalloc()")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/ZQdt4NsJFwwOYxUR@work
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Diffstat (limited to 'drivers/infiniband/core/user_mad.c')
| -rw-r--r-- | drivers/infiniband/core/user_mad.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c index 7e5c33aad161..f5feca7fa9b9 100644 --- a/drivers/infiniband/core/user_mad.c +++ b/drivers/infiniband/core/user_mad.c @@ -1378,7 +1378,9 @@ static int ib_umad_add_one(struct ib_device *device) s = rdma_start_port(device); e = rdma_end_port(device); - umad_dev = kzalloc(struct_size(umad_dev, ports, e - s + 1), GFP_KERNEL); + umad_dev = kzalloc(struct_size(umad_dev, ports, + size_add(size_sub(e, s), 1)), + GFP_KERNEL); if (!umad_dev) return -ENOMEM; |