Use array_size to protect against multiplication overflows.
The changes were done using the following Coccinelle semantic patch:
// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@
(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>
Signed-off-by: Julia Lawall <[email protected]>
---
drivers/infiniband/sw/siw/siw_qp.c | 4 ++--
drivers/infiniband/sw/siw/siw_verbs.c | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/infiniband/sw/siw/siw_qp.c b/drivers/infiniband/sw/siw/siw_qp.c
index 81e9bbd9ebda..32ec85af0314 100644
--- a/drivers/infiniband/sw/siw/siw_qp.c
+++ b/drivers/infiniband/sw/siw/siw_qp.c
@@ -204,7 +204,7 @@ static int siw_qp_readq_init(struct siw_qp *qp, int irq_size, int orq_size)
{
if (irq_size) {
irq_size = roundup_pow_of_two(irq_size);
- qp->irq = vzalloc(irq_size * sizeof(struct siw_sqe));
+ qp->irq = vzalloc(array_size(irq_size, sizeof(struct siw_sqe)));
if (!qp->irq) {
qp->attrs.irq_size = 0;
return -ENOMEM;
@@ -212,7 +212,7 @@ static int siw_qp_readq_init(struct siw_qp *qp, int irq_size, int orq_size)
}
if (orq_size) {
orq_size = roundup_pow_of_two(orq_size);
- qp->orq = vzalloc(orq_size * sizeof(struct siw_sqe));
+ qp->orq = vzalloc(array_size(orq_size, sizeof(struct siw_sqe)));
if (!qp->orq) {
qp->attrs.orq_size = 0;
qp->attrs.irq_size = 0;
diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c
index 398ec13db624..ddf83b638cb0 100644
--- a/drivers/infiniband/sw/siw/siw_verbs.c
+++ b/drivers/infiniband/sw/siw/siw_verbs.c
@@ -381,7 +381,7 @@ int siw_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *attrs,
if (udata)
qp->sendq = vmalloc_user(num_sqe * sizeof(struct siw_sqe));
else
- qp->sendq = vzalloc(num_sqe * sizeof(struct siw_sqe));
+ qp->sendq = vzalloc(array_size(num_sqe, sizeof(struct siw_sqe)));
if (qp->sendq == NULL) {
rv = -ENOMEM;
@@ -414,7 +414,7 @@ int siw_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *attrs,
qp->recvq =
vmalloc_user(num_rqe * sizeof(struct siw_rqe));
else
- qp->recvq = vzalloc(num_rqe * sizeof(struct siw_rqe));
+ qp->recvq = vzalloc(array_size(num_rqe, sizeof(struct siw_rqe)));
if (qp->recvq == NULL) {
rv = -ENOMEM;
@@ -1624,7 +1624,7 @@ int siw_create_srq(struct ib_srq *base_srq,
srq->recvq =
vmalloc_user(srq->num_rqe * sizeof(struct siw_rqe));
else
- srq->recvq = vzalloc(srq->num_rqe * sizeof(struct siw_rqe));
+ srq->recvq = vzalloc(array_size(srq->num_rqe, sizeof(struct siw_rqe)));
if (srq->recvq == NULL) {
rv = -ENOMEM;
> -----Original Message-----
> From: Julia Lawall <[email protected]>
> Sent: Friday, 23 June 2023 23:15
> To: Bernard Metzler <[email protected]>
> Cc: [email protected]; [email protected]; Jason Gunthorpe
> <[email protected]>; Leon Romanovsky <[email protected]>; linux-
> [email protected]; [email protected]
> Subject: [EXTERNAL] [PATCH 14/26] RDMA/siw: use array_size
>
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>
>
> ---
> drivers/infiniband/sw/siw/siw_qp.c | 4 ++--
> drivers/infiniband/sw/siw/siw_verbs.c | 6 +++---
> 2 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/infiniband/sw/siw/siw_qp.c
> b/drivers/infiniband/sw/siw/siw_qp.c
> index 81e9bbd9ebda..32ec85af0314 100644
> --- a/drivers/infiniband/sw/siw/siw_qp.c
> +++ b/drivers/infiniband/sw/siw/siw_qp.c
> @@ -204,7 +204,7 @@ static int siw_qp_readq_init(struct siw_qp *qp, int
> irq_size, int orq_size)
> {
> if (irq_size) {
> irq_size = roundup_pow_of_two(irq_size);
> - qp->irq = vzalloc(irq_size * sizeof(struct siw_sqe));
> + qp->irq = vzalloc(array_size(irq_size, sizeof(struct siw_sqe)));
> if (!qp->irq) {
> qp->attrs.irq_size = 0;
> return -ENOMEM;
> @@ -212,7 +212,7 @@ static int siw_qp_readq_init(struct siw_qp *qp, int
> irq_size, int orq_size)
> }
> if (orq_size) {
> orq_size = roundup_pow_of_two(orq_size);
> - qp->orq = vzalloc(orq_size * sizeof(struct siw_sqe));
> + qp->orq = vzalloc(array_size(orq_size, sizeof(struct siw_sqe)));
> if (!qp->orq) {
> qp->attrs.orq_size = 0;
> qp->attrs.irq_size = 0;
> diff --git a/drivers/infiniband/sw/siw/siw_verbs.c
> b/drivers/infiniband/sw/siw/siw_verbs.c
> index 398ec13db624..ddf83b638cb0 100644
> --- a/drivers/infiniband/sw/siw/siw_verbs.c
> +++ b/drivers/infiniband/sw/siw/siw_verbs.c
> @@ -381,7 +381,7 @@ int siw_create_qp(struct ib_qp *ibqp, struct
> ib_qp_init_attr *attrs,
> if (udata)
> qp->sendq = vmalloc_user(num_sqe * sizeof(struct siw_sqe));
> else
> - qp->sendq = vzalloc(num_sqe * sizeof(struct siw_sqe));
> + qp->sendq = vzalloc(array_size(num_sqe, sizeof(struct
> siw_sqe)));
>
> if (qp->sendq == NULL) {
> rv = -ENOMEM;
> @@ -414,7 +414,7 @@ int siw_create_qp(struct ib_qp *ibqp, struct
> ib_qp_init_attr *attrs,
> qp->recvq =
> vmalloc_user(num_rqe * sizeof(struct siw_rqe));
> else
> - qp->recvq = vzalloc(num_rqe * sizeof(struct siw_rqe));
> + qp->recvq = vzalloc(array_size(num_rqe, sizeof(struct
> siw_rqe)));
>
> if (qp->recvq == NULL) {
> rv = -ENOMEM;
> @@ -1624,7 +1624,7 @@ int siw_create_srq(struct ib_srq *base_srq,
> srq->recvq =
> vmalloc_user(srq->num_rqe * sizeof(struct siw_rqe));
> else
> - srq->recvq = vzalloc(srq->num_rqe * sizeof(struct siw_rqe));
> + srq->recvq = vzalloc(array_size(srq->num_rqe, sizeof(struct
> siw_rqe)));
>
> if (srq->recvq == NULL) {
> rv = -ENOMEM;
lgtm!
Reviewed-by: Bernard Metzler <[email protected]>