RDMA/mlx5: Prevent overflow in mmap offset calculations
author Leon Romanovsky <leonro@mellanox.com>
Wed, 12 Feb 2020 07:26:35 +0000 (09:26 +0200)
committer Jason Gunthorpe <jgg@mellanox.com>
Thu, 13 Feb 2020 14:39:23 +0000 (10:39 -0400)
The cmd and index variables are declared as u16 and the result is supposed to
be stored in u64. The C arithmetic rules don't promote "(index >> 8) <<
16" to be u64 and leave the end result to be u16.

Fixes: 7be76bef320b ("IB/mlx5: Introduce VAR object and its alloc/destroy methods")
Link: https://lore.kernel.org/r/20200212072635.682689-10-leon@kernel.org
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
drivers/infiniband/hw/mlx5/main.c

index e874d688d040d69eac94c1d680d3f8eb81d422f1..987bfdcd12a5b79dd8c681f947bf38f50c2e6258 100644 (file)
@@ -2283,8 +2283,8 @@ static int mlx5_ib_mmap_offset(struct mlx5_ib_dev *dev,
 
 static u64 mlx5_entry_to_mmap_offset(struct mlx5_user_mmap_entry *entry)
 {
-       u16 cmd = entry->rdma_entry.start_pgoff >> 16;
-       u16 index = entry->rdma_entry.start_pgoff & 0xFFFF;
+       u64 cmd = (entry->rdma_entry.start_pgoff >> 16) & 0xFFFF;
+       u64 index = entry->rdma_entry.start_pgoff & 0xFFFF;
 
        return (((index >> 8) << 16) | (cmd << MLX5_IB_MMAP_CMD_SHIFT) |
                (index & 0xFF)) << PAGE_SHIFT;
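Review bot: The `& 0xFFFF` added on the `cmd` line now carries the truncation that the old `u16` declaration did implicitly, and neither the commit message nor a comment says so. With `cmd` widened to u64, any bits of `start_pgoff` above bit 31 would otherwise flow into `cmd << MLX5_IB_MMAP_CMD_SHIFT`, so the mask is load-bearing. A one-line comment above the two declarations stating that `start_pgoff` packs cmd in bits 16-31 and index in bits 0-15 would keep a later cleanup from dropping it. It would also help to mention in the message that with u16 operands the return expression is evaluated as `int` after integer promotion, so the bits are lost at the final `<< PAGE_SHIFT` before the conversion to the u64 return type.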