RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()

The ucmd->log_sq_bb_count variable is controlled by the user so this
shift can wrap.  Fix it by using check_shl_overflow() in the same way
that it was done in commit 515f60004ed9 ("RDMA/hns: Prevent undefined
behavior in hns_roce_set_user_sq_size()").

Fixes: 839041329fd3 ("IB/mlx4: Sanity check userspace send queue sizes")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/a8dfbd1d-c019-4556-930b-bab1ded73b10@kili.mountain
Signed-off-by: Leon Romanovsky <leon@kernel.org>

diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 884825b2e5f777fd81d1da463f061423c80d4031..456656617c33f280530487aebf0d669cc05e7597 100644 (file)
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -447,9 +447,13 @@ static int set_user_sq_size(struct mlx4_ib_dev *dev,
                            struct mlx4_ib_qp *qp,
                            struct mlx4_ib_create_qp *ucmd)
 {
+       u32 cnt;
+
        /* Sanity check SQ size before proceeding */
-       if ((1 << ucmd->log_sq_bb_count) > dev->dev->caps.max_wqes       ||
-           ucmd->log_sq_stride >
+       if (check_shl_overflow(1, ucmd->log_sq_bb_count, &cnt) ||
+           cnt > dev->dev->caps.max_wqes)
+               return -EINVAL;
+       if (ucmd->log_sq_stride >
                ilog2(roundup_pow_of_two(dev->dev->caps.max_sq_desc_sz)) ||
            ucmd->log_sq_stride < MLX4_IB_MIN_SQ_STRIDE)
                return -EINVAL;