From patchwork Thu Oct 7 07:16:10 2010
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 237761
Date: Thu, 7 Oct 2010 09:16:10 +0200
From: Dan Carpenter To: Roland Dreier Cc: Sean Hefty , Hal Rosenstock , linux-rdma@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] infiniband: uverbs: limit the number of entries Message-ID: <20101007071610.GC11681@bicker> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.18 (2008-05-17) Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.3 (demeter1.kernel.org [140.211.167.41]); Thu, 07 Oct 2010 07:16:57 +0000 (UTC) diff --git a/drivers/infiniband/core/uverbs.h b/drivers/infiniband/core/uverbs.h --- a/drivers/infiniband/core/uverbs.h +++ b/drivers/infiniband/core/uverbs.h @@ -162,6 +162,7 @@ void ib_uverbs_srq_event_handler(struct ib_event *event, void *context_ptr); void ib_uverbs_event_handler(struct ib_event_handler *handler, struct ib_event *event); +#define UVERBS_MAX_NUM_ENTRIES 1000 #define IB_UVERBS_DECLARE_CMD(name) \ ssize_t ib_uverbs_##name(struct ib_uverbs_file *file, \ const char __user *buf, int in_len, \ diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -906,12 +906,15 @@ ssize_t ib_uverbs_poll_cq(struct ib_uverbs_file *file, if (copy_from_user(&cmd, buf, sizeof cmd)) return -EFAULT; + if (cmd.ne > UVERBS_MAX_NUM_ENTRIES) + return -EINVAL; + wc = kmalloc(cmd.ne * sizeof *wc, GFP_KERNEL); if (!wc) return -ENOMEM; rsize = sizeof *resp + cmd.ne * sizeof(struct ib_uverbs_wc); - resp = kmalloc(rsize, GFP_KERNEL); + resp = kzalloc(rsize, GFP_KERNEL); if (!resp) { ret = -ENOMEM; goto out_wc;
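
Review bot: In the uverbs.h hunk, `#define UVERBS_MAX_NUM_ENTRIES 1000` is added with no comment saying what it bounds or why 1000 is the right ceiling, and it sits directly against `IB_UVERBS_DECLARE_CMD` with no blank line between them. Please add a one-line comment stating that it caps the user-supplied `cmd.ne` in `ib_uverbs_poll_cq` so the allocation sizes derived from it stay bounded, and separate it from the macro below. The name is also generic for a limit that, in this patch, applies to a single command; something tied to poll_cq or to work completions would make the scope clearer to the next reader.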
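
Review bot: In the uverbs_cmd.c hunk, the `kmalloc` to `kzalloc` change for `resp` is a second, separate fix that the subject line ("limit the number of entries") does not mention. Zeroing a buffer that is later returned to user space closes a different problem (uninitialised kernel memory in the response) from bounding `cmd.ne`, so it should either be called out in the changelog or split into its own patch. On the new check itself, `if (cmd.ne > UVERBS_MAX_NUM_ENTRIES) return -EINVAL;` only tests the upper bound, so it is worth confirming that `cmd.ne` is an unsigned type; if it is signed, a negative value passes the test and still reaches `cmd.ne * sizeof *wc`. Rejecting with -EINVAL also changes behaviour for callers that legitimately ask for more than 1000 entries; clamping `cmd.ne` to the limit, or allocating `wc` with `kcalloc()` so the multiplication is overflow-checked, would keep those callers working.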