aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/infiniband/hw
diff options
context:
space:
mode:
authorRoland Dreier <rolandd@cisco.com>2008-04-17 00:01:13 -0400
committerRoland Dreier <rolandd@cisco.com>2008-04-17 00:01:13 -0400
commitc263ff65d5936113cfcbb8139d34122361e2306e (patch)
tree43d10528af61437b8dba0461f3d75639da3a2dad /drivers/infiniband/hw
parent19773539d6369c54fbb0c870de0c75417b0020d1 (diff)
IB/mthca: Avoid integer overflow when allocating huge ICM table
In mthca_alloc_icm_table(), the number of entries to allocate for the table->icm array is computed by calculating obj_size * nobj and then dividing by MTHCA_TABLE_CHUNK_SIZE. If nobj is really large, then obj_size * nobj may overflow and the division may get the wrong value (even a negative value). Fix this by calculating the number of objects per chunk and then dividing nobj by this value instead. This patch allows crazy configurations such as loading ib_mthca with the module parameter num_mtt=33554432 to work properly. Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband/hw')
-rw-r--r--drivers/infiniband/hw/mthca/mthca_memfree.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/mthca/mthca_memfree.c b/drivers/infiniband/hw/mthca/mthca_memfree.c
index d7d502dd741e..b224079d4e1f 100644
--- a/drivers/infiniband/hw/mthca/mthca_memfree.c
+++ b/drivers/infiniband/hw/mthca/mthca_memfree.c
@@ -359,12 +359,14 @@ struct mthca_icm_table *mthca_alloc_icm_table(struct mthca_dev *dev,
359 int use_lowmem, int use_coherent) 359 int use_lowmem, int use_coherent)
360{ 360{
361 struct mthca_icm_table *table; 361 struct mthca_icm_table *table;
362 int obj_per_chunk;
362 int num_icm; 363 int num_icm;
363 unsigned chunk_size; 364 unsigned chunk_size;
364 int i; 365 int i;
365 u8 status; 366 u8 status;
366 367
367 num_icm = (obj_size * nobj + MTHCA_TABLE_CHUNK_SIZE - 1) / MTHCA_TABLE_CHUNK_SIZE; 368 obj_per_chunk = MTHCA_TABLE_CHUNK_SIZE / obj_size;
369 num_icm = DIV_ROUND_UP(nobj, obj_per_chunk);
368 370
369 table = kmalloc(sizeof *table + num_icm * sizeof *table->icm, GFP_KERNEL); 371 table = kmalloc(sizeof *table + num_icm * sizeof *table->icm, GFP_KERNEL);
370 if (!table) 372 if (!table)