aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/infiniband/hw/mthca
diff options
context:
space:
mode:
authorRoland Dreier <rolandd@cisco.com>2008-04-16 21:01:13 -0700
committerRoland Dreier <rolandd@cisco.com>2008-04-16 21:01:13 -0700
commitc263ff65d5936113cfcbb8139d34122361e2306e (patch)
tree43d10528af61437b8dba0461f3d75639da3a2dad /drivers/infiniband/hw/mthca
parent19773539d6369c54fbb0c870de0c75417b0020d1 (diff)
downloadkernel_samsung_smdk4412-c263ff65d5936113cfcbb8139d34122361e2306e.tar.gz
kernel_samsung_smdk4412-c263ff65d5936113cfcbb8139d34122361e2306e.tar.bz2
kernel_samsung_smdk4412-c263ff65d5936113cfcbb8139d34122361e2306e.zip
IB/mthca: Avoid integer overflow when allocating huge ICM table
In mthca_alloc_icm_table(), the number of entries to allocate for the table->icm array is computed by calculating obj_size * nobj and then dividing by MTHCA_TABLE_CHUNK_SIZE. If nobj is really large, then obj_size * nobj may overflow and the division may get the wrong value (even a negative value). Fix this by calculating the number of objects per chunk and then dividing nobj by this value instead. This patch allows crazy configurations such as loading ib_mthca with the module parameter num_mtt=33554432 to work properly. Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband/hw/mthca')
-rw-r--r--drivers/infiniband/hw/mthca/mthca_memfree.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/mthca/mthca_memfree.c b/drivers/infiniband/hw/mthca/mthca_memfree.c
index d7d502dd741..b224079d4e1 100644
--- a/drivers/infiniband/hw/mthca/mthca_memfree.c
+++ b/drivers/infiniband/hw/mthca/mthca_memfree.c
@@ -359,12 +359,14 @@ struct mthca_icm_table *mthca_alloc_icm_table(struct mthca_dev *dev,
int use_lowmem, int use_coherent)
{
struct mthca_icm_table *table;
+ int obj_per_chunk;
int num_icm;
unsigned chunk_size;
int i;
u8 status;
- num_icm = (obj_size * nobj + MTHCA_TABLE_CHUNK_SIZE - 1) / MTHCA_TABLE_CHUNK_SIZE;
+ obj_per_chunk = MTHCA_TABLE_CHUNK_SIZE / obj_size;
+ num_icm = DIV_ROUND_UP(nobj, obj_per_chunk);
table = kmalloc(sizeof *table + num_icm * sizeof *table->icm, GFP_KERNEL);
if (!table)