IB/hfi1: Validate the TID count before using it

Improve the safety of the code by validating the user supplied
tidcnt before use.

Reviewed-by: Mitko Haralanov <mitko.haralanov@intel.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>

diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
index 002214eef47227a6cf5c10baad720a6092801170..35c6e7ec8ad6beb311b9e8177a09c40ff82b351d 100644 (file)
--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
@@ -579,6 +579,9 @@ int hfi1_user_exp_rcv_clear(struct file *fp, struct hfi1_tid_info *tinfo)
        u32 *tidinfo;
        unsigned tididx;
 
+       if (unlikely(tinfo->tidcnt > fd->tid_used))
+               return -EINVAL;
+
        tidinfo = memdup_user((void __user *)(unsigned long)tinfo->tidlist,
                              sizeof(tidinfo[0]) * tinfo->tidcnt);
        if (IS_ERR(tidinfo))