Re: [PATCH rdma-next 2/2] RDMA/mlx5: Fix integer overflow of user QP buffer size

Next message: Arnd Bergmann: "Re: [PATCH 1/2] ASoC: SOF: Intel: select SND_SOC_SDW_UTILS=y from SND_SOC_SOF_HDA_GENERIC=y"
Previous message: Matthew Wilcox: "Re: [RFC V2 0/3] lib/vsprintf: Add support for pgtable entries"
In reply to: Edward Srouji: "[PATCH rdma-next 2/2] RDMA/mlx5: Fix integer overflow of user QP buffer size"
Next in thread: Edward Srouji: "Re: [PATCH rdma-next 2/2] RDMA/mlx5: Fix integer overflow of user QP buffer size"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason Gunthorpe

Date: Thu Jun 11 2026 - 15:17:42 EST

On Thu, Jun 11, 2026 at 03:50:43PM +0300, Edward Srouji wrote:
> @@ -664,11 +666,36 @@ static int set_user_buf_size(struct mlx5_ib_dev *dev,
>
> if (attr->qp_type == IB_QPT_RAW_PACKET ||
> qp->flags & IB_QP_CREATE_SOURCE_QPN) {
> - base->ubuffer.buf_size = qp->rq.wqe_cnt << qp->rq.wqe_shift;
> - qp->raw_packet_qp.sq.ubuffer.buf_size = qp->sq.wqe_cnt << 6;
> + if (check_shl_overflow(qp->rq.wqe_cnt, qp->rq.wqe_shift,
> + &base->ubuffer.buf_size)) {
> + mlx5_ib_warn(dev, "rq buf size overflow: wqe_cnt %d wqe_shift %d\n",
> + qp->rq.wqe_cnt, qp->rq.wqe_shift);
> + return -EINVAL;

No prints triggerable by uapi.

Jason