From b386cd65d961e29710ef6ad84bc788f0a7e9d64e Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 19 May 2020 16:32:23 +0300 Subject: [PATCH] RDMA/rtrs: Fix some signedness bugs in error handling The problem is that "req->sg_cnt" is an unsigned int so if "nr" is negative, it gets type promoted to a high positive value and the condition is false. This patch fixes it by handling negatives separately. Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") Link: https://lore.kernel.org/r/20200519133223.GN2078@kadam Signed-off-by: Dan Carpenter Reviewed-by: Jack Wang Signed-off-by: Jason Gunthorpe --- drivers/infiniband/ulp/rtrs/rtrs-clt.c | 7 +++---- drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c index 468fdd0d8713..96cba06e8ba7 100644 --- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c +++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c @@ -1047,11 +1047,10 @@ static int rtrs_map_sg_fr(struct rtrs_clt_io_req *req, size_t count) /* Align the MR to a 4K page size to match the block virt boundary */ nr = ib_map_mr_sg(req->mr, req->sglist, count, NULL, SZ_4K); - if (unlikely(nr < req->sg_cnt)) { - if (nr < 0) - return nr; + if (nr < 0) + return nr; + if (unlikely(nr < req->sg_cnt)) return -EINVAL; - } ib_update_fast_reg_key(req->mr, ib_inc_rkey(req->mr->rkey)); return nr; diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c index ba8ab33b94a2..eefd149ce7a4 100644 --- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c +++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c @@ -649,7 +649,7 @@ static int map_cont_bufs(struct rtrs_srv_sess *sess) } nr = ib_map_mr_sg(mr, sgt->sgl, sgt->nents, NULL, max_chunk_size); - if (nr < sgt->nents) { + if (nr < 0 || nr < sgt->nents) { err = nr < 0 ? nr : -EINVAL; goto dereg_mr; }