From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 19 May 2020 16:32:23 +0300
Subject: RDMA/rtrs: Fix some signedness bugs in error handling
Patch-mainline: v5.8-rc1
Git-commit: b386cd65d961e29710ef6ad84bc788f0a7e9d64e
References: jsc#SLE-15176
The problem is that "req->sg_cnt" is an unsigned int so if "nr" is
negative, it gets type promoted to a high positive value and the condition
is false. This patch fixes it by handling negatives separately.
Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
Link: https://lore.kernel.org/r/20200519133223.GN2078@kadam
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jack Wang <jinpu.wang@cloud.ionos.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 7 +++----
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +-
2 files changed, 4 insertions(+), 5 deletions(-)
--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
@@ -1047,11 +1047,10 @@ static int rtrs_map_sg_fr(struct rtrs_cl
/* Align the MR to a 4K page size to match the block virt boundary */
nr = ib_map_mr_sg(req->mr, req->sglist, count, NULL, SZ_4K);
- if (unlikely(nr < req->sg_cnt)) {
- if (nr < 0)
- return nr;
+ if (nr < 0)
+ return nr;
+ if (unlikely(nr < req->sg_cnt))
return -EINVAL;
- }
ib_update_fast_reg_key(req->mr, ib_inc_rkey(req->mr->rkey));
return nr;
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
@@ -649,7 +649,7 @@ static int map_cont_bufs(struct rtrs_srv
}
nr = ib_map_mr_sg(mr, sgt->sgl, sgt->nents,
NULL, max_chunk_size);
- if (nr < sgt->nents) {
+ if (nr < 0 || nr < sgt->nents) {
err = nr < 0 ? nr : -EINVAL;
goto dereg_mr;
}