cgroup/rdma: fix integer overflow in rdmacg_try_charge()

The expression `rpool->resources[index].usage + 1` is computed in int
arithmetic before being assigned to s64 variable `new`. When usage equals
INT_MAX (the default "max" value), the addition overflows to INT_MIN.
This negative value then passes the `new > max` check incorrectly,
allowing a charge that should be rejected and corrupting usage to
negative.

Fix by casting usage to s64 before the addition so the arithmetic is
done in 64-bit.

Fixes: 39d3e7584a68 ("rdmacg: Added rdma cgroup controller")
Signed-off-by: cuitao <cuitao@kylinos.cn>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>

diff --git a/kernel/cgroup/rdma.c b/kernel/cgroup/rdma.c
index 9967fb25c56343b24bd33c1a3aa5332a92ab8d1d..4fdab4cf49e0f2b47109309fdd46df9b6e22d1dd 100644 (file)
--- a/kernel/cgroup/rdma.c
+++ b/kernel/cgroup/rdma.c
@@ -283,7 +283,7 @@ int rdmacg_try_charge(struct rdma_cgroup **rdmacg,
                        ret = PTR_ERR(rpool);
                        goto err;
                } else {
-                       new = rpool->resources[index].usage + 1;
+                       new = (s64)rpool->resources[index].usage + 1;
                        if (new > rpool->resources[index].max) {
                                ret = -EAGAIN;
                                goto err;