Commit c802f460 authored Apr 14, 2026 by cuitao Committed by Tejun Heo Apr 17, 2026

cgroup/rdma: fix integer overflow in rdmacg_try_charge()



The expression `rpool->resources[index].usage + 1` is computed in int
arithmetic before being assigned to s64 variable `new`. When usage equals
INT_MAX (the default "max" value), the addition overflows to INT_MIN.
This negative value then passes the `new > max` check incorrectly,
allowing a charge that should be rejected and corrupting usage to
negative.

Fix by casting usage to s64 before the addition so the arithmetic is
done in 64-bit.

Fixes: 39d3e758 ("rdmacg: Added rdma cgroup controller")
Signed-off-by: cuitao <cuitao@kylinos.cn>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>

parent a5b98009

kernel/cgroup/rdma.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -283,7 +283,7 @@ int rdmacg_try_charge(struct rdma_cgroup **rdmacg,
		ret = PTR_ERR(rpool);
		goto err;
		} else {
		new = rpool->resources[index].usage + 1;
		new = (s64)rpool->resources[index].usage + 1;
		if (new > rpool->resources[index].max) {
		ret = -EAGAIN;
		goto err;