In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Prevent integer overflow issue In the expression "cmd.wqesize * cmd.wrcount", both variables are u32 values that come from the user so the multiplication can lead to integer wrapping. Then we pass the result to uverbsrequestnextptr() which also could potentially wrap. The "cmd.sgecount * sizeof(struct ibuverbssge)" multiplication can also overflow on 32bit systems although it's fine on 64bit systems. This patch does two things. First, I've re-arranged the condition in uverbsrequestnextptr() so that the use controlled variable "len" is on one side of the comparison by itself without any math. Then I've modified all the callers to use sizemul() for the multiplications.