From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Huang Shijie <sjhuang@iluvatar.ai>,
Shi Jiasheng <jiasheng.shi@iluvatar.ai>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 03/38] lib/genalloc: fix the overflow when size is too big
Date: Mon, 11 Jan 2021 14:00:35 +0100
Message-ID: <20210111130032.637689625@linuxfoundation.org>
In-Reply-To: <20210111130032.469630231@linuxfoundation.org>
From: Huang Shijie <sjhuang@iluvatar.ai>
[ Upstream commit 36845663843fc59c5d794e3dc0641472e3e572da ]

Some graphics cards have very big memory on chip, such as 32G bytes.

In the following case, it will cause overflow:

    pool = gen_pool_create(PAGE_SHIFT, NUMA_NO_NODE);
    ret = gen_pool_add(pool, 0x1000000, SZ_32G, NUMA_NO_NODE);

    va = gen_pool_alloc(pool, SZ_4G);

The overflow occurs in gen_pool_alloc_algo_owner():

    ....
    size = nbits << order;
    ....

The @nbits is of "int" type, so it will overflow.
Then gen_pool_avail() will return the wrong value.

This patch converts some "int" to "unsigned long", and
changes the comparison code in the while loops.

Link: https://lkml.kernel.org/r/20201229060657.3389-1-sjhuang@iluvatar.ai
Signed-off-by: Huang Shijie <sjhuang@iluvatar.ai>
Reported-by: Shi Jiasheng <jiasheng.shi@iluvatar.ai>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/genalloc.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/lib/genalloc.c b/lib/genalloc.c
index e3a475b14e260..b8ac0450a2a68 100644
--- a/lib/genalloc.c
+++ b/lib/genalloc.c
@@ -83,14 +83,14 @@ static int clear_bits_ll(unsigned long *addr, unsigned long mask_to_clear)
* users set the same bit, one user will return remain bits, otherwise
* return 0.
*/
-static int bitmap_set_ll(unsigned long *map, int start, int nr)
+static int bitmap_set_ll(unsigned long *map, unsigned long start, unsigned long nr)
{
unsigned long *p = map + BIT_WORD(start);
- const int size = start + nr;
+ const unsigned long size = start + nr;
int bits_to_set = BITS_PER_LONG - (start % BITS_PER_LONG);
unsigned long mask_to_set = BITMAP_FIRST_WORD_MASK(start);
- while (nr - bits_to_set >= 0) {
+ while (nr >= bits_to_set) {
if (set_bits_ll(p, mask_to_set))
return nr;
nr -= bits_to_set;
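Review bot: bitmap_set_ll() still returns int although nr is now unsigned long and the body does `return nr;`, so a remaining-bit count above INT_MAX is truncated on return. The companion bitmap_clear_ll() was changed to return unsigned long; please give bitmap_set_ll() the same return type so both helpers stay consistent.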
@@ -118,14 +118,15 @@ static int bitmap_set_ll(unsigned long *map, int start, int nr)
* users clear the same bit, one user will return remain bits,
* otherwise return 0.
*/
-static int bitmap_clear_ll(unsigned long *map, int start, int nr)
+static unsigned long
+bitmap_clear_ll(unsigned long *map, unsigned long start, unsigned long nr)
{
unsigned long *p = map + BIT_WORD(start);
- const int size = start + nr;
+ const unsigned long size = start + nr;
int bits_to_clear = BITS_PER_LONG - (start % BITS_PER_LONG);
unsigned long mask_to_clear = BITMAP_FIRST_WORD_MASK(start);
- while (nr - bits_to_clear >= 0) {
+ while (nr >= bits_to_clear) {
if (clear_bits_ll(p, mask_to_clear))
return nr;
nr -= bits_to_clear;
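Review bot: in bitmap_clear_ll(), bits_to_clear stays int while nr is now unsigned long, so `nr >= bits_to_clear` and `nr -= bits_to_clear` mix signedness. That is correct only because BITS_PER_LONG - (start % BITS_PER_LONG) is always positive; declaring bits_to_clear (and bits_to_set in bitmap_set_ll()) as unsigned long would make that explicit and keep sign-compare warnings quiet.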
@@ -184,8 +185,8 @@ int gen_pool_add_virt(struct gen_pool *pool, unsigned long virt, phys_addr_t phy
size_t size, int nid)
{
struct gen_pool_chunk *chunk;
- int nbits = size >> pool->min_alloc_order;
- int nbytes = sizeof(struct gen_pool_chunk) +
+ unsigned long nbits = size >> pool->min_alloc_order;
+ unsigned long nbytes = sizeof(struct gen_pool_chunk) +
BITS_TO_LONGS(nbits) * sizeof(long);
chunk = vzalloc_node(nbytes, nid);
@@ -242,7 +243,7 @@ void gen_pool_destroy(struct gen_pool *pool)
struct list_head *_chunk, *_next_chunk;
struct gen_pool_chunk *chunk;
int order = pool->min_alloc_order;
- int bit, end_bit;
+ unsigned long bit, end_bit;
list_for_each_safe(_chunk, _next_chunk, &pool->chunks) {
chunk = list_entry(_chunk, struct gen_pool_chunk, next_chunk);
@@ -274,7 +275,7 @@ unsigned long gen_pool_alloc(struct gen_pool *pool, size_t size)
struct gen_pool_chunk *chunk;
unsigned long addr = 0;
int order = pool->min_alloc_order;
- int nbits, start_bit, end_bit, remain;
+ unsigned long nbits, start_bit, end_bit, remain;
#ifndef CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG
BUG_ON(in_nmi());
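Review bot: the changelog locates the overflow in gen_pool_alloc_algo_owner(), but the declaration changed here is in gen_pool_alloc(), as the hunk header shows. A one-line backport note in the commit message naming the function as it exists in this tree would save readers from searching 4.4 for a symbol that the patch does not touch.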
@@ -357,7 +358,7 @@ void gen_pool_free(struct gen_pool *pool, unsigned long addr, size_t size)
{
struct gen_pool_chunk *chunk;
int order = pool->min_alloc_order;
- int start_bit, nbits, remain;
+ unsigned long start_bit, nbits, remain;
#ifndef CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG
BUG_ON(in_nmi());
@@ -553,7 +554,7 @@ unsigned long gen_pool_best_fit(unsigned long *map, unsigned long size,
index = bitmap_find_next_zero_area(map, size, start, nr, 0);
while (index < size) {
- int next_bit = find_next_bit(map, size, index + nr);
+ unsigned long next_bit = find_next_bit(map, size, index + nr);
if ((next_bit - index) < len) {
len = next_bit - index;
start_bit = index;
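Review bot: with next_bit now unsigned long, `(next_bit - index) < len` is evaluated against index and len, whose declarations are outside this hunk. Please confirm both are unsigned long as well; if either is still int, the comparison and the `len = next_bit - index;` assignment would reintroduce the narrowing this patch removes.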
--
2.27.0
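
The arithmetic from the changelog, as an added userspace model (not part of the original message or of lib/genalloc.c). It assumes PAGE_SHIFT is 12, a 64-bit kernel, and two's-complement wraparound for the 32-bit case; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define ORDER  12u              /* assumed PAGE_SHIFT (4 KiB pages) */
#define SZ_4G  (4ULL << 30)
#define SZ_32G (32ULL << 30)

/* "size = nbits << order" with nbits as a 32-bit int (pre-patch). */
static uint64_t debit_int_nbits(uint64_t req)
{
    uint32_t nbits = (uint32_t)((req + (1ULL << ORDER) - 1) >> ORDER);
    uint32_t wrapped = nbits << ORDER;          /* wraps mod 2^32 */
    return (uint64_t)(int64_t)(int32_t)wrapped; /* widened like int -> size_t */
}

/* The same statement with nbits as a 64-bit unsigned long (post-patch). */
static uint64_t debit_ulong_nbits(uint64_t req)
{
    uint64_t nbits = (req + (1ULL << ORDER) - 1) >> ORDER;
    return nbits << ORDER;
}

/* Free bytes left in the pool after debiting one allocation. */
static uint64_t avail_after(uint64_t pool, uint64_t debit)
{
    return pool - debit;
}

/* Old loop test "nr - bits >= 0" with unsigned nr: the difference wraps,
 * so it can never be negative and the test would always pass. */
static uint64_t wrapped_diff(uint64_t nr, int bits)
{
    return nr - (uint64_t)bits;
}

/* Replacement loop test from the patch: "nr >= bits". */
static int new_cond(uint64_t nr, int bits)
{
    return nr >= (uint64_t)bits;
}

int main(void)
{
    printf("int nbits:   avail = %llu\n", (unsigned long long)
           avail_after(SZ_32G, debit_int_nbits(SZ_4G)));
    printf("ulong nbits: avail = %llu\n", (unsigned long long)
           avail_after(SZ_32G, debit_ulong_nbits(SZ_4G)));
    printf("3 - 64 as unsigned = %llu, new test = %d\n",
           (unsigned long long)wrapped_diff(3, 64), new_cond(3, 64));
    return 0;
}
```

With the 32-bit type, the SZ_4G allocation debits zero bytes, so the modelled pool still reports all 32G as available.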