From: Roland Dreier <rdreier@cisco.com>
To: paulus@samba.org, benh@kernel.crashing.org
Cc: vb <vb@vsbe.com>, Arnd Bergmann <arnd@arndb.de>,
	linuxppc-embedded@ozlabs.org
Subject: [PATCH] powerpc: Avoid integer overflow in page_is_ram()
Date: Fri, 29 Aug 2008 20:39:03 -0700
Message-ID: <adar687i33c.fsf_-_@cisco.com>
In-Reply-To: <adak5e1kf2u.fsf@cisco.com> (Roland Dreier's message of "Wed, 27 Aug 2008 20:12:41 -0700")

Commit 8b150478 ("ppc: make phys_mem_access_prot() work with pfns
instead of addresses") fixed page_is_ram() in arch/ppc to avoid overflow
for addresses above 4G on 32-bit kernels.  However arch/powerpc's
page_is_ram() is missing the same fix -- it computes a physical address
by doing pfn << PAGE_SHIFT, which overflows if pfn corresponds to a page
above 4G.

In particular this causes pages above 4G to be mapped with the wrong
caching attribute; for example many ppc440-based SoCs have PCI space
above 4G, and mmap()ing MMIO space may end up with a mapping that has
caching enabled.

Fix this by working with the pfn and avoiding the conversion to
physical address that causes the overflow.  This patch compares the
pfn to max_pfn, which is a semantic change from the old code -- that
code compared the physical address to high_memory, which corresponds
to max_low_pfn.  However, I think that was another bug, since
highmem pages are still RAM.

Reported-by: vb <vb@vsbe.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
---
This is a fix but the bug is pretty long-standing -- I think this is
2.6.28 material.

 arch/powerpc/mm/mem.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c
index 1c93c25..98d7bf9 100644
--- a/arch/powerpc/mm/mem.c
+++ b/arch/powerpc/mm/mem.c
@@ -75,11 +75,10 @@ static inline pte_t *virt_to_kpte(unsigned long vaddr)
 
 int page_is_ram(unsigned long pfn)
 {
-	unsigned long paddr = (pfn << PAGE_SHIFT);
-
 #ifndef CONFIG_PPC64	/* XXX for now */
-	return paddr < __pa(high_memory);
+	return pfn < max_pfn;
 #else
+	unsigned long paddr = (pfn << PAGE_SHIFT);
 	int i;
 	for (i=0; i < lmb.memory.cnt; i++) {
 		unsigned long base;
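
Review bot: In the !CONFIG_PPC64 branch, `return pfn < max_pfn;` reports every pfn below max_pfn as RAM, so it relies on there being no hole or MMIO window below max_pfn. A short comment stating that assumption, and that highmem is now deliberately included as the changelog explains, would keep a later reader from changing the bound back to high_memory. The CONFIG_PPC64 branch still computes `pfn << PAGE_SHIFT` into an unsigned long, which is safe only because unsigned long is 64 bits wide there; if the `/* XXX for now */` split is ever dropped and the lmb walk runs on 32-bit, that shift needs a 64-bit type or a pfn-based comparison, or the overflow this patch fixes comes back.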
