* [PATCH] cgroup/rdma: fix integer overflow in rdmacg_try_charge()
@ 2026-04-14 1:53 cuitao
2026-04-15 13:29 ` Michal Koutný
2026-04-17 17:37 ` Tejun Heo
0 siblings, 2 replies; 3+ messages in thread
From: cuitao @ 2026-04-14 1:53 UTC (permalink / raw)
To: tj, hannes, mkoutny, cgroups; +Cc: cuitao
The expression `rpool->resources[index].usage + 1` is computed in int
arithmetic before being assigned to s64 variable `new`. When usage equals
INT_MAX (the default "max" value), the addition overflows to INT_MIN.
This negative value then passes the `new > max` check incorrectly,
allowing a charge that should be rejected and corrupting usage to
negative.
Fix by casting usage to s64 before the addition so the arithmetic is
done in 64-bit.
Signed-off-by: cuitao <cuitao@kylinos.cn>
---
kernel/cgroup/rdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/cgroup/rdma.c b/kernel/cgroup/rdma.c
index 09258eebb5c7..7d21a0db3cef 100644
--- a/kernel/cgroup/rdma.c
+++ b/kernel/cgroup/rdma.c
@@ -283,7 +283,7 @@ int rdmacg_try_charge(struct rdma_cgroup **rdmacg,
ret = PTR_ERR(rpool);
goto err;
} else {
- new = rpool->resources[index].usage + 1;
+ new = (s64)rpool->resources[index].usage + 1;
if (new > rpool->resources[index].max) {
ret = -EAGAIN;
goto err;
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] cgroup/rdma: fix integer overflow in rdmacg_try_charge()
2026-04-14 1:53 [PATCH] cgroup/rdma: fix integer overflow in rdmacg_try_charge() cuitao
@ 2026-04-15 13:29 ` Michal Koutný
2026-04-17 17:37 ` Tejun Heo
1 sibling, 0 replies; 3+ messages in thread
From: Michal Koutný @ 2026-04-15 13:29 UTC (permalink / raw)
To: cuitao; +Cc: tj, hannes, cgroups
[-- Attachment #1: Type: text/plain, Size: 812 bytes --]
On Tue, Apr 14, 2026 at 09:53:27AM +0800, cuitao <cuitao@kylinos.cn> wrote:
> The expression `rpool->resources[index].usage + 1` is computed in int
> arithmetic before being assigned to s64 variable `new`. When usage equals
> INT_MAX (the default "max" value), the addition overflows to INT_MIN.
> This negative value then passes the `new > max` check incorrectly,
> allowing a charge that should be rejected and corrupting usage to
> negative.
>
> Fix by casting usage to s64 before the addition so the arithmetic is
> done in 64-bit.
Thanks.
Fixes: 39d3e7584a686 ("rdmacg: Added rdma cgroup controller")
>
> Signed-off-by: cuitao <cuitao@kylinos.cn>
> ---
> kernel/cgroup/rdma.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Michal Koutný <mkoutny@suse.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 265 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] cgroup/rdma: fix integer overflow in rdmacg_try_charge()
2026-04-14 1:53 [PATCH] cgroup/rdma: fix integer overflow in rdmacg_try_charge() cuitao
2026-04-15 13:29 ` Michal Koutný
@ 2026-04-17 17:37 ` Tejun Heo
1 sibling, 0 replies; 3+ messages in thread
From: Tejun Heo @ 2026-04-17 17:37 UTC (permalink / raw)
To: cuitao; +Cc: cgroups, hannes, mkoutny
Hello,
> cuitao (1):
> cgroup/rdma: fix integer overflow in rdmacg_try_charge()
Applied to cgroup/for-7.1-fixes.
Thanks.
--
tejun
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-17 17:37 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-14 1:53 [PATCH] cgroup/rdma: fix integer overflow in rdmacg_try_charge() cuitao
2026-04-15 13:29 ` Michal Koutný
2026-04-17 17:37 ` Tejun Heo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox