From: ben.hutchings@codethink.co.uk (Ben Hutchings)
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] [PATCH 4.4-cip 20/23] drm: fix signed integer overflow
Date: Fri, 09 Dec 2016 00:39:37 +0000 [thread overview]
Message-ID: <1481243977.1860.177.camel@codethink.co.uk> (raw)
In-Reply-To: <1481243545.1860.156.camel@codethink.co.uk>
From: Xie XiuQi <xiexiuqi@huawei.com>
commit ae0119f5f73b1e9cf7177fbbeea68d74c5751def upstream.
Use 1UL for unsigned long, or we'll meet a overflow issue with UBSAN.
[ 15.589489] UBSAN: Undefined behaviour in drivers/gpu/drm/drm_hashtab.c:145:35
[ 15.589500] signed integer overflow:
[ 15.589999] -2147483648 - 1 cannot be represented in type 'int'
[ 15.590434] CPU: 2 PID: 294 Comm: plymouthd Not tainted 3.10.0-327.28.3.el7.x86_64 #1
[ 15.590653] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 01/07/2011
[ 15.591001] 1ffff1000670fe83 000000000d6b385e ffff88003387f3e0 ffffffff81ee3140
[ 15.591028] ffff88003387f3f8 ffffffff81ee31fd ffffffffa032f460 ffff88003387f560
[ 15.591044] ffffffff81ee46e2 0000002d00000009 0000000000000001 0000000041b58ab3
[ 15.591059] Call Trace:
[ 15.591078] [<ffffffff81ee3140>] dump_stack+0x1e/0x20
[ 15.591093] [<ffffffff81ee31fd>] ubsan_epilogue+0x12/0x55
[ 15.591109] [<ffffffff81ee46e2>] handle_overflow+0x1ba/0x215
[ 15.591126] [<ffffffff81ee4528>] ? __ubsan_handle_negate_overflow+0x162/0x162
[ 15.591146] [<ffffffff8103416c>] ? print_context_stack+0x9c/0x160
[ 15.591163] [<ffffffff81031df2>] ? dump_trace+0x252/0x750
[ 15.591181] [<ffffffff81739023>] ? __list_add+0x93/0x160
[ 15.591197] [<ffffffff81ee4798>] __ubsan_handle_sub_overflow+0x2a/0x31
[ 15.591261] [<ffffffffa0282140>] drm_ht_just_insert_please+0x1e0/0x200 [drm]
[ 15.591290] [<ffffffffa0528c7a>] ttm_base_object_init+0x10a/0x270 [ttm]
[ 15.591316] [<ffffffffa052a34c>] ttm_vt_lock+0x28c/0x3a0 [ttm]
[ 15.591343] [<ffffffffa052a0c0>] ? ttm_write_lock+0x180/0x180 [ttm]
[ 15.591362] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591379] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591396] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591413] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591442] [<ffffffffa061cbe1>] vmw_master_set+0x121/0x470 [vmwgfx]
[ 15.591459] [<ffffffff811773a5>] ? __init_waitqueue_head+0x45/0x70
[ 15.591487] [<ffffffffa061cac0>] ? vmw_master_drop+0x310/0x310 [vmwgfx]
[ 15.591535] [<ffffffffa026946a>] drm_open+0x92a/0xc00 [drm]
[ 15.591563] [<ffffffffa0619ff0>] ? vmw_driver_open+0x170/0x170 [vmwgfx]
[ 15.591610] [<ffffffffa0268b40>] ? drm_poll+0xe0/0xe0 [drm]
[ 15.591661] [<ffffffffa02797b4>] drm_stub_open+0x224/0x330 [drm]
[ 15.591711] [<ffffffffa0279590>] ? drm_minor_acquire+0x240/0x240 [drm]
[ 15.591727] [<ffffffff8145fa8a>] chrdev_open+0x1fa/0x3f0
[ 15.591742] [<ffffffff8145f890>] ? cdev_put+0x50/0x50
[ 15.591761] [<ffffffff814f6dc3>] ? __fsnotify_parent+0x53/0x210
[ 15.591778] [<ffffffff8144fde1>] do_dentry_open+0x351/0x670
[ 15.591792] [<ffffffff8145f890>] ? cdev_put+0x50/0x50
[ 15.591807] [<ffffffff814503c2>] vfs_open+0xa2/0x170
[ 15.591824] [<ffffffff8147b5df>] do_last+0xccf/0x2c80
[ 15.591842] [<ffffffff8147a910>] ? filename_create+0x320/0x320
[ 15.591858] [<ffffffff81472549>] ? path_init+0x1b9/0xa90
[ 15.591875] [<ffffffff81472390>] ? mountpoint_last+0x9a0/0x9a0
[ 15.591894] [<ffffffff815f9ccf>] ? selinux_file_alloc_security+0xcf/0x130
[ 15.591911] [<ffffffff8147d777>] path_openat+0x1e7/0xcc0
[ 15.591927] [<ffffffff81031df2>] ? dump_trace+0x252/0x750
[ 15.591943] [<ffffffff8147d590>] ? do_last+0x2c80/0x2c80
[ 15.591959] [<ffffffff81739023>] ? __list_add+0x93/0x160
[ 15.591974] [<ffffffff8104b48d>] ? save_stack_trace+0x7d/0xb0
[ 15.591989] [<ffffffff81480824>] do_filp_open+0xa4/0x160
[ 15.592004] [<ffffffff81480780>] ? user_path_mountpoint_at+0x50/0x50
[ 15.592022] [<ffffffff8149d755>] ? __alloc_fd+0x175/0x300
[ 15.592039] [<ffffffff81453127>] do_sys_open+0x1b7/0x3f0
[ 15.592054] [<ffffffff81452f70>] ? filp_open+0x80/0x80
[ 15.592070] [<ffffffff81453392>] SyS_open+0x32/0x40
[ 15.592088] [<ffffffff81f08989>] system_call_fastpath+0x16/0x1b
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
[seanpaul tweaked subject to remove "gpu/"]
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: http://patchwork.freedesktop.org/patch/msgid/1473152138-25335-1-git-send-email-xiexiuqi at huawei.com
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
drivers/gpu/drm/drm_hashtab.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_hashtab.c b/drivers/gpu/drm/drm_hashtab.c
index c3b80fd65d62..fbbd9f0c2eef 100644
--- a/drivers/gpu/drm/drm_hashtab.c
+++ b/drivers/gpu/drm/drm_hashtab.c
@@ -142,7 +142,7 @@ int drm_ht_just_insert_please(struct drm_open_hash *ht, struct drm_hash_item *it
unsigned long add)
{
int ret;
- unsigned long mask = (1 << bits) - 1;
+ unsigned long mask = (1UL << bits) - 1;
unsigned long first, unshifted_key;
unshifted_key = hash_long(seed, bits);
--
2.10.2
--
Ben Hutchings
Software Developer, Codethink Ltd.
next prev parent reply other threads:[~2016-12-09 0:39 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-09 0:32 [cip-dev] [PATCH 4.4-cip 00/23] Undefined Behaviour Sanititizer support Ben Hutchings
2016-12-09 0:33 ` [cip-dev] [PATCH 4.4-cip 01/23] UBSAN: run-time undefined behavior sanity checker Ben Hutchings
2016-12-09 0:33 ` [cip-dev] [PATCH 4.4-cip 02/23] ubsan: cosmetic fix to Kconfig text Ben Hutchings
2016-12-09 0:34 ` [cip-dev] [PATCH 4.4-cip 03/23] PM / sleep: declare __tracedata symbols as char[] rather than char Ben Hutchings
2016-12-09 0:34 ` [cip-dev] [PATCH 4.4-cip 04/23] x86/microcode/intel: Change checksum variables to u32 Ben Hutchings
2016-12-09 0:34 ` [cip-dev] [PATCH 4.4-cip 05/23] mm/page-writeback: fix dirty_ratelimit calculation Ben Hutchings
2016-12-09 0:34 ` [cip-dev] [PATCH 4.4-cip 06/23] perf/core: Fix Undefined behaviour in rb_alloc() Ben Hutchings
2016-12-09 0:35 ` [cip-dev] [PATCH 4.4-cip 07/23] ubsan: fix tree-wide -Wmaybe-uninitialized false positives Ben Hutchings
2016-12-09 0:35 ` [cip-dev] [PATCH 4.4-cip 08/23] mm/filemap: generic_file_read_iter(): check for zero reads unconditionally Ben Hutchings
2016-12-09 0:35 ` [cip-dev] [PATCH 4.4-cip 09/23] perf/x86/amd: Set the size of event map array to PERF_COUNT_HW_MAX Ben Hutchings
2016-12-09 0:35 ` [cip-dev] [PATCH 4.4-cip 10/23] drm/radeon: don't include RADEON_HPD_NONE in HPD IRQ enable bitsets Ben Hutchings
2016-12-09 0:35 ` [cip-dev] [PATCH 4.4-cip 11/23] btrfs: fix int32 overflow in shrink_delalloc() Ben Hutchings
2016-12-09 0:36 ` [cip-dev] [PATCH 4.4-cip 12/23] blk-mq: fix undefined behaviour in order_to_size() Ben Hutchings
2016-12-09 0:36 ` [cip-dev] [PATCH 4.4-cip 13/23] batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq Ben Hutchings
2016-12-09 0:36 ` [cip-dev] [PATCH 4.4-cip 14/23] signal: move the "sig < SIGRTMIN" check into siginmask(sig) Ben Hutchings
2016-12-09 0:36 ` [cip-dev] [PATCH 4.4-cip 15/23] mmc: dw_mmc: remove UBSAN warning in dw_mci_setup_bus() Ben Hutchings
2016-12-09 0:36 ` [cip-dev] [PATCH 4.4-cip 16/23] UBSAN: fix typo in format string Ben Hutchings
2016-12-09 0:37 ` [cip-dev] [PATCH 4.4-cip 17/23] rhashtable: fix shift by 64 when shrinking Ben Hutchings
2016-12-09 0:37 ` [cip-dev] [PATCH 4.4-cip 18/23] time: Avoid undefined behaviour in ktime_add_safe() Ben Hutchings
2016-12-09 0:39 ` [cip-dev] [PATCH 4.4-cip 19/23] pwm: samsung: Fix to use lowest div for large enough modulation bits Ben Hutchings
2016-12-09 0:39 ` Ben Hutchings [this message]
2016-12-09 0:39 ` [cip-dev] [PATCH 4.4-cip 21/23] xfs: fix signed integer overflow Ben Hutchings
2016-12-09 0:41 ` [cip-dev] [PATCH 4.4-cip 22/23] net: get rid of an signed integer overflow in ip_idents_reserve() Ben Hutchings
2016-12-09 0:41 ` [cip-dev] [PATCH 4.4-cip 23/23] mlx4: remove unused fields Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1481243977.1860.177.camel@codethink.co.uk \
--to=ben.hutchings@codethink.co.uk \
--cc=cip-dev@lists.cip-project.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox