From mboxrd@z Thu Jan 1 00:00:00 1970 From: Yann Droneaud Subject: Re: [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0 Date: Tue, 14 Apr 2015 14:00:59 +0200 Message-ID: <1429012859.4333.2.camel@opteya.com> References: <552CDBD6.1020205@dev.mellanox.co.il> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: QUOTED-PRINTABLE Return-path: In-Reply-To: <552CDBD6.1020205@dev.mellanox.co.il> Sender: stable-owner@vger.kernel.org To: Sagi Grimberg Cc: Roland Dreier , linux-rdma@vger.kernel.org, Shachar Raindel , Jack Morgenstein , Or Gerlitz , stable@vger.kernel.org List-Id: linux-rdma@vger.kernel.org Hi, Le mardi 14 avril 2015 =C3=A0 12:20 +0300, Sagi Grimberg a =C3=A9crit : > On 4/13/2015 3:56 PM, Yann Droneaud wrote: > > In a call to ib_umem_get(), if address is 0x0 and size is > > already page aligned, check added in commit 8494057ab5e4 > > ("IB/uverbs: Prevent integer overflow in ib_umem_get address > > arithmetic") will refuse to register a memory region that > > could otherwise be valid (provided vm.mmap_min_addr sysctl > > and mmap_low_allowed SELinux knobs allow userspace to map > > something at address 0x0). > > > > This patch allows back such registration: ib_umem_get() > > should probably don't care of the base address provided it > > can be pinned with get_user_pages(). > > > > There's two possible overflows, in (addr + size) and in > > PAGE_ALIGN(addr + size), this patch keep ensuring none > > of them happen while allowing to pin memory at address > > 0x0. Anyway, the case of size equal 0 is no more (partially) > > handled as 0-length memory region are disallowed by an > > earlier check. > > > > Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.co= m > > Cc: # 8494057ab5e4 ("IB/uverbs: Prevent in= teger overflow in ib_umem_get address arithmetic") > > Cc: Shachar Raindel > > Cc: Jack Morgenstein > > Cc: Or Gerlitz > > Signed-off-by: Yann Droneaud > > --- > > drivers/infiniband/core/umem.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/co= re/umem.c > > index 9ac4068d2088..38acb3cfc545 100644 > > --- a/drivers/infiniband/core/umem.c > > +++ b/drivers/infiniband/core/umem.c > > @@ -106,8 +106,8 @@ struct ib_umem *ib_umem_get(struct ib_ucontext = *context, unsigned long addr, > > * If the combination of the addr and size requested for this me= mory > > * region causes an integer overflow, return error. > > */ > > - if ((PAGE_ALIGN(addr + size) <=3D size) || > > - (PAGE_ALIGN(addr + size) <=3D addr)) > > + if (((addr + size) < addr) || > > + PAGE_ALIGN(addr + size) < (addr + size)) >=20 > If you do change the first statement to be: (addr + size) <=3D addr > wouldn't it cover patch #1? >=20 Yes, but it doesn't sound a great place to do it: here it's about overflow, so I'd prefer not doing the null memory region check there. Regards. --=20 Yann Droneaud OPTEYA