From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Joonyoung Shim <jy0922.shim@samsung.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Jonghwan Choi <jhbird.choi@samsung.com>
Subject: [PATCH 3.10 40/52] lib/genalloc.c: fix overflow of ending address of memory chunk
Date: Tue, 10 Dec 2013 00:01:13 -0800
Message-ID: <20131210075957.014306168@linuxfoundation.org>
In-Reply-To: <20131210075954.196229872@linuxfoundation.org>

3.10-stable review patch. If anyone has any objections, please let me know.

------------------

From: Joonyoung Shim <jy0922.shim@samsung.com>

commit 674470d97958a0ec72f72caf7f6451da40159cc7 upstream.

In struct gen_pool_chunk, end_addr means the end address of memory chunk
(inclusive), but in the implementation it is treated as address + size of
memory chunk (exclusive), so it points to the address plus one instead of
correct ending address.

The ending address of memory chunk plus one will cause overflow on the
memory chunk including the last address of memory map, e.g. when starting
address is 0xFFF00000 and size is 0x100000 on 32bit machine, ending
address will be 0x100000000.

Use correct ending address like starting address + size - 1.

[akpm@linux-foundation.org: add comment to struct gen_pool_chunk:end_addr]
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jonghwan Choi <jhbird.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/genalloc.h | 4 ++--
lib/genalloc.c | 19 ++++++++++++-------
2 files changed, 14 insertions(+), 9 deletions(-)
--- a/include/linux/genalloc.h
+++ b/include/linux/genalloc.h
@@ -66,8 +66,8 @@ struct gen_pool_chunk {
struct list_head next_chunk; /* next chunk in pool */
atomic_t avail;
phys_addr_t phys_addr; /* physical starting address of memory chunk */
- unsigned long start_addr; /* starting address of memory chunk */
- unsigned long end_addr; /* ending address of memory chunk */
+ unsigned long start_addr; /* start address of memory chunk */
+ unsigned long end_addr; /* end address of memory chunk (inclusive) */
unsigned long bits[0]; /* bitmap for allocating memory chunk */
};
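Review bot: the "(inclusive)" comment on end_addr changes what the field means without changing its name or type, so any reader that still treats end_addr as one-past-the-end compiles cleanly and is off by one. The diffstat covers only include/linux/genalloc.h and lib/genalloc.c; for a stable backport it is worth confirming that nothing else in the 3.10 tree reads chunk->end_addr directly.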
--- a/lib/genalloc.c
+++ b/lib/genalloc.c
@@ -37,6 +37,11 @@
#include <linux/of_address.h>
#include <linux/of_device.h>
+static inline size_t chunk_size(const struct gen_pool_chunk *chunk)
+{
+ return chunk->end_addr - chunk->start_addr + 1;
+}
+
static int set_bits_ll(unsigned long *addr, unsigned long mask_to_set)
{
unsigned long val, nval;
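Review bot: chunk_size() carries no comment explaining that the "+ 1" exists because end_addr is inclusive, and its result wraps to 0 for a chunk that spans the whole address range (start_addr 0, end_addr at the maximum unsigned long). A short comment stating the inclusive convention and that a full-range chunk is not representable would make the helper's limits visible to callers that shift or sum its result.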
@@ -188,7 +193,7 @@ int gen_pool_add_virt(struct gen_pool *p
chunk->phys_addr = phys;
chunk->start_addr = virt;
- chunk->end_addr = virt + size;
+ chunk->end_addr = virt + size - 1;
atomic_set(&chunk->avail, size);
spin_lock(&pool->lock);
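Review bot: the assignment "chunk->end_addr = virt + size - 1" assumes size is non-zero, and nothing in the visible context rejects size 0. That input would give end_addr = virt - 1, which is below start_addr, or the maximum unsigned long when virt is 0, in which case the inclusive test "addr <= chunk->end_addr" used elsewhere in this patch matches every address. Suggest checking size before this assignment, or confirming that an earlier part of gen_pool_add_virt() already does.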
@@ -213,7 +218,7 @@ phys_addr_t gen_pool_virt_to_phys(struct
rcu_read_lock();
list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) {
- if (addr >= chunk->start_addr && addr < chunk->end_addr) {
+ if (addr >= chunk->start_addr && addr <= chunk->end_addr) {
paddr = chunk->phys_addr + (addr - chunk->start_addr);
break;
}
@@ -242,7 +247,7 @@ void gen_pool_destroy(struct gen_pool *p
chunk = list_entry(_chunk, struct gen_pool_chunk, next_chunk);
list_del(&chunk->next_chunk);
- end_bit = (chunk->end_addr - chunk->start_addr) >> order;
+ end_bit = chunk_size(chunk) >> order;
bit = find_next_bit(chunk->bits, end_bit, 0);
BUG_ON(bit < end_bit);
@@ -283,7 +288,7 @@ unsigned long gen_pool_alloc(struct gen_
if (size > atomic_read(&chunk->avail))
continue;
- end_bit = (chunk->end_addr - chunk->start_addr) >> order;
+ end_bit = chunk_size(chunk) >> order;
retry:
start_bit = pool->algo(chunk->bits, end_bit, start_bit, nbits,
pool->data);
@@ -330,8 +335,8 @@ void gen_pool_free(struct gen_pool *pool
nbits = (size + (1UL << order) - 1) >> order;
rcu_read_lock();
list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) {
- if (addr >= chunk->start_addr && addr < chunk->end_addr) {
- BUG_ON(addr + size > chunk->end_addr);
+ if (addr >= chunk->start_addr && addr <= chunk->end_addr) {
+ BUG_ON(addr + size - 1 > chunk->end_addr);
start_bit = (addr - chunk->start_addr) >> order;
remain = bitmap_clear_ll(chunk->bits, start_bit, nbits);
BUG_ON(remain);
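Review bot: in "BUG_ON(addr + size - 1 > chunk->end_addr)" the left-hand side can still wrap: for a large enough size, addr + size - 1 overflows to a small value and the check passes although the range runs past the chunk. Since addr <= chunk->end_addr is already established by the enclosing if, comparing "size - 1 > chunk->end_addr - addr" would express the same bound without an addition that can overflow.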
@@ -400,7 +405,7 @@ size_t gen_pool_size(struct gen_pool *po
rcu_read_lock();
list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk)
- size += chunk->end_addr - chunk->start_addr;
+ size += chunk_size(chunk);
rcu_read_unlock();
return size;
}
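
The wraparound described in the commit message, reproduced as an added userspace example (not part of the patch or of lib/genalloc.c). It models a 32-bit unsigned long with uint32_t; struct chunk_model and the four helper functions are illustrative names assumed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model: uint32_t stands in for a 32-bit unsigned long.
 * Type and function names are illustrative, not kernel identifiers. */
struct chunk_model {
	uint32_t start_addr;
	uint32_t end_addr;
};

/* Pre-patch convention: end_addr = start + size (one past the end). */
static struct chunk_model chunk_exclusive(uint32_t start, uint32_t size)
{
	struct chunk_model c = { start, (uint32_t)(start + size) };
	return c;
}

/* Post-patch convention: end_addr = start + size - 1 (last valid byte). */
static struct chunk_model chunk_inclusive(uint32_t start, uint32_t size)
{
	struct chunk_model c = { start, (uint32_t)(start + size - 1) };
	return c;
}

/* Range test as written before the patch. */
static bool contains_exclusive(const struct chunk_model *c, uint32_t addr)
{
	return addr >= c->start_addr && addr < c->end_addr;
}

/* Range test as written after the patch. */
static bool contains_inclusive(const struct chunk_model *c, uint32_t addr)
{
	return addr >= c->start_addr && addr <= c->end_addr;
}

int main(void)
{
	/* Values from the commit message: last 1 MiB of a 32-bit map. */
	struct chunk_model before = chunk_exclusive(0xFFF00000u, 0x100000u);
	struct chunk_model after = chunk_inclusive(0xFFF00000u, 0x100000u);

	printf("exclusive end=0x%08x contains(0xFFF00000)=%d\n",
	       (unsigned)before.end_addr, contains_exclusive(&before, 0xFFF00000u));
	printf("inclusive end=0x%08x contains(0xFFF00000)=%d\n",
	       (unsigned)after.end_addr, contains_inclusive(&after, 0xFFF00000u));
	return 0;
}
```

With the exclusive convention the end address truncates to 0, so the range test rejects every address in the chunk, which is the comparison gen_pool_virt_to_phys() and gen_pool_free() used before the patch.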