2015-08-05 19:55:24

by Allen Hubbe

Subject: [PATCH v2] ioatdma: fix overflow of u16 in ring_reshape

If the allocation order is 16, then the u16 index will overflow and wrap
to zero instead of being equal or greater than 1 << 16. The loop
condition will always be true, and the loop will run until all the
memory resources are depleted.

Change the type of index 'i' to u32, so that it is large enough to store
a value equal or greater than 1 << 16.

Signed-off-by: Allen Hubbe <[email protected]>
---

Version Two: rebased the fix on top of Dave Jiang's work.

drivers/dma/ioat/dma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/ioat/dma.c b/drivers/dma/ioat/dma.c
index a5630966834e..7435585dbbd6 100644
--- a/drivers/dma/ioat/dma.c
+++ b/drivers/dma/ioat/dma.c
@@ -372,7 +372,7 @@ static bool reshape_ring(struct ioatdma_chan *ioat_chan, int order)
const u16 active = ioat_ring_active(ioat_chan);
const u32 new_size = 1 << order;
struct ioat_ring_ent **ring;
- u16 i;
+ u32 i;

if (order > ioat_get_max_alloc_order())
return false;
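Review bot: Widening `i` to u32 fixes the loop index, but `const u16 active` in the first context line of this hunk is still a 16-bit quantity, while `new_size` can now legitimately be 1 << 16. Either state in the changelog that `active` and any other 16-bit ring values stay correct at order 16, or make the `order > ioat_get_max_alloc_order()` check that closes the hunk reject order 16, so that every u16 in this function stays in range. A one-line comment on `u32 i;` explaining that it must be able to hold `new_size` would also help keep the type from being narrowed again later.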
--
2.5.0.rc1


2015-08-05 20:03:55

by Dan Williams

Subject: Re: [PATCH v2] ioatdma: fix overflow of u16 in ring_reshape

On Wed, Aug 5, 2015 at 7:55 AM, Allen Hubbe <[email protected]> wrote:
> If the allocation order is 16, then the u16 index will overflow and wrap
> to zero instead of being equal or greater than 1 << 16. The loop
> condition will always be true, and the loop will run until all the
> memory resources are depleted.
>
> Change the type of index 'i' to u32, so that it is large enough to store
> a value equal or greater than 1 << 16.
>
> Signed-off-by: Allen Hubbe <[email protected]>
> ---
>
> Version Two: rebased the fix on top of Dave Jiang's work.
>

Hmm, I think we should instead limit the max order to 15 instead
because there are other usages of u16 throughout the driver. In fact
I thought that was already enforced, but seems I'm mistaken.
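
The wrap described in the commit message and the order-15 limit suggested in the reply, as an added user-space example (not code from the driver or from either author). The loop shape `for (i = 0; i < new_size; i++)`, the function names and the `CAP` iteration bound are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define CAP 200000u /* constructed bound so a non-terminating loop can be observed */

/* Assumed loop shape: for (i = 0; i < new_size; i++). Returns the number of
 * iterations, or CAP if the loop was still running after CAP iterations. */
static uint32_t iterations_u16(int order)
{
    const uint32_t new_size = 1u << order;
    uint32_t n = 0;
    uint16_t i;

    for (i = 0; i < new_size; i++)  /* i wraps 65535 -> 0, never reaches 1 << 16 */
        if (++n == CAP)
            return CAP;
    return n;
}

/* Same loop with the index widened to 32 bits, as the patch does. */
static uint32_t iterations_u32(int order)
{
    const uint32_t new_size = 1u << order;
    uint32_t n = 0;
    uint32_t i;

    for (i = 0; i < new_size; i++)
        if (++n == CAP)
            return CAP;
    return n;
}

/* The alternative from the reply: returns 1 if the 16-bit index terminates
 * with the right count for every order up to max_order, 0 otherwise. */
static int u16_index_safe(int max_order)
{
    for (int order = 0; order <= max_order; order++)
        if (iterations_u16(order) != (1u << order))
            return 0;
    return 1;
}

int main(void)
{
    printf("u16 index, order 15: %u iterations\n", iterations_u16(15));
    printf("u16 index, order 16: %u (capped, loop did not exit)\n", iterations_u16(16));
    printf("u32 index, order 16: %u iterations\n", iterations_u32(16));
    printf("u16 safe with max order 15: %d, 16: %d\n", u16_index_safe(15), u16_index_safe(16));
    return 0;
}
```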