Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp2279629pxb; Mon, 11 Jan 2021 05:56:54 -0800 (PST) X-Google-Smtp-Source: ABdhPJxgQmgF++4+dKzE98y5c9ALGHskuQ0erAoSxII6/NsTIF5AdY8g3fjdO0lGWzY9TKZ1sWWL X-Received: by 2002:a17:906:704d:: with SMTP id r13mr10935592ejj.43.1610373414066; Mon, 11 Jan 2021 05:56:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610373414; cv=none; d=google.com; s=arc-20160816; b=eSuCqLaiUUyEnzRy5tEmILKXfr3VLgZ7/n0QWvM9UGhX2slctg2EHNo8d8SO0Eoa4f tDHtF51uvw38XVA/yk7+st7H9trmTT4r30A4VfeACmY/eH0W6uo26bvCmJ5AlEMSeIrF 7GCdGR/QIoBTgWP1rAwTDpyy2z6lJBWK/BxgYBQX2dnAY3SGQVbk3phUOFst7KgAaWaL PP5YMfL4uEVjV3Sh6+3XfLhDVarFgv+uxL1TEn4cdfr36rhpeJw32ESGdmel/jkL9mB2 kQPwOutf0LO9S/YaBvpow97lODbVGIN3nqttTVzcPu+fCMb87aa8oJ3Dhbrr8lnUi8b5 MAYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Okmu4ndA/D8WtQhfjckpSEBaqFnO3W+HwVkCnQzeZts=; b=IU5DSDx0Bvub+KPeB7uTKvol7EYk8m53T5Voq/E7UqNFPxJcVRCu6F/GzS0eO8pMiS b0tSZY3KeNC1eCZo4J2h3O4dlqIRvDp2tb41j0TMf5BtS5R8NVgkxjrQeI4nBNMvH1oy YDjFrROWW3J7nRFZfOklk5QYoA7+7RtqW1FAOZ281md3msOLLQnlXDbrRHsMm0+TQ4wv ZZMxEClPusDEWCqwmjuhqVH1TjGV1o0fZQjbMMdfgxw6kzQdv8WrXCDirCd2gUaNERmQ L2JQvixupIIfZSUUKlPeBySNNBc+Yc+M6F6qn/vBxCnbpesPBW0Ur5djWVI99v0N9K1U kIOw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1eyvxwLW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ah12si6708950ejc.483.2021.01.11.05.56.30; Mon, 11 Jan 2021 05:56:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1eyvxwLW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730629AbhAKNyT (ORCPT + 99 others); Mon, 11 Jan 2021 08:54:19 -0500 Received: from mail.kernel.org ([198.145.29.99]:55026 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730644AbhAKNHx (ORCPT ); Mon, 11 Jan 2021 08:07:53 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 308B72251F; Mon, 11 Jan 2021 13:07:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1610370457; bh=iFnS+GBYEsw4jWMBlBq7NIkQVxEv6AgCU7oCMZz5DfY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1eyvxwLWYMFJqCtnnNe/WOdK6VAuOGUKii+2RyYD/bJUUWJ4g7KxwnYneLeZlwz9D MnVlixwqkMw2iYyGmvdZwHY3J86HfD9Ipl1uSkaGBg5jP7WZjOl4qbbr+QR+nDfQ65 A6TrLlapFRZ/xhB/elLyL8VtpZQP5cCdpQTAqINs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Huang Shijie , Shi Jiasheng , Andrew Morton , Linus Torvalds , Sasha Levin Subject: [PATCH 4.19 07/77] lib/genalloc: fix the overflow when size is too big Date: Mon, 11 Jan 2021 14:01:16 +0100 Message-Id: <20210111130036.762479876@linuxfoundation.org> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210111130036.414620026@linuxfoundation.org> References: <20210111130036.414620026@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Huang Shijie [ Upstream commit 36845663843fc59c5d794e3dc0641472e3e572da ] Some graphic card has very big memory on chip, such as 32G bytes. In the following case, it will cause overflow: pool = gen_pool_create(PAGE_SHIFT, NUMA_NO_NODE); ret = gen_pool_add(pool, 0x1000000, SZ_32G, NUMA_NO_NODE); va = gen_pool_alloc(pool, SZ_4G); The overflow occurs in gen_pool_alloc_algo_owner(): .... size = nbits << order; .... The @nbits is "int" type, so it will overflow. Then the gen_pool_avail() will return the wrong value. This patch converts some "int" to "unsigned long", and changes the compare code in while. Link: https://lkml.kernel.org/r/20201229060657.3389-1-sjhuang@iluvatar.ai Signed-off-by: Huang Shijie Reported-by: Shi Jiasheng Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- lib/genalloc.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/lib/genalloc.c b/lib/genalloc.c index 7e85d1e37a6ea..0b8ee173cf3a6 100644 --- a/lib/genalloc.c +++ b/lib/genalloc.c @@ -83,14 +83,14 @@ static int clear_bits_ll(unsigned long *addr, unsigned long mask_to_clear) * users set the same bit, one user will return remain bits, otherwise * return 0. */ -static int bitmap_set_ll(unsigned long *map, int start, int nr) +static int bitmap_set_ll(unsigned long *map, unsigned long start, unsigned long nr) { unsigned long *p = map + BIT_WORD(start); - const int size = start + nr; + const unsigned long size = start + nr; int bits_to_set = BITS_PER_LONG - (start % BITS_PER_LONG); unsigned long mask_to_set = BITMAP_FIRST_WORD_MASK(start); - while (nr - bits_to_set >= 0) { + while (nr >= bits_to_set) { if (set_bits_ll(p, mask_to_set)) return nr; nr -= bits_to_set; @@ -118,14 +118,15 @@ static int bitmap_set_ll(unsigned long *map, int start, int nr) * users clear the same bit, one user will return remain bits, * otherwise return 0. */ -static int bitmap_clear_ll(unsigned long *map, int start, int nr) +static unsigned long +bitmap_clear_ll(unsigned long *map, unsigned long start, unsigned long nr) { unsigned long *p = map + BIT_WORD(start); - const int size = start + nr; + const unsigned long size = start + nr; int bits_to_clear = BITS_PER_LONG - (start % BITS_PER_LONG); unsigned long mask_to_clear = BITMAP_FIRST_WORD_MASK(start); - while (nr - bits_to_clear >= 0) { + while (nr >= bits_to_clear) { if (clear_bits_ll(p, mask_to_clear)) return nr; nr -= bits_to_clear; @@ -184,8 +185,8 @@ int gen_pool_add_virt(struct gen_pool *pool, unsigned long virt, phys_addr_t phy size_t size, int nid) { struct gen_pool_chunk *chunk; - int nbits = size >> pool->min_alloc_order; - int nbytes = sizeof(struct gen_pool_chunk) + + unsigned long nbits = size >> pool->min_alloc_order; + unsigned long nbytes = sizeof(struct gen_pool_chunk) + BITS_TO_LONGS(nbits) * sizeof(long); chunk = vzalloc_node(nbytes, nid); @@ -242,7 +243,7 @@ void gen_pool_destroy(struct gen_pool *pool) struct list_head *_chunk, *_next_chunk; struct gen_pool_chunk *chunk; int order = pool->min_alloc_order; - int bit, end_bit; + unsigned long bit, end_bit; list_for_each_safe(_chunk, _next_chunk, &pool->chunks) { chunk = list_entry(_chunk, struct gen_pool_chunk, next_chunk); @@ -293,7 +294,7 @@ unsigned long gen_pool_alloc_algo(struct gen_pool *pool, size_t size, struct gen_pool_chunk *chunk; unsigned long addr = 0; int order = pool->min_alloc_order; - int nbits, start_bit, end_bit, remain; + unsigned long nbits, start_bit, end_bit, remain; #ifndef CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG BUG_ON(in_nmi()); @@ -376,7 +377,7 @@ void gen_pool_free(struct gen_pool *pool, unsigned long addr, size_t size) { struct gen_pool_chunk *chunk; int order = pool->min_alloc_order; - int start_bit, nbits, remain; + unsigned long start_bit, nbits, remain; #ifndef CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG BUG_ON(in_nmi()); @@ -638,7 +639,7 @@ unsigned long gen_pool_best_fit(unsigned long *map, unsigned long size, index = bitmap_find_next_zero_area(map, size, start, nr, 0); while (index < size) { - int next_bit = find_next_bit(map, size, index + nr); + unsigned long next_bit = find_next_bit(map, size, index + nr); if ((next_bit - index) < len) { len = next_bit - index; start_bit = index; -- 2.27.0