From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Kevin Grandemange <kevin.grandemange@allegrodvt.com>,
	Christoph Hellwig <hch@lst.de>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 048/118] dma-coherent: fix integer overflow in the reserved-memory dma allocation
Date: Wed, 22 Apr 2020 11:56:49 +0200	[thread overview]
Message-ID: <20200422095039.855897954@linuxfoundation.org> (raw)
In-Reply-To: <20200422095031.522502705@linuxfoundation.org>

From: Kevin Grandemange <kevin.grandemange@allegrodvt.com>

[ Upstream commit 286c21de32b904131f8cf6a36ce40b8b0c9c5da3 ]

pageno is an int and the PAGE_SHIFT shift is done on an int,
overflowing if the memory is bigger than 2G.

This can be reproduced using for example a reserved-memory of 4G:

reserved-memory {
	#address-cells = <2>;
	#size-cells = <2>;
	ranges;

	reserved_dma: buffer@0 {
		compatible = "shared-dma-pool";
		no-map;
		reg = <0x5 0x00000000 0x1 0x0>;
	};
};

Signed-off-by: Kevin Grandemange <kevin.grandemange@allegrodvt.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/dma/coherent.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/kernel/dma/coherent.c b/kernel/dma/coherent.c
index 551b0eb7028a3..2a0c4985f38e4 100644
--- a/kernel/dma/coherent.c
+++ b/kernel/dma/coherent.c
@@ -134,7 +134,7 @@ static void *__dma_alloc_from_coherent(struct device *dev,
 
 	spin_lock_irqsave(&mem->spinlock, flags);
 
-	if (unlikely(size > (mem->size << PAGE_SHIFT)))
+	if (unlikely(size > ((dma_addr_t)mem->size << PAGE_SHIFT)))
 		goto err;
 
 	pageno = bitmap_find_free_region(mem->bitmap, mem->size, order);
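Review bot: the right-hand side of the size guard is a byte length (`size` is a size_t, `mem->size` a page count), so casting it to dma_addr_t ties the width of a length comparison to the bus-address type rather than to the address-space type; `(size_t)mem->size << PAGE_SHIFT` says what is meant and is wide enough on every configuration where the pool can exist. Casting at the use site also leaves `mem->size` itself narrow, which is why the same cast has to be repeated in the three hunks below; widening the field in struct dma_coherent_mem once would fix every shift of it, including any not touched here.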
@@ -144,8 +144,9 @@ static void *__dma_alloc_from_coherent(struct device *dev,
 	/*
 	 * Memory was found in the coherent area.
 	 */
-	*dma_handle = dma_get_device_base(dev, mem) + (pageno << PAGE_SHIFT);
-	ret = mem->virt_base + (pageno << PAGE_SHIFT);
+	*dma_handle = dma_get_device_base(dev, mem) +
+			((dma_addr_t)pageno << PAGE_SHIFT);
+	ret = mem->virt_base + ((dma_addr_t)pageno << PAGE_SHIFT);
 	spin_unlock_irqrestore(&mem->spinlock, flags);
 	memset(ret, 0, size);
 	return ret;
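Review bot: `ret = mem->virt_base + ((dma_addr_t)pageno << PAGE_SHIFT)` adds a bus-address-typed offset to a kernel virtual pointer; the byte count is the same, but a single `size_t offset = (size_t)pageno << PAGE_SHIFT` computed once and used for both `*dma_handle` and `ret` would keep the two lines visibly in step and avoid the odd type on the pointer arithmetic. The wording of the commit message ("overflowing") undersells the old behaviour here: with PAGE_SHIFT 12, any pageno of 0x80000 or more shifted into the sign bit of the int and was then sign-extended into dma_addr_t, so `*dma_handle` ended up 2G below dma_get_device_base(dev, mem), outside the pool, rather than merely failing; that is a device-side addressing error and the stable note should say so.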
@@ -194,7 +195,7 @@ static int __dma_release_from_coherent(struct dma_coherent_mem *mem,
 				       int order, void *vaddr)
 {
 	if (mem && vaddr >= mem->virt_base && vaddr <
-		   (mem->virt_base + (mem->size << PAGE_SHIFT))) {
+		   (mem->virt_base + ((dma_addr_t)mem->size << PAGE_SHIFT))) {
 		int page = (vaddr - mem->virt_base) >> PAGE_SHIFT;
 		unsigned long flags;
 
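Review bot: the upper bound of the `vaddr` range test now uses a dma_addr_t for what is a virtual-address range against `mem->virt_base`, a void *; consistent with the hunk above, but size_t is the natural type for `(mem->size << PAGE_SHIFT)` on this line. Keeping `page` as an int is fine for the index (a 4G pool at 4K pages is 0x100000 pages), but note that this hunk only checks that `vaddr` lies inside the pool and does not check `order` against the pages remaining after `page`, so an `order` larger than the one used at allocation is not caught by anything visible here.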
@@ -238,10 +239,10 @@ static int __dma_mmap_from_coherent(struct dma_coherent_mem *mem,
 		struct vm_area_struct *vma, void *vaddr, size_t size, int *ret)
 {
 	if (mem && vaddr >= mem->virt_base && vaddr + size <=
-		   (mem->virt_base + (mem->size << PAGE_SHIFT))) {
+		   (mem->virt_base + ((dma_addr_t)mem->size << PAGE_SHIFT))) {
 		unsigned long off = vma->vm_pgoff;
 		int start = (vaddr - mem->virt_base) >> PAGE_SHIFT;
-		int user_count = vma_pages(vma);
+		unsigned long user_count = vma_pages(vma);
 		int count = PAGE_ALIGN(size) >> PAGE_SHIFT;
 
 		*ret = -ENXIO;
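Review bot: `user_count` is widened to unsigned long to match vma_pages(), but `count` (from `PAGE_ALIGN(size) >> PAGE_SHIFT`) and `start` stay int, so the comparisons that follow between `off`, `user_count` and `count` still mix signed and unsigned operands; making `count` an unsigned long as well would make the arithmetic uniform. Separately, the range test `vaddr + size <= (mem->virt_base + ...)` performs pointer arithmetic on the caller-supplied `size` before validating it, so a `size` large enough to wrap `vaddr` past the end of the address space passes the test; checking `size <= pool_bytes && (vaddr - mem->virt_base) <= pool_bytes - size` (with `pool_bytes` the widened pool length) avoids the wrap.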
-- 
2.20.1
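The int overflow the commit message describes, as an added example that is not part of the patch or of the kernel: it models the page-count shift from kernel/dma/coherent.c before and after the fix, for the size guard and for the dma_handle computation. The page counts and the device base come from the 4G reserved-memory node in the commit message (base 0x5 0x00000000, size 0x1 0x0); PAGE_SHIFT 12 is an assumption, since the message does not state the page size. The 32-bit wrap of the old code is reproduced with explicit uint32_t arithmetic rather than by shifting a signed int, so the model stays defined C while giving the two's-complement result the old code produced in practice.

```c
/* Added example, not kernel code. Models `x << PAGE_SHIFT` with x an int
 * (mem->size or pageno in kernel/dma/coherent.c) before and after the
 * dma_addr_t cast. PAGE_SHIFT 12 is assumed; the kernel takes it from the
 * architecture. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12

/* Old: shift evaluated in int, so the value wraps at 32 bits and a result
 * with the top bit set is negative. The wrap is modelled in uint32_t (well
 * defined) and then reinterpreted as int32_t, which is what a two's-complement
 * machine produced for the original signed shift. */
static int64_t pool_bytes_old(int pages)
{
	uint32_t wrapped = (uint32_t)pages << PAGE_SHIFT;
	return (int32_t)wrapped;
}

/* New: widen first (dma_addr_t in the patch, uint64_t here), then shift. */
static uint64_t pool_bytes_new(int pages)
{
	return (uint64_t)pages << PAGE_SHIFT;
}

/* The `size > (mem->size << PAGE_SHIFT)` guard. In the old code the int
 * result is converted to the width of `size` with sign extension, so a
 * negative pool length becomes a huge unsigned bound. Returns 1 when the
 * allocation is refused. */
static int old_guard_rejects(int pages, uint64_t size)
{
	return size > (uint64_t)pool_bytes_old(pages);
}

static int new_guard_rejects(int pages, uint64_t size)
{
	return size > pool_bytes_new(pages);
}

/* dma_handle = dma_get_device_base(dev, mem) + (pageno << PAGE_SHIFT).
 * Old: the int offset is sign-extended into the 64-bit handle. */
static uint64_t dma_handle_old(uint64_t device_base, int pageno)
{
	int32_t off = (int32_t)((uint32_t)pageno << PAGE_SHIFT);
	return device_base + (uint64_t)(int64_t)off;
}

static uint64_t dma_handle_new(uint64_t device_base, int pageno)
{
	return device_base + ((uint64_t)pageno << PAGE_SHIFT);
}

int main(void)
{
	/* 4G pool from the DTS node: 0x100000 pages of 4K at bus address 0x500000000. */
	const int four_g = 0x100000;
	const int two_g = 0x80000;
	const uint64_t base = 0x500000000ULL;

	printf("4G pool length: old=%lld new=%llu\n",
	       (long long)pool_bytes_old(four_g),
	       (unsigned long long)pool_bytes_new(four_g));
	printf("4K request against 4G pool refused: old=%d new=%d\n",
	       old_guard_rejects(four_g, 4096), new_guard_rejects(four_g, 4096));
	printf("8G request against 2G pool refused: old=%d new=%d\n",
	       old_guard_rejects(two_g, 0x200000000ULL),
	       new_guard_rejects(two_g, 0x200000000ULL));
	printf("handle for page 0x80000 (2G into the pool): old=%llx new=%llx\n",
	       (unsigned long long)dma_handle_old(base, 0x80000),
	       (unsigned long long)dma_handle_new(base, 0x80000));
	return 0;
}
```

The two guard cases show the two faces of the bug: a 4G pool shifts to exactly 0, so every allocation from it is refused, while a 2G pool shifts to INT_MIN, which sign-extends to a bound so large that an 8G request passes the guard. The handle case is the one that matters for a device: before the fix, page 0x80000 produced a bus address 2G below the pool base, not 2G above it.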




In reply to: [PATCH 5.4 000/118] 5.4.35-rc1 review (Greg Kroah-Hartman, 2020-04-22 09:56 UTC)
