Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8d96544475b236a0f319e492f4828aa8c0801c7f
Commit:     8d96544475b236a0f319e492f4828aa8c0801c7f
Parent:     f16f3026db6fa63cbb0f4a37833562aa999c93e5
Author:     Eric Dumazet <[EMAIL PROTECTED]>
AuthorDate: Sun Jan 13 22:31:44 2008 -0800
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Mon Jan 28 15:02:04 2008 -0800

    [FIB]: full_children & empty_children should be uint, not ushort
    
    If declared as unsigned short, these fields can overflow, and whole
    trie logic is broken. I could not make the machine crash, but some
    tnode can never be freed.
    
    Note for 64 bit arches : By reordering t_key and parent in [node,
    leaf, tnode] structures, we can use 32 bits hole after t_key so that
    sizeof(struct tnode) doesnt change after this patch.
    
    Signed-off-by: Eric Dumazet <[EMAIL PROTECTED]>
    Signed-off-by: Robert Olsson <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 net/ipv4/fib_trie.c |   25 ++++++++++++-------------
 1 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index da6681d..18fb739 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -97,13 +97,13 @@ typedef unsigned int t_key;
 #define IS_LEAF(n) (n->parent & T_LEAF)
 
 struct node {
-       t_key key;
        unsigned long parent;
+       t_key key;
 };
 
 struct leaf {
-       t_key key;
        unsigned long parent;
+       t_key key;
        struct hlist_head list;
        struct rcu_head rcu;
 };
@@ -116,12 +116,12 @@ struct leaf_info {
 };
 
 struct tnode {
-       t_key key;
        unsigned long parent;
+       t_key key;
        unsigned char pos;              /* 2log(KEYLENGTH) bits needed */
        unsigned char bits;             /* 2log(KEYLENGTH) bits needed */
-       unsigned short full_children;   /* KEYLENGTH bits needed */
-       unsigned short empty_children;  /* KEYLENGTH bits needed */
+       unsigned int full_children;     /* KEYLENGTH bits needed */
+       unsigned int empty_children;    /* KEYLENGTH bits needed */
        struct rcu_head rcu;
        struct node *child[0];
 };
@@ -329,12 +329,12 @@ static inline void free_leaf_info(struct leaf_info *leaf)
        call_rcu(&leaf->rcu, __leaf_info_free_rcu);
 }
 
-static struct tnode *tnode_alloc(unsigned int size)
+static struct tnode *tnode_alloc(size_t size)
 {
        struct page *pages;
 
        if (size <= PAGE_SIZE)
-               return kcalloc(size, 1, GFP_KERNEL);
+               return kzalloc(size, GFP_KERNEL);
 
        pages = alloc_pages(GFP_KERNEL|__GFP_ZERO, get_order(size));
        if (!pages)
@@ -346,8 +346,8 @@ static struct tnode *tnode_alloc(unsigned int size)
 static void __tnode_free_rcu(struct rcu_head *head)
 {
        struct tnode *tn = container_of(head, struct tnode, rcu);
-       unsigned int size = sizeof(struct tnode) +
-               (1 << tn->bits) * sizeof(struct node *);
+       size_t size = sizeof(struct tnode) +
+                     (sizeof(struct node *) << tn->bits);
 
        if (size <= PAGE_SIZE)
                kfree(tn);
@@ -386,8 +386,7 @@ static struct leaf_info *leaf_info_new(int plen)
 
 static struct tnode* tnode_new(t_key key, int pos, int bits)
 {
-       int nchildren = 1<<bits;
-       int sz = sizeof(struct tnode) + nchildren * sizeof(struct node *);
+       size_t sz = sizeof(struct tnode) + (sizeof(struct node *) << bits);
        struct tnode *tn = tnode_alloc(sz);
 
        if (tn) {
@@ -399,8 +398,8 @@ static struct tnode* tnode_new(t_key key, int pos, int bits)
                tn->empty_children = 1<<bits;
        }
 
-       pr_debug("AT %p s=%u %u\n", tn, (unsigned int) sizeof(struct tnode),
-                (unsigned int) (sizeof(struct node) * 1<<bits));
+       pr_debug("AT %p s=%u %lu\n", tn, (unsigned int) sizeof(struct tnode),
+                (unsigned long) (sizeof(struct node) << bits));
        return tn;
 }
 
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to