2.6.32-longterm review patch. If anyone has any objections, please let us know.
------------------ From: Linus Torvalds <[email protected]> commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream. As reported by Thomas Pollet, the rdma page counting can overflow. We get the rdma sizes in 64-bit unsigned entities, but then limit it to UINT_MAX bytes and shift them down to pages (so with a possible "+1" for an unaligned address). So each individual page count fits comfortably in an 'unsigned int' (not even close to overflowing into signed), but as they are added up, they might end up resulting in a signed return value. Which would be wrong. Catch the case of tot_pages turning negative, and return the appropriate error code. Reported-by: Thomas Pollet <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> Signed-off-by: Andy Grover <[email protected]> Signed-off-by: David S. Miller <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- net/rds/rdma.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -473,6 +473,14 @@ static struct rds_rdma_op *rds_rdma_prep max_pages = max(nr, max_pages); nr_pages += nr; + + /* + * nr_pages for one entry is limited to (UINT_MAX>>PAGE_SHIFT)+1, + * so tot_pages cannot overflow without first going negative. + */ + if ((int)nr_pages < 0) + ret = -EINVAL; + goto out; } pages = kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL); _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
