linux-sg2042/drivers/infiniband/core
Roland Dreier 8079ffa0e1 IB/umem: Avoid sign problems when demoting npages to integer
On a 64-bit architecture, if ib_umem_get() is called with a size value
that is so big that npages is negative when cast to int, then the
length of the page list passed to get_user_pages(), namely

	min_t(int, npages, PAGE_SIZE / sizeof (struct page *))

will be negative, and get_user_pages() will immediately return 0 (at
least since 900cf086, "Be more robust about bad arguments in
get_user_pages()").  This leads to an infinite loop in ib_umem_get(),
since the code boils down to:

	while (npages) {
		ret = get_user_pages(...);
		npages -= ret;
	}

Fix this by taking the minimum as unsigned longs, so that the value of
npages is never truncated.

The impact of this bug isn't too severe, since the value of npages is
checked against RLIMIT_MEMLOCK, so a process would need to have an
astronomical limit or have CAP_IPC_LOCK to be able to trigger this,
and such a process could already cause lots of mischief.  But it does
let buggy userspace code cause a kernel lock-up; for example I hit
this with code that passes a negative value into a memory registartion
function where it is promoted to a huge u64 value.

Cc: <stable@kernel.org>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
2008-06-06 21:38:37 -07:00
..
Makefile IB/uverbs: Export ib_umem_get()/ib_umem_release() to modules 2007-05-08 18:00:37 -07:00
addr.c trivial endianness annotations: infiniband core 2008-03-30 14:20:24 -07:00
agent.c IB/mad: agent_send_response() should be void 2007-08-03 10:45:17 -07:00
agent.h IB/mad: agent_send_response() should be void 2007-08-03 10:45:17 -07:00
cache.c Detach sched.h from mm.h 2007-05-21 09:18:19 -07:00
cm.c IB/cm: Endianness annotations 2008-04-16 21:01:07 -07:00
cm_msgs.h IB/cm: cm_msgs.h should include ib_cm.h 2007-07-10 21:50:53 -07:00
cma.c RDMA/iwcm: Test rdma_create_id() for IS_ERR rather than 0 2008-04-16 21:09:25 -07:00
core_priv.h [PATCH] IB: move include files to include/rdma 2005-08-26 20:37:38 -07:00
device.c IB: find_first_zero_bit() takes unsigned pointer 2007-10-09 19:59:04 -07:00
fmr_pool.c IB: Use shorter list_splice_init() for brevity 2008-04-16 21:09:26 -07:00
iwcm.c RDMA/iwcm: Don't access a cm_id after dropping reference 2008-03-10 21:22:22 -07:00
iwcm.h RDMA: iWARP Connection Manager. 2006-09-22 15:22:46 -07:00
mad.c IB/mad: Fix kernel crash when .process_mad() returns SUCCESS|CONSUMED 2008-05-23 10:52:59 -07:00
mad_priv.h IB/mad: Report number of times a mad was retried 2008-01-25 14:15:30 -08:00
mad_rmpp.c IB/mad: Report number of times a mad was retried 2008-01-25 14:15:30 -08:00
mad_rmpp.h [IB] Fix MAD layer DMA mappings to avoid touching data buffer once mapped 2005-10-25 10:51:39 -07:00
multicast.c IB/multicast: Report errors on multicast groups if P_key changes 2008-01-25 14:15:29 -08:00
packer.c [PATCH] fix remaining missing includes 2005-11-07 07:53:41 -08:00
sa.h IB: Remove garbage non-ASCII characters from comments 2007-07-09 16:17:32 -07:00
sa_query.c IB/sa: Add new QoS fields to path record 2007-10-09 19:59:12 -07:00
smi.c IB/mad: Enhance SMI for switch support 2007-07-09 16:17:32 -07:00
smi.h IB/mad: Enable loopback of DR SMP responses from userspace 2008-01-25 14:15:25 -08:00
sysfs.c IB: convert struct class_device to struct device 2008-04-19 19:10:30 -07:00
ucm.c IB: convert struct class_device to struct device 2008-04-19 19:10:30 -07:00
ucma.c RDMA/ucma: Endian annotation 2008-04-16 21:01:07 -07:00
ud_header.c [PATCH] fix remaining missing includes 2005-11-07 07:53:41 -08:00
umem.c IB/umem: Avoid sign problems when demoting npages to integer 2008-06-06 21:38:37 -07:00
user_mad.c IB: fix race in device_create 2008-05-20 13:31:55 -07:00
uverbs.h IB: convert struct class_device to struct device 2008-04-19 19:10:30 -07:00
uverbs_cmd.c IB/core: Add support for "send with invalidate" work requests 2008-04-16 21:09:32 -07:00
uverbs_main.c IB: fix race in device_create 2008-05-20 13:31:55 -07:00
uverbs_marshall.c RDMA/cma: Export rdma cm interface to userspace 2006-12-12 11:50:22 -08:00
verbs.c IB/core: Add support for modify CQ 2008-04-16 21:09:33 -07:00