From patchwork Fri Oct 29 01:40:55 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andy Grover
X-Patchwork-Id: 69540
X-Patchwork-Delegate: davem@davemloft.net
Return-Path:
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 67657B70DF
	for ; Fri, 29 Oct 2010 12:42:40 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1759087Ab0J2Bmh (ORCPT ); Thu, 28 Oct 2010 21:42:37 -0400
Received: from rcsinet10.oracle.com ([148.87.113.121]:44289 "EHLO rcsinet10.oracle.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1755651Ab0J2Bmf (ORCPT ); Thu, 28 Oct 2010 21:42:35 -0400
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117])
	by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id o9T1ftfK030894
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 29 Oct 2010 01:41:57 GMT
Received: from acsmt353.oracle.com (acsmt353.oracle.com [141.146.40.153])
	by rcsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o9T0wPRt011204; Fri, 29 Oct 2010 01:41:55 GMT
Received: from abhmt012.oracle.com by acsmt355.oracle.com
	with ESMTP id 732721841288316481; Thu, 28 Oct 2010 18:41:21 -0700
Received: from lute.us.oracle.com (/139.185.48.5) by default (Oracle Beehive Gateway v4.0)
	with ESMTP ; Thu, 28 Oct 2010 18:41:20 -0700
From: Andy Grover
To: netdev@vger.kernel.org
Cc: rds-devel@oss.oracle.com, Linus Torvalds
Subject: [PATCH 1/5] net: fix rds_iovec page count overflow
Date: Thu, 28 Oct 2010 18:40:55 -0700
Message-Id: <1288316459-4679-2-git-send-email-andy.grover@oracle.com>
X-Mailer: git-send-email 1.7.1
In-Reply-To: <1288316459-4679-1-git-send-email-andy.grover@oracle.com>
References: <1288316459-4679-1-git-send-email-andy.grover@oracle.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

From: Linus Torvalds

As reported by Thomas Pollet, the rdma page counting can overflow. We get the rdma sizes in 64-bit unsigned entities, but then limit it to UINT_MAX bytes and shift them down to pages (so with a possible "+1" for an unaligned address).

So each individual page count fits comfortably in an 'unsigned int' (not even close to overflowing into signed), but as they are added up, they might end up resulting in a signed return value. Which would be wrong.

Catch the case of tot_pages turning negative, and return the appropriate error code.

Reported-by: Thomas Pollet
Signed-off-by: Linus Torvalds
Signed-off-by: Andy Grover

--- net/rds/rdma.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/net/rds/rdma.c b/net/rds/rdma.c index 1a41deb..0df02c8 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -502,6 +502,13 @@ static int rds_rdma_pages(struct rds_rdma_args *args) return -EINVAL; tot_pages += nr_pages; + + /* + * nr_pages for one entry is limited to (UINT_MAX>>PAGE_SHIFT)+1, + * so tot_pages cannot overflow without first going negative. + */ + if ((int)tot_pages < 0) + return -EINVAL; } return tot_pages;
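
Review bot: the added `if ((int)tot_pages < 0)` test sits after `tot_pages += nr_pages;`, so it detects the overflow only once the sum has already been formed, and it is sound only while the per-entry bound quoted in the comment, (UINT_MAX>>PAGE_SHIFT)+1, holds. That bound comes from code not shown in this hunk, so a later change to the size limit could let the sum wrap past the sign bit in one step and defeat the guard without any visible change here. Consider rejecting before the addition instead, for example `if (nr_pages > INT_MAX - tot_pages) return -EINVAL;`, which does not depend on the per-entry limit or on how an out-of-range unsigned value converts to `int`. Because the function is declared `static int` and still ends in `return tot_pages;`, the comment would also be clearer if it said that the limit being protected is the signed return type that callers interpret as a page count or an error.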