Commit 674470d9 authored by Joonyoung Shim's avatar Joonyoung Shim Committed by Linus Torvalds

lib/genalloc.c: fix overflow of ending address of memory chunk

In struct gen_pool_chunk, end_addr means the end address of memory chunk
(inclusive), but in the implementation it is treated as address + size of
memory chunk (exclusive), so it points to the address plus one instead of
correct ending address.

The ending address of memory chunk plus one will cause overflow on the
memory chunk including the last address of memory map, e.g.  when starting
address is 0xFFF00000 and size is 0x100000 on 32bit machine, ending
address will be 0x100000000.

Use correct ending address like starting address + size - 1.

[akpm@linux-foundation.org: add comment to struct gen_pool_chunk:end_addr]
Signed-off-by: default avatarJoonyoung Shim <jy0922.shim@samsung.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent eee87e17
...@@ -66,8 +66,8 @@ struct gen_pool_chunk { ...@@ -66,8 +66,8 @@ struct gen_pool_chunk {
struct list_head next_chunk; /* next chunk in pool */ struct list_head next_chunk; /* next chunk in pool */
atomic_t avail; atomic_t avail;
phys_addr_t phys_addr; /* physical starting address of memory chunk */ phys_addr_t phys_addr; /* physical starting address of memory chunk */
unsigned long start_addr; /* starting address of memory chunk */ unsigned long start_addr; /* start address of memory chunk */
unsigned long end_addr; /* ending address of memory chunk */ unsigned long end_addr; /* end address of memory chunk (inclusive) */
unsigned long bits[0]; /* bitmap for allocating memory chunk */ unsigned long bits[0]; /* bitmap for allocating memory chunk */
}; };
......
...@@ -37,6 +37,11 @@ ...@@ -37,6 +37,11 @@
#include <linux/of_address.h> #include <linux/of_address.h>
#include <linux/of_device.h> #include <linux/of_device.h>
static inline size_t chunk_size(const struct gen_pool_chunk *chunk)
{
return chunk->end_addr - chunk->start_addr + 1;
}
static int set_bits_ll(unsigned long *addr, unsigned long mask_to_set) static int set_bits_ll(unsigned long *addr, unsigned long mask_to_set)
{ {
unsigned long val, nval; unsigned long val, nval;
...@@ -188,7 +193,7 @@ int gen_pool_add_virt(struct gen_pool *pool, unsigned long virt, phys_addr_t phy ...@@ -188,7 +193,7 @@ int gen_pool_add_virt(struct gen_pool *pool, unsigned long virt, phys_addr_t phy
chunk->phys_addr = phys; chunk->phys_addr = phys;
chunk->start_addr = virt; chunk->start_addr = virt;
chunk->end_addr = virt + size; chunk->end_addr = virt + size - 1;
atomic_set(&chunk->avail, size); atomic_set(&chunk->avail, size);
spin_lock(&pool->lock); spin_lock(&pool->lock);
...@@ -213,7 +218,7 @@ phys_addr_t gen_pool_virt_to_phys(struct gen_pool *pool, unsigned long addr) ...@@ -213,7 +218,7 @@ phys_addr_t gen_pool_virt_to_phys(struct gen_pool *pool, unsigned long addr)
rcu_read_lock(); rcu_read_lock();
list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) { list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) {
if (addr >= chunk->start_addr && addr < chunk->end_addr) { if (addr >= chunk->start_addr && addr <= chunk->end_addr) {
paddr = chunk->phys_addr + (addr - chunk->start_addr); paddr = chunk->phys_addr + (addr - chunk->start_addr);
break; break;
} }
...@@ -242,7 +247,7 @@ void gen_pool_destroy(struct gen_pool *pool) ...@@ -242,7 +247,7 @@ void gen_pool_destroy(struct gen_pool *pool)
chunk = list_entry(_chunk, struct gen_pool_chunk, next_chunk); chunk = list_entry(_chunk, struct gen_pool_chunk, next_chunk);
list_del(&chunk->next_chunk); list_del(&chunk->next_chunk);
end_bit = (chunk->end_addr - chunk->start_addr) >> order; end_bit = chunk_size(chunk) >> order;
bit = find_next_bit(chunk->bits, end_bit, 0); bit = find_next_bit(chunk->bits, end_bit, 0);
BUG_ON(bit < end_bit); BUG_ON(bit < end_bit);
...@@ -283,7 +288,7 @@ unsigned long gen_pool_alloc(struct gen_pool *pool, size_t size) ...@@ -283,7 +288,7 @@ unsigned long gen_pool_alloc(struct gen_pool *pool, size_t size)
if (size > atomic_read(&chunk->avail)) if (size > atomic_read(&chunk->avail))
continue; continue;
end_bit = (chunk->end_addr - chunk->start_addr) >> order; end_bit = chunk_size(chunk) >> order;
retry: retry:
start_bit = pool->algo(chunk->bits, end_bit, start_bit, nbits, start_bit = pool->algo(chunk->bits, end_bit, start_bit, nbits,
pool->data); pool->data);
...@@ -330,8 +335,8 @@ void gen_pool_free(struct gen_pool *pool, unsigned long addr, size_t size) ...@@ -330,8 +335,8 @@ void gen_pool_free(struct gen_pool *pool, unsigned long addr, size_t size)
nbits = (size + (1UL << order) - 1) >> order; nbits = (size + (1UL << order) - 1) >> order;
rcu_read_lock(); rcu_read_lock();
list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) { list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) {
if (addr >= chunk->start_addr && addr < chunk->end_addr) { if (addr >= chunk->start_addr && addr <= chunk->end_addr) {
BUG_ON(addr + size > chunk->end_addr); BUG_ON(addr + size - 1 > chunk->end_addr);
start_bit = (addr - chunk->start_addr) >> order; start_bit = (addr - chunk->start_addr) >> order;
remain = bitmap_clear_ll(chunk->bits, start_bit, nbits); remain = bitmap_clear_ll(chunk->bits, start_bit, nbits);
BUG_ON(remain); BUG_ON(remain);
...@@ -400,7 +405,7 @@ size_t gen_pool_size(struct gen_pool *pool) ...@@ -400,7 +405,7 @@ size_t gen_pool_size(struct gen_pool *pool)
rcu_read_lock(); rcu_read_lock();
list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk)
size += chunk->end_addr - chunk->start_addr; size += chunk_size(chunk);
rcu_read_unlock(); rcu_read_unlock();
return size; return size;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment