Commit 8d965444 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

[FIB]: full_children & empty_children should be uint, not ushort

If declared as unsigned short, these fields can overflow, and whole
trie logic is broken. I could not make the machine crash, but some
tnode can never be freed.

Note for 64-bit arches: by reordering t_key and parent in the [node,
leaf, tnode] structures, we can use the 32-bit hole after t_key so that
sizeof(struct tnode) doesn't change after this patch.
Signed-off-by: default avatarEric Dumazet <dada1@cosmosbay.com>
Signed-off-by: default avatarRobert Olsson <robert.olsson@its.uu.se>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent f16f3026
...@@ -97,13 +97,13 @@ typedef unsigned int t_key; ...@@ -97,13 +97,13 @@ typedef unsigned int t_key;
#define IS_LEAF(n) (n->parent & T_LEAF) #define IS_LEAF(n) (n->parent & T_LEAF)
struct node { struct node {
t_key key;
unsigned long parent; unsigned long parent;
t_key key;
}; };
struct leaf { struct leaf {
t_key key;
unsigned long parent; unsigned long parent;
t_key key;
struct hlist_head list; struct hlist_head list;
struct rcu_head rcu; struct rcu_head rcu;
}; };
...@@ -116,12 +116,12 @@ struct leaf_info { ...@@ -116,12 +116,12 @@ struct leaf_info {
}; };
struct tnode { struct tnode {
t_key key;
unsigned long parent; unsigned long parent;
t_key key;
unsigned char pos; /* 2log(KEYLENGTH) bits needed */ unsigned char pos; /* 2log(KEYLENGTH) bits needed */
unsigned char bits; /* 2log(KEYLENGTH) bits needed */ unsigned char bits; /* 2log(KEYLENGTH) bits needed */
unsigned short full_children; /* KEYLENGTH bits needed */ unsigned int full_children; /* KEYLENGTH bits needed */
unsigned short empty_children; /* KEYLENGTH bits needed */ unsigned int empty_children; /* KEYLENGTH bits needed */
struct rcu_head rcu; struct rcu_head rcu;
struct node *child[0]; struct node *child[0];
}; };
...@@ -329,12 +329,12 @@ static inline void free_leaf_info(struct leaf_info *leaf) ...@@ -329,12 +329,12 @@ static inline void free_leaf_info(struct leaf_info *leaf)
call_rcu(&leaf->rcu, __leaf_info_free_rcu); call_rcu(&leaf->rcu, __leaf_info_free_rcu);
} }
static struct tnode *tnode_alloc(unsigned int size) static struct tnode *tnode_alloc(size_t size)
{ {
struct page *pages; struct page *pages;
if (size <= PAGE_SIZE) if (size <= PAGE_SIZE)
return kcalloc(size, 1, GFP_KERNEL); return kzalloc(size, GFP_KERNEL);
pages = alloc_pages(GFP_KERNEL|__GFP_ZERO, get_order(size)); pages = alloc_pages(GFP_KERNEL|__GFP_ZERO, get_order(size));
if (!pages) if (!pages)
...@@ -346,8 +346,8 @@ static struct tnode *tnode_alloc(unsigned int size) ...@@ -346,8 +346,8 @@ static struct tnode *tnode_alloc(unsigned int size)
static void __tnode_free_rcu(struct rcu_head *head) static void __tnode_free_rcu(struct rcu_head *head)
{ {
struct tnode *tn = container_of(head, struct tnode, rcu); struct tnode *tn = container_of(head, struct tnode, rcu);
unsigned int size = sizeof(struct tnode) + size_t size = sizeof(struct tnode) +
(1 << tn->bits) * sizeof(struct node *); (sizeof(struct node *) << tn->bits);
if (size <= PAGE_SIZE) if (size <= PAGE_SIZE)
kfree(tn); kfree(tn);
...@@ -386,8 +386,7 @@ static struct leaf_info *leaf_info_new(int plen) ...@@ -386,8 +386,7 @@ static struct leaf_info *leaf_info_new(int plen)
static struct tnode* tnode_new(t_key key, int pos, int bits) static struct tnode* tnode_new(t_key key, int pos, int bits)
{ {
int nchildren = 1<<bits; size_t sz = sizeof(struct tnode) + (sizeof(struct node *) << bits);
int sz = sizeof(struct tnode) + nchildren * sizeof(struct node *);
struct tnode *tn = tnode_alloc(sz); struct tnode *tn = tnode_alloc(sz);
if (tn) { if (tn) {
...@@ -399,8 +398,8 @@ static struct tnode* tnode_new(t_key key, int pos, int bits) ...@@ -399,8 +398,8 @@ static struct tnode* tnode_new(t_key key, int pos, int bits)
tn->empty_children = 1<<bits; tn->empty_children = 1<<bits;
} }
pr_debug("AT %p s=%u %u\n", tn, (unsigned int) sizeof(struct tnode), pr_debug("AT %p s=%u %lu\n", tn, (unsigned int) sizeof(struct tnode),
(unsigned int) (sizeof(struct node) * 1<<bits)); (unsigned long) (sizeof(struct node) << bits));
return tn; return tn;
} }
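Review bot: The rewritten pr_debug at the end of tnode_new reports `(unsigned long) (sizeof(struct node) << bits)`, but the allocation a few lines earlier sizes the child array as `sizeof(struct node *) << bits`, so the logged value is the size of an array of nodes rather than of child pointers and does not match what tnode_alloc was asked for. Since the commit already rewrites this line for the cast and format, it is the moment to make the two agree: `(unsigned long) (sizeof(struct node *) << bits)`, or simply print `sz` with `%zu` so the message cannot drift from the allocation again. A smaller point: with empty_children now unsigned int, the context line `tn->empty_children = 1<<bits;` still shifts a signed int, which overflows for bits == 31; `1U << bits` keeps the expression in the field's type. The signature and allocation of tnode_new sit in the preceding hunk, not this one.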
......