Re: [PATCH] dma: fix up broken comparison indma_alloc_from_coherent

From: Andrew Morton
Date: Tue Jan 27 2009 - 16:49:22 EST

Next message: Eric W. Biederman: "[PATCH 2/2] seq_file: Properly cope with pread"
Previous message: Eric W. Biederman: "[PATCH 1/2] seq_file: Move traverse so it can be used from seq_read"
Next in thread: Paul Mundt: "Re: [PATCH] dma: fix up broken comparison in dma_alloc_from_coherent"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 21 Jan 2009 17:11:19 +0900
Paul Mundt <lethal@xxxxxxxxxxxx> wrote:

> @@ -118,31 +118,32 @@ int dma_alloc_from_coherent(struct device *dev, ssize_t size,
> mem = dev->dma_mem;
> if (!mem)
> return 0;
> - if (unlikely(size > mem->size))
> - return 0;
> +
> + *ret = NULL;
> +
> + if (unlikely(size > (mem->size << PAGE_SHIFT)))
> + goto err;

Looks a bit broken on 64-bit.

`size' is ssize_t (long).

`mem->size' is `int'.

The left shift can overflow and cause badnesses.

> + *dma_handle = mem->device_base + (pageno << PAGE_SHIFT);
> + *ret = mem->virt_base + (pageno << PAGE_SHIFT);

Ditto.

Maybe it's a can't-happen (why?), but...
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric W. Biederman: "[PATCH 2/2] seq_file: Properly cope with pread"
Previous message: Eric W. Biederman: "[PATCH 1/2] seq_file: Move traverse so it can be used from seq_read"
Next in thread: Paul Mundt: "Re: [PATCH] dma: fix up broken comparison in dma_alloc_from_coherent"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]