[PATCH 5.5 028/399] PCI: Fix pci_add_dma_alias() bitmask size

From: Greg Kroah-Hartman
Date: Fri Feb 21 2020 - 02:44:38 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.5 003/399] net/smc: fix leak of kernel memory to user space"
Previous message: Greg Kroah-Hartman: "[PATCH 5.5 026/399] brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev()"
In reply to: Greg Kroah-Hartman: "[PATCH 5.5 026/399] brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev()"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.5 003/399] net/smc: fix leak of kernel memory to user space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: James Sewart <jamessewart@xxxxxxxxxx>

[ Upstream commit f8bf2aeb651b3460a4b36fd7ba1ba1d31777d35c ]

The number of possible devfns is 256, but pci_add_dma_alias() allocated a
bitmap of size 255. Fix this off-by-one error.

This fixes commits 338c3149a221 ("PCI: Add support for multiple DMA
aliases") and c6635792737b ("PCI: Allocate dma_alias_mask with
bitmap_zalloc()"), but I doubt it was possible to see a problem because
it takes 4 64-bit longs (or 8 32-bit longs) to hold 255 bits, and
bitmap_zalloc() doesn't save the 255-bit size anywhere.

[bhelgaas: commit log, move #define to drivers/pci/pci.h, include loop
limit fix from Qian Cai:
https://lore.kernel.org/r/20191218170004.5297-1-cai@xxxxxx]
Signed-off-by: James Sewart <jamessewart@xxxxxxxxxx>
Signed-off-by: Bjorn Helgaas <bhelgaas@xxxxxxxxxx>
Reviewed-by: Logan Gunthorpe <logang@xxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/pci/pci.c | 2 +-
drivers/pci/pci.h | 3 +++
drivers/pci/search.c | 4 ++--
3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index e87196cc1a7fb..7b5fa2eabe095 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -6017,7 +6017,7 @@ EXPORT_SYMBOL_GPL(pci_pr3_present);
void pci_add_dma_alias(struct pci_dev *dev, u8 devfn)
{
if (!dev->dma_alias_mask)
- dev->dma_alias_mask = bitmap_zalloc(U8_MAX, GFP_KERNEL);
+ dev->dma_alias_mask = bitmap_zalloc(MAX_NR_DEVFNS, GFP_KERNEL);
if (!dev->dma_alias_mask) {
pci_warn(dev, "Unable to allocate DMA alias mask\n");
return;
diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
index a0a53bd05a0b8..6394e7746fb54 100644
--- a/drivers/pci/pci.h
+++ b/drivers/pci/pci.h
@@ -4,6 +4,9 @@

#include <linux/pci.h>

+/* Number of possible devfns: 0.0 to 1f.7 inclusive */
+#define MAX_NR_DEVFNS 256
+
#define PCI_FIND_CAP_TTL 48

#define PCI_VSEC_ID_INTEL_TBT 0x1234 /* Thunderbolt */
diff --git a/drivers/pci/search.c b/drivers/pci/search.c
index bade14002fd8a..e4dbdef5aef05 100644
--- a/drivers/pci/search.c
+++ b/drivers/pci/search.c
@@ -41,9 +41,9 @@ int pci_for_each_dma_alias(struct pci_dev *pdev,
* DMA, iterate over that too.
*/
if (unlikely(pdev->dma_alias_mask)) {
- u8 devfn;
+ unsigned int devfn;

- for_each_set_bit(devfn, pdev->dma_alias_mask, U8_MAX) {
+ for_each_set_bit(devfn, pdev->dma_alias_mask, MAX_NR_DEVFNS) {
ret = fn(pdev, PCI_DEVID(pdev->bus->number, devfn),
data);
if (ret)
--
2.20.1

Next message: Greg Kroah-Hartman: "[PATCH 5.5 003/399] net/smc: fix leak of kernel memory to user space"
Previous message: Greg Kroah-Hartman: "[PATCH 5.5 026/399] brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev()"
In reply to: Greg Kroah-Hartman: "[PATCH 5.5 026/399] brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev()"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.5 003/399] net/smc: fix leak of kernel memory to user space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]