[PATCH] ALSA: core: fix unsigned int pages overflow when compared

From: He, Bo
Date: Wed Jul 18 2018 - 07:53:00 EST


We see the kernel panic below during a stress suspend/resume test in
snd_malloc_sgbuf_pages(): the chunk allocated by
snd_dma_alloc_pages_fallback() may be larger than the remaining pages
due to page alignment, which will cause pages to overflow.

	while (pages > 0) {
		...
		pages -= chunk;
	}

The patch changes pages from unsigned int to int to fix the issue.

BUG: unable to handle kernel paging request at ffff88000deb4000
IP: [<ffffffff81404fa9>] memset_erms+0x9/0x10
Call Trace:
[<ffffffff818f222f>] snd_dma_alloc_pages+0xff/0x210
[<ffffffff818f23af>] snd_dma_alloc_pages_fallback+0x6f/0x90
[<ffffffff818f2b85>] snd_malloc_sgbuf_pages+0x145/0x370
[<ffffffff818f229e>] snd_dma_alloc_pages+0x16e/0x210
[<ffffffffc011930d>] hdac_ext_dma_alloc_pages+0x1d/0x40 [snd_hda_ext_core]
[<ffffffffc010729a>] snd_hdac_dsp_prepare+0xca/0x1c0 [snd_hda_core]
[<ffffffffc01880f9>] skl_dsp_prepare+0x99/0xf0 [snd_soc_skl]
[<ffffffffc0162a7e>] bxt_load_base_firmware+0x9e/0x5c0 [snd_soc_skl_ipc]
[<ffffffffc01630ec>] bxt_set_dsp_D0+0x14c/0x300 [snd_soc_skl_ipc]
[<ffffffffc015f9c3>] skl_dsp_get_core+0x43/0xd0 [snd_soc_skl_ipc]
[<ffffffffc015fa60>] skl_dsp_wake+0x10/0x20 [snd_soc_skl_ipc]
[<ffffffffc0188e3e>] skl_resume_dsp+0x7e/0x140 [snd_soc_skl]
[<ffffffffc0183c4a>] skl_resume+0xda/0x170 [snd_soc_skl]
[<ffffffff81452726>] pci_pm_resume+0x76/0xe0
[<ffffffff816616da>] dpm_run_callback+0x5a/0x180
[<ffffffff81661e3c>] device_resume+0xdc/0x2c0
[<ffffffff81663818>] dpm_resume+0x118/0x310
[<ffffffff81663e11>] dpm_resume_end+0x11/0x20
[<ffffffff810f8bcc>] suspend_devices_and_enter+0x11c/0x2b0
[<ffffffff810f90bd>] pm_suspend+0x35d/0x3d0
[<ffffffff810f78a6>] state_store+0x66/0x90
[<ffffffff813f80e2>] kobj_attr_store+0x12/0x20
[<ffffffff812a37bc>] sysfs_kf_write+0x3c/0x50
[<ffffffff812a2cbd>] kernfs_fop_write+0x11d/0x1a0
[<ffffffff8121dfaa>] __vfs_write+0x3a/0x150
[<ffffffff8121f2b1>] vfs_write+0xb1/0x1a0
[<ffffffff81220898>] SyS_write+0x58/0xc0
[<ffffffff81001fca>] do_syscall_64+0x6a/0xe0
[<ffffffff81b06560>] entry_SYSCALL_64_after_swapgs+0x5d/0xd7

Signed-off-by: he, bo <bo.he@xxxxxxxxx>
Signed-off-by: zhang jun <jun.zhang@xxxxxxxxx>
---
sound/core/sgbuf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/core/sgbuf.c b/sound/core/sgbuf.c
index 84fffab..33449ee 100644
--- a/sound/core/sgbuf.c
+++ b/sound/core/sgbuf.c
@@ -68,7 +68,8 @@ void *snd_malloc_sgbuf_pages(struct device *device,
size_t *res_size)
{
struct snd_sg_buf *sgbuf;
- unsigned int i, pages, chunk, maxpages;
+ unsigned int i, chunk, maxpages;
+ int pages;
struct snd_dma_buffer tmpb;
struct snd_sg_page *table;
struct page **pgtable;
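Review bot: at the declarations of snd_malloc_sgbuf_pages(), pages becomes int while chunk and maxpages stay unsigned int, so the type change stops the loop after the underflow instead of preventing it. With the loop quoted in the commit message, "pages -= chunk" still subtracts a chunk that can exceed what remains; pages then goes negative and "while (pages > 0)" exits, but any expression that mixes pages with chunk or maxpages converts pages back to unsigned, where a negative value becomes a very large one. Consider keeping pages unsigned and never subtracting more than the remaining pages (clamp chunk before the subtraction), or at minimum add a comment at "int pages;" saying that it must be signed because the allocated chunk can be larger than the remainder.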
--
2.7.4
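
The loop behaviour described in the commit message, reproduced as an added user-space example (not code from the patch or the kernel). alloc_chunk(), fill_unsigned(), fill_signed() and MAX_ITER are hypothetical names, and the allocator is assumed to round a request up to a power-of-two number of pages.

```c
#include <stdio.h>

#define MAX_ITER 8 /* demo-only cap so the wrapped loop stops */

/* Assumed allocator model: the request is capped at maxpages, then rounded
 * up to a power-of-two page count, so the result can exceed `remaining`. */
static unsigned int alloc_chunk(unsigned int remaining, unsigned int maxpages)
{
    unsigned int want = remaining > maxpages ? maxpages : remaining, got = 1;
    while (got < want)
        got <<= 1;
    return got;
}

/* Pre-patch shape: unsigned counter. Returns the total pages recorded.
 * With clamp != 0 the counter stays unsigned but never goes below zero. */
unsigned long fill_unsigned(unsigned int pages, unsigned int maxpages, int clamp)
{
    unsigned long total = 0;
    for (int i = 0; pages > 0 && i < MAX_ITER; i++) {
        unsigned int chunk = alloc_chunk(pages, maxpages);
        if (clamp && chunk > pages)
            chunk = pages;
        total += chunk;
        pages -= chunk; /* unclamped: 3 - 4 wraps to UINT_MAX, loop continues */
    }
    return total;
}

/* Patched shape: the signed counter goes negative and the loop exits. */
unsigned long fill_signed(int pages, unsigned int maxpages)
{
    unsigned long total = 0;
    for (int i = 0; pages > 0 && i < MAX_ITER; i++) {
        unsigned int chunk = alloc_chunk((unsigned int)pages, maxpages);
        total += chunk;
        pages -= (int)chunk;
    }
    return total;
}

int main(void)
{
    /* Constructed input: 3 pages requested, at most 32 pages per chunk. */
    printf("unsigned: %lu pages\n", fill_unsigned(3, 32, 0));
    printf("signed:   %lu pages\n", fill_signed(3, 32));
    printf("clamped:  %lu pages\n", fill_unsigned(3, 32, 1));
    return 0;
}
```

Without the MAX_ITER cap the unsigned variant would keep recording chunks for roughly four billion pages after the wrap, far past the table sized for the original request.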