Re: [PATCH][next] mm: selftests: fix potential integer overflow on shift of a int

From: Jason Gunthorpe
Date: Wed May 26 2021 - 12:49:43 EST


On Wed, May 26, 2021 at 04:09:47PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
> The left shift of the int mapped is evaluated using 32 bit arithmetic
> and then assigned to an unsigned long. In the case where mapped is
> 0x80000 when PAGE_SHIFT is 12 will lead to the upper bits being
> sign extended in the unsigned long. Larger values can lead to an
> int overflow. Avoid this by casting mapped to unsigned long before
> shifting.
>
> Addresses-Coverity: ("Uninitentional integer overflow")
> Fixes: 8b2a105c3794 ("mm: selftests for exclusive device memory")
> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> lib/test_hmm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/test_hmm.c b/lib/test_hmm.c
> index 74d69f87691e..b54657701b3a 100644
> +++ b/lib/test_hmm.c
> @@ -749,7 +749,7 @@ static int dmirror_exclusive(struct dmirror *dmirror,
> }
> }
>
> - if (addr + (mapped << PAGE_SHIFT) < next) {
> + if (addr + ((unsigned int)mapped << PAGE_SHIFT) < next) {

Just fix the type for mapped. It started out as an unsigned long in
dmirror_atomic_map() and wrongly became an int here

Jason