linux/drivers
Roland Dreier 8079ffa0e1 IB/umem: Avoid sign problems when demoting npages to integer
On a 64-bit architecture, if ib_umem_get() is called with a size value
that is so big that npages is negative when cast to int, then the
length of the page list passed to get_user_pages(), namely

	min_t(int, npages, PAGE_SIZE / sizeof (struct page *))

will be negative, and get_user_pages() will immediately return 0 (at
least since 900cf086, "Be more robust about bad arguments in
get_user_pages()").  This leads to an infinite loop in ib_umem_get(),
since the code boils down to:

	while (npages) {
		ret = get_user_pages(...);
		npages -= ret;
	}

Fix this by taking the minimum as unsigned longs, so that the value of
npages is never truncated.

The impact of this bug isn't too severe, since the value of npages is
checked against RLIMIT_MEMLOCK, so a process would need to have an
astronomical limit or have CAP_IPC_LOCK to be able to trigger this,
and such a process could already cause lots of mischief.  But it does
let buggy userspace code cause a kernel lock-up; for example I hit
this with code that passes a negative value into a memory registration
function where it is promoted to a huge u64 value.

Cc: <stable@kernel.org>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
2008-06-06 21:38:37 -07:00
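A user-space model of the truncation the commit message describes, added here as an illustration; it is not kernel code and not part of the original page. PAGE_SIZE, min_t, the opaque struct page, fake_get_user_pages() (which only mirrors the "nonpositive count returns 0" behaviour the message attributes to 900cf086) and the loop wrapper pin_loop() are all assumptions built from the two snippets quoted above, and the 512-entry page list assumes 8-byte pointers. The "before" chunk function takes the minimum as int, the "after" one as unsigned long; with npages = 2^31 the first yields a negative count and the loop stalls, the second walks the range in 512-page steps.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not kernel code: a user-space model of the truncation the
 * commit describes. PAGE_SIZE and min_t are re-declared here so it builds
 * outside the kernel; fake_get_user_pages() stands in for get_user_pages(). */
#define PAGE_SIZE 4096UL
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

struct page;                       /* opaque; only sizeof(struct page *) is used */
#define PAGE_LIST_LEN (PAGE_SIZE / sizeof(struct page *))   /* 512 with 8-byte pointers */

/* Models get_user_pages() after 900cf086: a nonpositive count returns 0
 * immediately; otherwise every requested page is "pinned" (assumption). */
static long fake_get_user_pages(long nr_pages)
{
    return nr_pages <= 0 ? 0 : nr_pages;
}

/* Before the fix: the min is taken as int, so npages >= 2^31 has its sign
 * bit set after the (implementation-defined, wrapping on gcc) conversion. */
static long chunk_before(unsigned long npages)
{
    return min_t(int, npages, PAGE_LIST_LEN);
}

/* After the fix: the min is taken as unsigned long and is never truncated. */
static long chunk_after(unsigned long npages)
{
    return (long)min_t(unsigned long, npages, PAGE_LIST_LEN);
}

/* The ib_umem_get()-style loop with a stall detector: returns the number of
 * get_user_pages() calls needed, or -1 where the real loop would spin. */
static long pin_loop(unsigned long npages, long (*chunk)(unsigned long))
{
    long calls = 0;
    while (npages) {
        long ret = fake_get_user_pages(chunk(npages));
        if (ret <= 0)
            return -1;          /* npages never changes: infinite loop */
        npages -= (unsigned long)ret;
        calls++;
    }
    return calls;
}

int main(void)
{
    unsigned long huge = 0x80000000UL;   /* 2^31 pages: sign bit set as int */

    printf("npages=%lu before: chunk=%ld loop=%ld\n", huge,
           chunk_before(huge), pin_loop(huge, chunk_before));
    printf("npages=%lu after:  chunk=%ld loop=%ld\n", huge,
           chunk_after(huge), pin_loop(huge, chunk_after));
    return 0;
}
```

For small ranges both variants behave identically, which is why the bug is only reachable by a caller that can get past the RLIMIT_MEMLOCK check with a pin count of 2^31 pages or more.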
accessibility
acorn/char
acpi acpi: fix integer as NULL pointer warning 2008-05-23 08:11:06 -07:00
amba
ata libata: fix G5 SATA broken on -rc5 2008-06-05 08:36:37 -07:00
atm drivers/atm/: remove CVS keywords 2008-05-20 14:52:25 -07:00
auxdisplay
base driver-core: prepare for 2.6.27 api change by adding dev_set_name 2008-05-29 21:10:01 -07:00
block Add 'rd' alias to new brd ramdisk driver 2008-06-05 14:23:12 -07:00
bluetooth
cdrom [POWERPC] iSeries: Remove unused mail address 2008-05-23 16:45:04 +10:00
char ipwireless: Fix blocked sending 2008-06-06 11:31:02 -07:00
clocksource
connector
cpufreq cpufreq: fix null object access on Transmeta CPU 2008-06-06 11:29:11 -07:00
cpuidle
crypto
dca
dio
dma iop-adma: fixup some kzalloc/memset confusions 2008-05-20 13:51:20 -07:00
edac edac: mpc85xx: fix building as a module 2008-05-24 09:56:13 -07:00
eisa
firewire firewire: prevent userspace from accessing shut down devices 2008-05-20 18:24:17 +02:00
firmware edd: fix incorrect return of 1 from module_init 2008-06-06 11:29:09 -07:00
gpio gpiolib: fix off by one errors 2008-05-24 09:56:11 -07:00
hid HID: remove CVS keywords 2008-05-20 16:44:43 +02:00
hwmon hdaps: fix module loading on Thinkpad T61P 2008-06-06 11:29:13 -07:00
i2c i2c/max6875: Really prevent 24RF08 corruption 2008-05-18 20:49:41 +02:00
ide ide: fix race in device_create 2008-05-20 13:31:54 -07:00
ieee1394 ieee1394: sbp2: use correct size of command descriptor block 2008-05-20 18:24:17 +02:00
infiniband IB/umem: Avoid sign problems when demoting npages to integer 2008-06-06 21:38:37 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2008-05-30 10:17:19 -07:00
isdn isdn: fix integer as NULL pointer warning 2008-05-23 08:11:06 -07:00
leds LEDS: fix race in device_create 2008-05-20 13:31:55 -07:00
lguest virtio: set device index in common code. 2008-05-30 15:09:42 +10:00
macintosh [POWERPC] macintosh: Replace deprecated __initcall with device_initcall 2008-05-15 20:50:00 +10:00
mca
md md: do not compute parity unless it is on a failed drive 2008-06-06 11:29:08 -07:00
media V4L/DVB (8001): dib0070: fix dib0070_attach when !CONFIG_DVB_TUNER_DIB0070 2008-06-05 10:26:21 -03:00
memstick
message [SCSI] fusion mpt: fix target missing after resetting external raid 2008-05-27 10:58:09 -05:00
mfd HTC_EGPIO is ARM-only 2008-05-21 16:56:00 -07:00
misc fujitsu-laptop: autoload module on Lifebook P1510D 2008-06-06 11:29:09 -07:00
mmc mmc: Fix crash in mmc_block on 64-bit 2008-06-05 16:14:17 -07:00
mtd Merge git://git.infradead.org/~dwmw2/mtd-2.6.26 2008-06-06 11:31:18 -07:00
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-06-04 17:39:33 -07:00
nubus
of rtc-ds1374: rename device to just "ds1374" 2008-06-06 11:29:10 -07:00
oprofile oprofile: don't request cache line alignment for cpu_buffer 2008-05-14 19:11:12 -07:00
parisc drivers/parisc: replace remaining __FUNCTION__ occurrences 2008-05-15 10:38:54 -04:00
parport
pci PCI: fix rpadlpar pci hotplug driver sysfs usage 2008-05-30 09:50:46 -07:00
pcmcia electra_cf: Add MODULE_DEVICE_TABLE() 2008-05-27 16:07:45 -05:00
pnp PNP: skip UNSET MEM resources as well as DISABLED ones 2008-06-05 10:30:37 -07:00
power Power Supply: fix race in device_create 2008-05-20 13:31:55 -07:00
ps3
rapidio
rtc rtc: class driver for ppc_md RTC functions 2008-06-06 11:29:13 -07:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus 2008-05-30 10:20:03 -07:00
sbus sbus bpp: instances missed in s/dev_name/bpp_dev_name/ 2008-05-21 16:55:59 -07:00
scsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6 2008-06-04 08:36:09 -07:00
serial atmel_serial: filter out FP during baud rate detection 2008-06-06 11:29:12 -07:00
sh
sn
spi spi: fix refcount-related spidev oops-on-rmmod 2008-06-06 11:29:08 -07:00
ssb ssb: Fix context assertion in ssb_pcicore_dev_irqvecs_enable 2008-06-04 15:57:10 -04:00
tc
telephony
thermal
uio UIO: fix race in device_create 2008-05-20 13:31:55 -07:00
usb isp1760-if iomem annotations 2008-06-04 08:06:01 -07:00
video fbdev: export symbol fb_mode_option 2008-06-06 11:29:12 -07:00
virtio virtio: force callback on empty. 2008-05-30 15:09:46 +10:00
w1
watchdog drivers/watchdog/geodewdt.c: build fix 2008-05-30 10:16:58 -07:00
xen
zorro
Kconfig
Makefile