On 10/30/18 8:26 AM, Keith Busch wrote:
> On Mon, Oct 29, 2018 at 10:37:35AM -0600, Jens Axboe wrote:
>> diff --git a/kernel/irq/affinity.c b/kernel/irq/affinity.c
>> index f4f29b9d90ee..2046a0f0f0f1 100644
>> --- a/kernel/irq/affinity.c
>> +++ b/kernel/irq/affinity.c
>> @@ -180,6 +180,7 @@ irq_create_affinity_masks(int nvecs, const struct irq_affinity *affd)
>> int curvec, usedvecs;
>> cpumask_var_t nmsk, npresmsk, *node_to_cpumask;
>> struct cpumask *masks = NULL;
>> + int i, nr_sets;
>>
>> /*
>> * If there aren't any vectors left after applying the pre/post
>> @@ -210,10 +211,23 @@ irq_create_affinity_masks(int nvecs, const struct irq_affinity *affd)
>> get_online_cpus();
>> build_node_to_cpumask(node_to_cpumask);
>>
>> - /* Spread on present CPUs starting from affd->pre_vectors */
>> - usedvecs = irq_build_affinity_masks(affd, curvec, affvecs,
>> - node_to_cpumask, cpu_present_mask,
>> - nmsk, masks);
>> + /*
>> + * Spread on present CPUs starting from affd->pre_vectors. If we
>> + * have multiple sets, build each sets affinity mask separately.
>> + */
>> + nr_sets = affd->nr_sets;
>> + if (!nr_sets)
>> + nr_sets = 1;
>> +
>> + for (i = 0, usedvecs = 0; i < nr_sets; i++) {
>> + int this_vecs = affd->sets ? affd->sets[i] : affvecs;
>> + int nr;
>> +
>> + nr = irq_build_affinity_masks(affd, curvec, this_vecs,
>> + node_to_cpumask, cpu_present_mask,
>> + nmsk, masks + usedvecs);
>> + usedvecs += nr;
>> + }
>
>
> While the code below returns the appropriate number of possible vectors
> when a set requested too many, the above code is still using the value
> from the set, which may exceed 'nvecs' used to kcalloc 'masks', so
> 'masks + usedvecs' may go out of bounds.
How so? nvecs must the max number of vecs, the sum of the sets can't
exceed that value.
--
Jens Axboe
