[bug report] habanalabs: add virtual memory and MMU modules

Hello Omer Shpigelman,

The patch 0feaf86d4e69: "habanalabs: add virtual memory and MMU
modules" from Feb 16, 2019, leads to the following static checker
warning:

	drivers/misc/habanalabs/memory.c:96 alloc_device_memory()
	warn: integer overflows '(args->alloc.mem_size + (page_size - 1)) >> page_shift'

drivers/misc/habanalabs/memory.c
    53 static int alloc_device_memory(struct hl_ctx *ctx, struct hl_mem_in *args,
    54 				u32 *ret_handle)
    55 {
    56 	struct hl_device *hdev = ctx->hdev;
    57 	struct hl_vm *vm = &hdev->vm;
    58 	struct hl_vm_phys_pg_pack *phys_pg_pack;
    59 	u64 paddr = 0;
    60 	u32 total_size, num_pgs, num_curr_pgs, page_size, page_shift;
    61 	int handle, rc, i;
    62 	bool contiguous;
    63 
    64 	num_curr_pgs = 0;
    65 	page_size = hdev->asic_prop.dram_page_size;
    66 	page_shift = __ffs(page_size);
    67 	num_pgs = (args->alloc.mem_size + (page_size - 1)) >> page_shift;
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This addition can have an integer overflow.  mem_size is a u64 that
comes from the user in the IOCTL.  Also num_pgs is a u32 so it can't
hold mem_size / 4096.

    68 	total_size = num_pgs << page_shift;
                     ^^^^^^^^^^^^^^^^^^^^^
So can this shift.  total_size is u32.

    69 
    70 	contiguous = args->flags & HL_MEM_CONTIGUOUS;
    71 
    72 	if (contiguous) {
    73 		paddr = (u64) gen_pool_alloc(vm->dram_pg_pool, total_size);
    74 		if (!paddr) {
    75 			dev_err(hdev->dev,
    76 				"failed to allocate %u huge contiguous pages\n",
    77 				num_pgs);
    78 			return -ENOMEM;
    79 		}
    80 	}
    81 
    82 	phys_pg_pack = kzalloc(sizeof(*phys_pg_pack), GFP_KERNEL);
    83 	if (!phys_pg_pack) {
    84 		rc = -ENOMEM;
    85 		goto pages_pack_err;
    86 	}
    87 
    88 	phys_pg_pack->vm_type = VM_TYPE_PHYS_PACK;
    89 	phys_pg_pack->asid = ctx->asid;
    90 	phys_pg_pack->npages = num_pgs;
    91 	phys_pg_pack->page_size = page_size;
    92 	phys_pg_pack->total_size = total_size;
    93 	phys_pg_pack->flags = args->flags;
    94 	phys_pg_pack->contiguous = contiguous;
    95 
--> 96 	phys_pg_pack->pages = kcalloc(num_pgs, sizeof(u64), GFP_KERNEL);
                                      ^^^^^^^
We allocate less memory than intended.

    97 	if (!phys_pg_pack->pages) {
    98 		rc = -ENOMEM;
    99 		goto pages_arr_err;
    100 	}
    101 
    102 	if (phys_pg_pack->contiguous) {
    103 		for (i = 0 ; i < num_pgs ; i++)
    104 			phys_pg_pack->pages[i] = paddr + i * page_size;
    105 	} else {


regards,
dan carpenter
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
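The truncation described in the report above, as an added example that is not part of the original email or the habanalabs driver. It reproduces the arithmetic of lines 67-68 in user space next to a checked variant; the function names, the `_EX` macros and the request sizes are hypothetical, and the 4096-byte page follows the email's "mem_size / 4096".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample values: 4096-byte page as in the email's "mem_size / 4096". */
#define PAGE_SIZE_EX  4096u
#define PAGE_SHIFT_EX 12u

/* Same arithmetic as memory.c line 67: 64-bit sum, result stored in a u32. */
static uint32_t num_pgs_unchecked(uint64_t mem_size)
{
	return (uint32_t)((mem_size + (PAGE_SIZE_EX - 1)) >> PAGE_SHIFT_EX);
}

/* Same arithmetic as line 68: the shift is done in 32 bits and can wrap. */
static uint32_t total_size_unchecked(uint32_t num_pgs)
{
	return num_pgs << PAGE_SHIFT_EX;
}

/* Hypothetical checked variant: refuse sizes that do not fit the u32 fields. */
static bool calc_pages_checked(uint64_t mem_size, uint32_t *num_pgs,
			       uint32_t *total_size)
{
	uint64_t pages;

	if (mem_size > UINT64_MAX - (PAGE_SIZE_EX - 1))
		return false;		/* the round-up addition would wrap */
	pages = (mem_size + (PAGE_SIZE_EX - 1)) >> PAGE_SHIFT_EX;
	if (pages > (UINT32_MAX >> PAGE_SHIFT_EX))
		return false;		/* pages << shift would not fit in u32 */
	*num_pgs = (uint32_t)pages;
	*total_size = (uint32_t)(pages << PAGE_SHIFT_EX);
	return true;
}

int main(void)
{
	uint64_t req = (1ULL << 44) + PAGE_SIZE_EX;	/* constructed request */
	uint32_t n = 0, t = 0;

	printf("unchecked: num_pgs=%u\n", num_pgs_unchecked(req));
	printf("unchecked: total_size for 2^20 pages=%u\n",
	       total_size_unchecked(1u << 20));
	printf("checked accepts request: %d\n", calc_pages_checked(req, &n, &t));
	return 0;
}
```

With these sample values a request of 16 TiB plus one page yields a page count of 1, which is the undersized `kcalloc()` the report points at, while the checked variant rejects the request before any allocation.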


