On Thu, 20 Dec 2012, Andrew Morton wrote:
> > Specifying negative size of buffer makes no sense and thus this commit
> > changes the type of the count argument to unsigned.
> >
> > --- a/arch/arm/mm/dma-mapping.c
> > +++ b/arch/arm/mm/dma-mapping.c
> > @@ -1038,9 +1038,9 @@ static struct page **__iommu_alloc_buffer(struct device *dev, size_t size,
> > gfp_t gfp, struct dma_attrs *attrs)
> > {
> > struct page **pages;
> > - int count = size >> PAGE_SHIFT;
> > - int array_size = count * sizeof(struct page *);
> > - int i = 0;
> > + unsigned int count = size >> PAGE_SHIFT;
> > + unsigned int array_size = count * sizeof(struct page *);
> > + unsigned int i = 0;
>
> C programmers expect a variable called `i' to have type `int'. It
> would be clearer to find a new name for this. `idx', perhaps.
>
I didn't ack this because there's no bounds checking on
dma_alloc_from_contiguous() and bitmap_set() has a dangerous side-effect
when called with an overflowed nr since it takes a signed argument.
Marek, is there some sane upper bound we can put on count?
Additionally, I think at least this is needed for callers of bitmap_set()
for some sanity (unless someone wants to audit the almost 100 callers and
change it to unsigned as well). There's probably additional nastiness in
this library as well, I didn't check.
---
diff --git a/lib/bitmap.c b/lib/bitmap.c
--- a/lib/bitmap.c
+++ b/lib/bitmap.c
@@ -287,7 +287,7 @@ void bitmap_set(unsigned long *map, int start, int nr)
mask_to_set = ~0UL;
p++;
}
- if (nr) {
+ if (nr > 0) {
mask_to_set &= BITMAP_LAST_WORD_MASK(size);
*p |= mask_to_set;
}
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>