On Tue, 2019-06-18 at 22:33 +0300, Gal Pressman wrote:
> On 18/06/2019 21:48, Jason Gunthorpe wrote:
> > On Tue, Jun 18, 2019 at 04:07:32PM +0300, Gal Pressman wrote:
> > > When inserting a new mmap entry to the xarray we should check for
> > > 'mmap_page' overflow as it is limited to 32 bits.
> > >
> > > Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
> > > Signed-off-by: Gal Pressman <galpress@xxxxxxxxxx>
> > > Changelog:
> > > v1->v2
> > > * Bring back the ucontext->mmap_xa_page assignment before
> > > __xa_insert
> > > drivers/infiniband/hw/efa/efa_verbs.c | 21 ++++++++++++++++-----
> > > 1 file changed, 16 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/drivers/infiniband/hw/efa/efa_verbs.c
> > > b/drivers/infiniband/hw/efa/efa_verbs.c
> > > index 0fea5d63fdbe..fb6115244d4c 100644
> > > +++ b/drivers/infiniband/hw/efa/efa_verbs.c
> > > @@ -204,6 +204,7 @@ static u64 mmap_entry_insert(struct efa_dev
> > > *dev, struct efa_ucontext *ucontext,
> > > void *obj, u64 address, u64 length, u8
> > > mmap_flag)
> > > {
> > > struct efa_mmap_entry *entry;
> > > + u32 next_mmap_page;
> > > int err;
> > >
> > > entry = kmalloc(sizeof(*entry), GFP_KERNEL);
> > > @@ -216,15 +217,19 @@ static u64 mmap_entry_insert(struct efa_dev
> > > *dev, struct efa_ucontext *ucontext,
> > > entry->mmap_flag = mmap_flag;
> > >
> > > xa_lock(&ucontext->mmap_xa);
> > > + if (check_add_overflow(ucontext->mmap_xa_page,
> > > + (u32)(length >> PAGE_SHIFT),
> > > + &next_mmap_page))
> > > + goto err_unlock;
> > > +
> > > entry->mmap_page = ucontext->mmap_xa_page;
> > > - ucontext->mmap_xa_page += DIV_ROUND_UP(length, PAGE_SIZE);
> >
> > Why did DIV_ROUND_UP become >> ?
>
> Since length is guaranteed to be a multiple of PAGE_SIZE.
Thanks, applied to for-rc.
--
Doug Ledford <dledford@xxxxxxxxxx>
GPG KeyID: B826A3330E572FDD
Fingerprint = AE6B 1BDA 122B 23B4 265B 1274 B826 A333 0E57 2FDD
Attachment:
signature.asc
Description: This is a digitally signed message part
