The patch titled Subject: resource: fix integer overflow at reallocation has been added to the -mm tree. Its filename is resource-fix-integer-overflow-at-reallocation.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/resource-fix-integer-overflow-at-reallocation.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/resource-fix-integer-overflow-at-reallocation.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Takashi Iwai <tiwai@xxxxxxx> Subject: resource: fix integer overflow at reallocation We've got a bug report indicating a kernel panic at booting on an x86-32 system, and it turned out to be the invalid resource assigned after PCI resource reallocation. __find_resource() first aligns the resource start address and resets the end address with start+size-1 accordingly, then checks whether it's contained. Here the end address may overflow the integer, although resource_contains() still returns true because the function validates only start and end address. So this ends up with returning an invalid resource (start > end). There was already an attempt to cover such a problem in the commit 47ea91b4052d ("Resource: fix wrong resource window calculation"), but this case is an overseen one. This patch adds the validity check in resource_contains() to see whether the given resource has a valid range for avoiding the integer overflow problem. Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739 Link: http://lkml.kernel.org/r/20180408072026.27365-1-tiwai@xxxxxxx Fixes: 23c570a67448 ("resource: ability to resize an allocated resource") Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> Reported-by: Michael Henders <hendersm@xxxxxxx> Tested-by: Michael Henders <hendersm@xxxxxxx> Reviewed-by: Ram Pai <linuxram@xxxxxxxxxx> Cc: Bjorn Helgaas <bhelgaas@xxxxxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- diff -puN include/linux/ioport.h~resource-fix-integer-overflow-at-reallocation include/linux/ioport.h --- a/include/linux/ioport.h~resource-fix-integer-overflow-at-reallocation +++ a/include/linux/ioport.h @@ -212,6 +212,9 @@ static inline bool resource_contains(str return false; if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET) return false; + /* sanity check whether it's a valid resource range */ + if (r2->end < r2->start) + return false; return r1->start <= r2->start && r1->end >= r2->end; } _ Patches currently in -mm which might be from tiwai@xxxxxxx are resource-fix-integer-overflow-at-reallocation.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html