diff mbox series

[2/2] RDMA/umem: Fix potential addition overflow

Message ID de220bdd849ef3e954e465bf9f9ec1e6a07cfa98.1537543687.git.dledford@redhat.com (mailing list archive)
State Accepted
Delegated to: Jason Gunthorpe
Headers show
Series Minor umem cleanups | expand

Commit Message

Doug Ledford Sept. 21, 2018, 3:30 p.m. UTC
Given a large enough memory allocation, it is possible to wrap the
pinned_vm counter.  Check for addition overflow to prevent such
eventualities.

Fixes: 40ddacf2dda9 ("RDMA/umem: Don't hold mmap_sem for too long")
Reported-by: Jason Gunthorpe <jgg@ziepe.ca>
Signed-off-by: Doug Ledford <dledford@redhat.com>
---
 drivers/infiniband/core/umem.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

Comments

Leon Romanovsky Sept. 25, 2018, 5:31 p.m. UTC | #1
On Fri, Sep 21, 2018 at 11:30:13AM -0400, Doug Ledford wrote:
> Given a large enough memory allocation, it is possible to wrap the
> pinned_vm counter.  Check for addition overflow to prevent such
> eventualities.
>
> Fixes: 40ddacf2dda9 ("RDMA/umem: Don't hold mmap_sem for too long")
> Reported-by: Jason Gunthorpe <jgg@ziepe.ca>
> Signed-off-by: Doug Ledford <dledford@redhat.com>
> ---
>  drivers/infiniband/core/umem.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
>

Thanks,
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
diff mbox series

Patch

diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index e54e50dd854b..0b082807e695 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -85,6 +85,7 @@  struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	struct page **page_list;
 	struct vm_area_struct **vma_list;
 	unsigned long lock_limit;
+	unsigned long new_pinned;
 	unsigned long cur_base;
 	struct mm_struct *mm;
 	unsigned long npages;
@@ -155,12 +156,13 @@  struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
 
 	down_write(&mm->mmap_sem);
-	mm->pinned_vm += npages;
-	if ((mm->pinned_vm > lock_limit) && !capable(CAP_IPC_LOCK)) {
+	if (check_add_overflow(mm->pinned_vm, npages, &new_pinned) ||
+	    (new_pinned > lock_limit && !capable(CAP_IPC_LOCK))) {
 		up_write(&mm->mmap_sem);
 		ret = -ENOMEM;
-		goto vma;
+		goto out;
 	}
+	mm->pinned_vm = new_pinned;
 	up_write(&mm->mmap_sem);
 
 	cur_base = addr & PAGE_MASK;