    [LMB] Restructure allocation loops to avoid unsigned underflow · d9024df0
    Paul Mackerras authored
    There is a potential bug in __lmb_alloc_base where we subtract `size'
    from the base address of a reserved region without checking whether
    the subtraction could wrap around and produce a very large unsigned
    value.  In fact it probably isn't possible to hit the bug in practice
    since it would only occur in the situation where we can't satisfy the
    allocation request and there is a reserved region starting at 0.
    
    This fixes the potential bug by breaking out of the loop when we get
    to the point where the base of the reserved region is less than the
    size requested.  This also restructures the loop to be a bit easier to
    follow.
    
    The same logic got copied into lmb_alloc_nid_unreserved, so this makes
    a similar change there.  Here the bug is more likely to be hit because
    the outer loop (in lmb_alloc_nid) goes through the memory regions in
    increasing order rather than decreasing order as __lmb_alloc_base
    does, and we are therefore more likely to hit the case where we are
    testing against a reserved region with a base address of 0.
    Signed-off-by: Paul Mackerras <paulus@samba.org>
lmb.c 9.68 KB
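As an added illustration, not the patch itself and not the kernel's lmb.c: a constructed model of the downward reserved-region scan the message describes, with the "base of the reserved region is less than the size requested" check that stops the unsigned subtraction from wrapping. The `reserved` table, `phys_t`, `alloc_below` and `unchecked_next_base` are assumptions of this example.

```c
#include <stdint.h>

/* Constructed stand-in for an LMB-style reserved-region table; the types,
 * table contents and function names are assumptions for this example. */
typedef uint64_t phys_t;
struct region { phys_t base; phys_t size; };
#define NRSV 3
static const struct region reserved[NRSV] = {
    { 0x0000, 0x1000 },   /* reserved region starting at physical address 0 */
    { 0x4000, 0x2000 },
    { 0x9000, 0x1000 },
};
/* Half-open interval overlap: [b1, b1+s1) intersects [b2, b2+s2). */
static int overlaps(phys_t b1, phys_t s1, phys_t b2, phys_t s2)
{
    return b1 < b2 + s2 && b2 < b1 + s1;
}

/* Round down to a power-of-two alignment. */
static phys_t align_down(phys_t x, phys_t align) { return x & ~(align - 1); }

/* The unchecked step the commit message warns about: for a reserved region
 * at base 0 this wraps to a huge unsigned value instead of signalling failure. */
phys_t unchecked_next_base(phys_t rbase, phys_t size)
{
    return rbase - size;
}

/* Highest aligned base below `max' such that [base, base+size) avoids every
 * reserved region: scan reserved regions high to low and step below each one
 * we collide with.  Returns 0 on failure (never a valid result here, since the
 * table reserves address 0). */
phys_t alloc_below(phys_t size, phys_t align, phys_t max)
{
    if (size == 0 || max < size)
        return 0;
    phys_t base = align_down(max - size, align);
    for (;;) {
        long j;
        for (j = NRSV - 1; j >= 0; j--)
            if (overlaps(base, size, reserved[j].base, reserved[j].size))
                break;
        if (j < 0)
            return base;              /* no collision: done */
        if (reserved[j].base < size)
            return 0;                 /* rbase - size would underflow: give up */
        base = align_down(reserved[j].base - size, align);
    }
}
```

The third test below is the unsatisfiable request that reaches the region at 0: the checked loop reports failure, while the unchecked subtraction would have produced an address near the top of the 64-bit range.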