Hello Omer Shpigelman,
The patch 0feaf86d4e69: "habanalabs: add virtual memory and MMU
modules" from Feb 16, 2019, leads to the following static checker
warning:
drivers/misc/habanalabs/memory.c:96 alloc_device_memory()
warn: integer overflows '(args->alloc.mem_size + (page_size - 1)) >>
page_shift'
drivers/misc/habanalabs/memory.c
53 static int alloc_device_memory(struct hl_ctx *ctx, struct hl_mem_in
*args,
54 u32 *ret_handle)
55 {
56 struct hl_device *hdev = ctx->hdev;
57 struct hl_vm *vm = &hdev->vm;
58 struct hl_vm_phys_pg_pack *phys_pg_pack;
59 u64 paddr = 0;
60 u32 total_size, num_pgs, num_curr_pgs, page_size, page_shift;
61 int handle, rc, i;
62 bool contiguous;
63
64 num_curr_pgs = 0;
65 page_size = hdev->asic_prop.dram_page_size;
66 page_shift = __ffs(page_size);
67 num_pgs = (args->alloc.mem_size + (page_size - 1)) >> page_shift;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
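This addition can have an integer overflow. mem_size is a u64 that
comes from the user in the IOCTL, so a value close to U64_MAX wraps
around when (page_size - 1) is added to it. Also num_pgs is a u32 so it
can't hold mem_size / 4096; the shifted result is silently truncated
when it is assigned.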
68 total_size = num_pgs << page_shift;
^^^^^^^^^^^^^^^^^^^^^
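So can this shift. num_pgs and page_shift are both u32, so the shift is
done in 32 bits, and total_size is u32 as well, so the result wraps for
a large num_pgs.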
69
70 contiguous = args->flags & HL_MEM_CONTIGUOUS;
71
72 if (contiguous) {
73 paddr = (u64) gen_pool_alloc(vm->dram_pg_pool, total_size);
74 if (!paddr) {
75 dev_err(hdev->dev,
76 "failed to allocate %u huge contiguous pages\n",
77 num_pgs);
78 return -ENOMEM;
79 }
80 }
81
82 phys_pg_pack = kzalloc(sizeof(*phys_pg_pack), GFP_KERNEL);
83 if (!phys_pg_pack) {
84 rc = -ENOMEM;
85 goto pages_pack_err;
86 }
87
88 phys_pg_pack->vm_type = VM_TYPE_PHYS_PACK;
89 phys_pg_pack->asid = ctx->asid;
90 phys_pg_pack->npages = num_pgs;
91 phys_pg_pack->page_size = page_size;
92 phys_pg_pack->total_size = total_size;
93 phys_pg_pack->flags = args->flags;
94 phys_pg_pack->contiguous = contiguous;
95
--> 96 phys_pg_pack->pages = kcalloc(num_pgs, sizeof(u64), GFP_KERNEL);
^^^^^^^
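We allocate less memory than intended. By this point num_pgs has
already wrapped or been truncated, so the array is sized from that
count and not from the mem_size the user asked for. mem_size probably
needs to be range-checked before num_pgs and total_size are computed.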
97 if (!phys_pg_pack->pages) {
98 rc = -ENOMEM;
99 goto pages_arr_err;
100 }
101
102 if (phys_pg_pack->contiguous) {
103 for (i = 0 ; i < num_pgs ; i++)
104 phys_pg_pack->pages[i] = paddr + i * page_size;
105 } else {
regards,
dan carpenter