Re: [PATCH] dma: fix up broken comparison in dma_alloc_from_coherent
From: Andrew Morton
Date: Tue Jan 27 2009 - 16:49:22 EST
On Wed, 21 Jan 2009 17:11:19 +0900
Paul Mundt <lethal@xxxxxxxxxxxx> wrote:
> @@ -118,31 +118,32 @@ int dma_alloc_from_coherent(struct device *dev, ssize_t size,
> mem = dev->dma_mem;
> if (!mem)
> return 0;
> - if (unlikely(size > mem->size))
> - return 0;
> +
> + *ret = NULL;
> +
> + if (unlikely(size > (mem->size << PAGE_SHIFT)))
> + goto err;
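Review bot: in the new bound check, `mem->size << PAGE_SHIFT` is shifted in the type of `mem->size` and only then compared with the `ssize_t size` from the function signature, so a pool whose byte size does not fit that type produces a wrapped or negative bound and the check gives the wrong answer. Widening before the shift, for example `(ssize_t)mem->size << PAGE_SHIFT`, or comparing in pages instead of bytes, keeps the comparison exact. Because `size` is signed, a negative value also passes this upper-bound test, so it is worth rejecting it here or adding a comment on why callers cannot pass one.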
Looks a bit broken on 64-bit.
`size' is ssize_t (long).
`mem->size' is `int'.
The left shift can overflow and cause badnesses.
> + *dma_handle = mem->device_base + (pageno << PAGE_SHIFT);
> + *ret = mem->virt_base + (pageno << PAGE_SHIFT);
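Review bot: both assignments compute `pageno << PAGE_SHIFT` in the type of `pageno`, whose declaration is not in the quoted lines, before adding it to `mem->device_base` and `mem->virt_base`. If that type is narrower than the handle and pointer arithmetic it feeds, the byte offset can wrap for a large enough pool. Computing the offset once in a wide unsigned type and reusing it on both lines would avoid that; otherwise a comment stating the maximum pool size that rules the wrap out would document the assumption.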
Ditto.
Maybe it's a can't-happen (why?), but...