linux/drivers/gpu/drm/drm_hashtab.c
Xie XiuQi ae0119f5f7 drm: fix signed integer overflow
Use 1UL for unsigned long, or we'll meet a overflow issue with UBSAN.

[   15.589489] UBSAN: Undefined behaviour in drivers/gpu/drm/drm_hashtab.c:145:35
[   15.589500] signed integer overflow:
[   15.589999] -2147483648 - 1 cannot be represented in type 'int'
[   15.590434] CPU: 2 PID: 294 Comm: plymouthd Not tainted 3.10.0-327.28.3.el7.x86_64 #1
[   15.590653] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 01/07/2011
[   15.591001]  1ffff1000670fe83 000000000d6b385e ffff88003387f3e0 ffffffff81ee3140
[   15.591028]  ffff88003387f3f8 ffffffff81ee31fd ffffffffa032f460 ffff88003387f560
[   15.591044]  ffffffff81ee46e2 0000002d00000009 0000000000000001 0000000041b58ab3
[   15.591059] Call Trace:
[   15.591078]  [<ffffffff81ee3140>] dump_stack+0x1e/0x20
[   15.591093]  [<ffffffff81ee31fd>] ubsan_epilogue+0x12/0x55
[   15.591109]  [<ffffffff81ee46e2>] handle_overflow+0x1ba/0x215
[   15.591126]  [<ffffffff81ee4528>] ? __ubsan_handle_negate_overflow+0x162/0x162
[   15.591146]  [<ffffffff8103416c>] ? print_context_stack+0x9c/0x160
[   15.591163]  [<ffffffff81031df2>] ? dump_trace+0x252/0x750
[   15.591181]  [<ffffffff81739023>] ? __list_add+0x93/0x160
[   15.591197]  [<ffffffff81ee4798>] __ubsan_handle_sub_overflow+0x2a/0x31
[   15.591261]  [<ffffffffa0282140>] drm_ht_just_insert_please+0x1e0/0x200 [drm]
[   15.591290]  [<ffffffffa0528c7a>] ttm_base_object_init+0x10a/0x270 [ttm]
[   15.591316]  [<ffffffffa052a34c>] ttm_vt_lock+0x28c/0x3a0 [ttm]
[   15.591343]  [<ffffffffa052a0c0>] ? ttm_write_lock+0x180/0x180 [ttm]
[   15.591362]  [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[   15.591379]  [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[   15.591396]  [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[   15.591413]  [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[   15.591442]  [<ffffffffa061cbe1>] vmw_master_set+0x121/0x470 [vmwgfx]
[   15.591459]  [<ffffffff811773a5>] ? __init_waitqueue_head+0x45/0x70
[   15.591487]  [<ffffffffa061cac0>] ? vmw_master_drop+0x310/0x310 [vmwgfx]
[   15.591535]  [<ffffffffa026946a>] drm_open+0x92a/0xc00 [drm]
[   15.591563]  [<ffffffffa0619ff0>] ? vmw_driver_open+0x170/0x170 [vmwgfx]
[   15.591610]  [<ffffffffa0268b40>] ? drm_poll+0xe0/0xe0 [drm]
[   15.591661]  [<ffffffffa02797b4>] drm_stub_open+0x224/0x330 [drm]
[   15.591711]  [<ffffffffa0279590>] ? drm_minor_acquire+0x240/0x240 [drm]
[   15.591727]  [<ffffffff8145fa8a>] chrdev_open+0x1fa/0x3f0
[   15.591742]  [<ffffffff8145f890>] ? cdev_put+0x50/0x50
[   15.591761]  [<ffffffff814f6dc3>] ? __fsnotify_parent+0x53/0x210
[   15.591778]  [<ffffffff8144fde1>] do_dentry_open+0x351/0x670
[   15.591792]  [<ffffffff8145f890>] ? cdev_put+0x50/0x50
[   15.591807]  [<ffffffff814503c2>] vfs_open+0xa2/0x170
[   15.591824]  [<ffffffff8147b5df>] do_last+0xccf/0x2c80
[   15.591842]  [<ffffffff8147a910>] ? filename_create+0x320/0x320
[   15.591858]  [<ffffffff81472549>] ? path_init+0x1b9/0xa90
[   15.591875]  [<ffffffff81472390>] ? mountpoint_last+0x9a0/0x9a0
[   15.591894]  [<ffffffff815f9ccf>] ? selinux_file_alloc_security+0xcf/0x130
[   15.591911]  [<ffffffff8147d777>] path_openat+0x1e7/0xcc0
[   15.591927]  [<ffffffff81031df2>] ? dump_trace+0x252/0x750
[   15.591943]  [<ffffffff8147d590>] ? do_last+0x2c80/0x2c80
[   15.591959]  [<ffffffff81739023>] ? __list_add+0x93/0x160
[   15.591974]  [<ffffffff8104b48d>] ? save_stack_trace+0x7d/0xb0
[   15.591989]  [<ffffffff81480824>] do_filp_open+0xa4/0x160
[   15.592004]  [<ffffffff81480780>] ? user_path_mountpoint_at+0x50/0x50
[   15.592022]  [<ffffffff8149d755>] ? __alloc_fd+0x175/0x300
[   15.592039]  [<ffffffff81453127>] do_sys_open+0x1b7/0x3f0
[   15.592054]  [<ffffffff81452f70>] ? filp_open+0x80/0x80
[   15.592070]  [<ffffffff81453392>] SyS_open+0x32/0x40
[   15.592088]  [<ffffffff81f08989>] system_call_fastpath+0x16/0x1b

Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
[seanpaul tweaked subject to remove "gpu/"]
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: http://patchwork.freedesktop.org/patch/msgid/1473152138-25335-1-git-send-email-xiexiuqi@huawei.com
2016-09-06 13:56:41 -04:00

206 lines
5.4 KiB
C

/**************************************************************************
*
* Copyright 2006 Tungsten Graphics, Inc., Bismarck, ND. USA.
* All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sub license, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice (including the
* next paragraph) shall be included in all copies or substantial portions
* of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
* THE COPYRIGHT HOLDERS, AUTHORS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM,
* DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
* OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
* USE OR OTHER DEALINGS IN THE SOFTWARE.
*
*
**************************************************************************/
/*
* Simple open hash tab implementation.
*
* Authors:
* Thomas Hellström <thomas-at-tungstengraphics-dot-com>
*/
#include <drm/drmP.h>
#include <drm/drm_hashtab.h>
#include <linux/hash.h>
#include <linux/slab.h>
#include <linux/export.h>
int drm_ht_create(struct drm_open_hash *ht, unsigned int order)
{
unsigned int size = 1 << order;
ht->order = order;
ht->table = NULL;
if (size <= PAGE_SIZE / sizeof(*ht->table))
ht->table = kcalloc(size, sizeof(*ht->table), GFP_KERNEL);
else
ht->table = vzalloc(size*sizeof(*ht->table));
if (!ht->table) {
DRM_ERROR("Out of memory for hash table\n");
return -ENOMEM;
}
return 0;
}
EXPORT_SYMBOL(drm_ht_create);
void drm_ht_verbose_list(struct drm_open_hash *ht, unsigned long key)
{
struct drm_hash_item *entry;
struct hlist_head *h_list;
unsigned int hashed_key;
int count = 0;
hashed_key = hash_long(key, ht->order);
DRM_DEBUG("Key is 0x%08lx, Hashed key is 0x%08x\n", key, hashed_key);
h_list = &ht->table[hashed_key];
hlist_for_each_entry(entry, h_list, head)
DRM_DEBUG("count %d, key: 0x%08lx\n", count++, entry->key);
}
static struct hlist_node *drm_ht_find_key(struct drm_open_hash *ht,
unsigned long key)
{
struct drm_hash_item *entry;
struct hlist_head *h_list;
unsigned int hashed_key;
hashed_key = hash_long(key, ht->order);
h_list = &ht->table[hashed_key];
hlist_for_each_entry(entry, h_list, head) {
if (entry->key == key)
return &entry->head;
if (entry->key > key)
break;
}
return NULL;
}
static struct hlist_node *drm_ht_find_key_rcu(struct drm_open_hash *ht,
unsigned long key)
{
struct drm_hash_item *entry;
struct hlist_head *h_list;
unsigned int hashed_key;
hashed_key = hash_long(key, ht->order);
h_list = &ht->table[hashed_key];
hlist_for_each_entry_rcu(entry, h_list, head) {
if (entry->key == key)
return &entry->head;
if (entry->key > key)
break;
}
return NULL;
}
int drm_ht_insert_item(struct drm_open_hash *ht, struct drm_hash_item *item)
{
struct drm_hash_item *entry;
struct hlist_head *h_list;
struct hlist_node *parent;
unsigned int hashed_key;
unsigned long key = item->key;
hashed_key = hash_long(key, ht->order);
h_list = &ht->table[hashed_key];
parent = NULL;
hlist_for_each_entry(entry, h_list, head) {
if (entry->key == key)
return -EINVAL;
if (entry->key > key)
break;
parent = &entry->head;
}
if (parent) {
hlist_add_behind_rcu(&item->head, parent);
} else {
hlist_add_head_rcu(&item->head, h_list);
}
return 0;
}
EXPORT_SYMBOL(drm_ht_insert_item);
/*
* Just insert an item and return any "bits" bit key that hasn't been
* used before.
*/
int drm_ht_just_insert_please(struct drm_open_hash *ht, struct drm_hash_item *item,
unsigned long seed, int bits, int shift,
unsigned long add)
{
int ret;
unsigned long mask = (1UL << bits) - 1;
unsigned long first, unshifted_key;
unshifted_key = hash_long(seed, bits);
first = unshifted_key;
do {
item->key = (unshifted_key << shift) + add;
ret = drm_ht_insert_item(ht, item);
if (ret)
unshifted_key = (unshifted_key + 1) & mask;
} while(ret && (unshifted_key != first));
if (ret) {
DRM_ERROR("Available key bit space exhausted\n");
return -EINVAL;
}
return 0;
}
EXPORT_SYMBOL(drm_ht_just_insert_please);
int drm_ht_find_item(struct drm_open_hash *ht, unsigned long key,
struct drm_hash_item **item)
{
struct hlist_node *list;
list = drm_ht_find_key_rcu(ht, key);
if (!list)
return -EINVAL;
*item = hlist_entry(list, struct drm_hash_item, head);
return 0;
}
EXPORT_SYMBOL(drm_ht_find_item);
int drm_ht_remove_key(struct drm_open_hash *ht, unsigned long key)
{
struct hlist_node *list;
list = drm_ht_find_key(ht, key);
if (list) {
hlist_del_init_rcu(list);
return 0;
}
return -EINVAL;
}
int drm_ht_remove_item(struct drm_open_hash *ht, struct drm_hash_item *item)
{
hlist_del_init_rcu(&item->head);
return 0;
}
EXPORT_SYMBOL(drm_ht_remove_item);
void drm_ht_remove(struct drm_open_hash *ht)
{
if (ht->table) {
kvfree(ht->table);
ht->table = NULL;
}
}
EXPORT_SYMBOL(drm_ht_remove);