From owner-svn-src-all@FreeBSD.ORG Mon May 5 15:59:31 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id ECDAEAAA; Mon, 5 May 2014 15:59:31 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DA5141CB7; Mon, 5 May 2014 15:59:31 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s45FxV60065506; Mon, 5 May 2014 15:59:31 GMT (envelope-from truckman@svn.freebsd.org) Received: (from truckman@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s45FxViA065500; Mon, 5 May 2014 15:59:31 GMT (envelope-from truckman@svn.freebsd.org) Message-Id: <201405051559.s45FxViA065500@svn.freebsd.org> From: Don Lewis Date: Mon, 5 May 2014 15:59:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r265363 - head/sys/kern X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 May 2014 15:59:32 -0000 Author: truckman Date: Mon May 5 15:59:31 2014 New Revision: 265363 URL: http://svnweb.freebsd.org/changeset/base/265363 Log: Avoid unsigned integer overflow which can cause rman_reserve_resource_bound() to return incorrect results. Continue the initial search until the first viable region is found. Add a comment to explain the search termination test. PR: kern/188534 Reviewed by: jhb (previous version) MFC after: 1 week Modified: head/sys/kern/subr_rman.c Modified: head/sys/kern/subr_rman.c ============================================================================== --- head/sys/kern/subr_rman.c Mon May 5 14:57:38 2014 (r265362) +++ head/sys/kern/subr_rman.c Mon May 5 15:59:31 2014 (r265363) @@ -456,7 +456,7 @@ rman_reserve_resource_bound(struct rman mtx_lock(rm->rm_mtx); for (r = TAILQ_FIRST(&rm->rm_list); - r && r->r_end < start; + r && r->r_end < start + count - 1; r = TAILQ_NEXT(r, r_link)) ; @@ -466,6 +466,11 @@ rman_reserve_resource_bound(struct rman } amask = (1ul << RF_ALIGNMENT(flags)) - 1; + if (start + amask < start) { + DPRINTF(("start+amask wrapped around\n")); + goto out; + } + /* If bound is 0, bmask will also be 0 */ bmask = ~(bound - 1); /* @@ -473,11 +478,20 @@ rman_reserve_resource_bound(struct rman */ for (s = r; s; s = TAILQ_NEXT(s, r_link)) { DPRINTF(("considering [%#lx, %#lx]\n", s->r_start, s->r_end)); - if (s->r_start + count - 1 > end) { + /* + * The resource list is sorted, so there is no point in + * searching further once r_start is too large. + */ + if (s->r_start > end - (count - 1)) { DPRINTF(("s->r_start (%#lx) + count - 1> end (%#lx)\n", s->r_start, end)); break; } + if (s->r_start + amask < s->r_start) { + DPRINTF(("s->r_start (%#lx) + amask (%#lx) wrapped\n", + s->r_start, amask)); + break; + } if (s->r_flags & RF_ALLOCATED) { DPRINTF(("region is allocated\n")); continue;