From 028fcce39e5e63b037537d8b2990fb52b000b048 Mon Sep 17 00:00:00 2001
From: Doug Ledford
Date: Tue, 19 Feb 2019 09:07:53 +0800
Subject: [PATCH] RDMA/umem: Fix potential addition overflow

mainline inclusion
from mainline-4.20-rc1
commit c6ce580716372d71cd119bacf73f14a62e9af2ea
category: bugfix
bugzilla: 6452
CVE: NA

--------------------------

Since Virtual Lanes BCT credits and MTU are set through separate MADs, we
Given a large enough memory allocation, it is possible to wrap the pinned_vm counter. Check for addition overflow to prevent such eventualities.

Fixes: 40ddacf2dda9 ("RDMA/umem: Don't hold mmap_sem for too long")
Reported-by: Jason Gunthorpe
Signed-off-by: Doug Ledford
Reviewed-by: Leon Romanovsky
Signed-off-by: Jason Gunthorpe
Signed-off-by: Jing Xiangfeng
Reviewed-by: Hanjun Guo
Signed-off-by: Yang Yingliang
---
 drivers/infiniband/core/umem.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index a41792dbae1f..5053a5ce5c07 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -85,6 +85,7 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	struct page **page_list;
 	struct vm_area_struct **vma_list;
 	unsigned long lock_limit;
+	unsigned long new_pinned;
 	unsigned long cur_base;
 	unsigned long npages;
 	int ret;
@@ -148,12 +149,13 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
 
 	down_write(¤t->mm->mmap_sem);
-	current->mm->pinned_vm += npages;
-	if ((current->mm->pinned_vm > lock_limit) && !capable(CAP_IPC_LOCK)) {
+	if (check_add_overflow(current->mm->pinned_vm, npages, &new_pinned) ||
+	    (new_pinned > lock_limit && !capable(CAP_IPC_LOCK))) {
 		up_write(¤t->mm->mmap_sem);
 		ret = -ENOMEM;
-		goto vma;
+		goto out;
 	}
+	current->mm->pinned_vm = new_pinned;
 	up_write(¤t->mm->mmap_sem);
 
 	cur_base = addr & PAGE_MASK;
-- 
GitLab
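Review bot: The new `check_add_overflow(...)` condition in the second hunk carries no comment explaining why an unsigned addition needs guarding, so a later cleanup could plausibly fold it back into the original `+=`; suggest `/* npages derives from the caller-supplied mapping size; a wrapped pinned_vm would pass the rlimit check, so reject overflow instead of comparing a wrapped value */` directly above the `if`. The change from `goto vma` to `goto out` looks consistent with pinned_vm no longer being modified before the failure exit, but both labels are outside the hunk, so confirm that `vma:` is the path that subtracts npages from pinned_vm and that `out:` skips it, otherwise the accounting would still drift on the error path. `check_add_overflow` requires all three operands to have the same type, which presumes `pinned_vm` is still `unsigned long` in this tree rather than the atomic64_t used by later mainline, worth checking on a backport. The body of ib_umem_get begins before the first hunk and continues after the second.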