[PATCH] fix broken lib/genalloc.c

genalloc improperly stores the sizes of freed chunks, allocates overlapping memory regions, and oopses after its in-band data is overwritten. Signed-off-by: Chris Humbert <mahadri-kernel@drigon.com> Cc: Jes Sorensen <jes@trained-monkey.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
author: Chris Humbert <mahadri-kernel@drigon.com> 2005-11-28 16:43:54 -0500
committer: Linus Torvalds <torvalds@g5.osdl.org> 2005-11-28 17:42:23 -0500
commit: 46596338a10a54550ff03a6f60c28145a080296b (patch)
tree: 563a8e6589c449679ca5f8d35aac7189a600a603
parent: 7729ac5efe156129d172784fedeaddb2167a1914 (diff)
1 files changed, 6 insertions, 8 deletions
diff --git a/lib/genalloc.c b/lib/genalloc.c
index d6d30d2e7166..9ce0a6a3b85a 100644
--- a/lib/genalloc.c
+++ b/lib/genalloc.c
@@ -95,12 +95,10 @@ unsigned long gen_pool_alloc(struct gen_pool *poolp, int size)
        if (size > max_chunk_size)
                return 0;
-        i = 0;
        size = max(size, 1 << ALLOC_MIN_SHIFT);
-        s = roundup_pow_of_two(size);
+        i = fls(size - 1);
+        s = 1 << i;
-        j = i;
+        j = i -= ALLOC_MIN_SHIFT;
        spin_lock_irqsave(&poolp->lock, flags);
        while (!h[j].next) {
@@ -153,10 +151,10 @@ void gen_pool_free(struct gen_pool *poolp, unsigned long ptr, int size)
        if (size > max_chunk_size)
                return;
-        i = 0;
        size = max(size, 1 << ALLOC_MIN_SHIFT);
-        s = roundup_pow_of_two(size);
+        i = fls(size - 1);
+        s = 1 << i;
+        i -= ALLOC_MIN_SHIFT;
        a = ptr;
author	Chris Humbert <mahadri-kernel@drigon.com>	2005-11-28 16:43:54 -0500
committer	Linus Torvalds <torvalds@g5.osdl.org>	2005-11-28 17:42:23 -0500
commit	46596338a10a54550ff03a6f60c28145a080296b (patch)
tree	563a8e6589c449679ca5f8d35aac7189a600a603
parent	7729ac5efe156129d172784fedeaddb2167a1914 (diff)

diff --git a/lib/genalloc.c b/lib/genalloc.c index d6d30d2e7166..9ce0a6a3b85a 100644 --- a/lib/genalloc.c +++ b/lib/genalloc.c
@@ -95,12 +95,10 @@ unsigned long gen_pool_alloc(struct gen_pool *poolp, int size)
95	if (size > max_chunk_size)	95	if (size > max_chunk_size)
96	return 0;	96	return 0;
97		97
98	i = 0;
99
100	size = max(size, 1 << ALLOC_MIN_SHIFT);	98	size = max(size, 1 << ALLOC_MIN_SHIFT);
101	s = roundup_pow_of_two(size);	99	i = fls(size - 1);
102		100	s = 1 << i;
103	j = i;	101	j = i -= ALLOC_MIN_SHIFT;
104		102
105	spin_lock_irqsave(&poolp->lock, flags);	103	spin_lock_irqsave(&poolp->lock, flags);
106	while (!h[j].next) {	104	while (!h[j].next) {
@@ -153,10 +151,10 @@ void gen_pool_free(struct gen_pool *poolp, unsigned long ptr, int size)
153	if (size > max_chunk_size)	151	if (size > max_chunk_size)
154	return;	152	return;
155		153
156	i = 0;
157
158	size = max(size, 1 << ALLOC_MIN_SHIFT);	154	size = max(size, 1 << ALLOC_MIN_SHIFT);
159	s = roundup_pow_of_two(size);	155	i = fls(size - 1);
		156	s = 1 << i;
		157	i -= ALLOC_MIN_SHIFT;
160		158
161	a = ptr;	159	a = ptr;
162		160