diff options
| author | Vitaly Kuznetsov <vkuznets@redhat.com> | 2015-03-31 14:16:41 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2015-04-03 10:20:12 -0400 |
| commit | 797f88c987b02a8de8d4fac94ec2877b92ec35a2 (patch) | |
| tree | a4bb69aa6bab4b4af5778bb59e94bfcd68aa138f /drivers | |
| parent | ba0c444153889a9b672974d85a4a57a8eeb49fe3 (diff) | |
Drivers: hv: hv_balloon: correctly handle num_pages>INT_MAX case
balloon_wrk.num_pages is __u32 and it comes from host in struct dm_balloon
where it is also __u32. We, however, use 'int' in balloon_up() and in case
we happen to receive num_pages>INT_MAX request we'll end up allocating zero
pages as 'num_pages < alloc_unit' check in alloc_balloon_pages() will pass.
Change num_pages type to unsigned int.
In real life ballooning request come with num_pages in [512, 32768] range so
this is more a future-proof/cleanup.
Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/hv/hv_balloon.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c index 4052ad8255fa..cb5b7dc9797f 100644 --- a/drivers/hv/hv_balloon.c +++ b/drivers/hv/hv_balloon.c | |||
| @@ -1081,11 +1081,12 @@ static void free_balloon_pages(struct hv_dynmem_device *dm, | |||
| 1081 | 1081 | ||
| 1082 | 1082 | ||
| 1083 | 1083 | ||
| 1084 | static int alloc_balloon_pages(struct hv_dynmem_device *dm, int num_pages, | 1084 | static unsigned int alloc_balloon_pages(struct hv_dynmem_device *dm, |
| 1085 | struct dm_balloon_response *bl_resp, | 1085 | unsigned int num_pages, |
| 1086 | int alloc_unit) | 1086 | struct dm_balloon_response *bl_resp, |
| 1087 | int alloc_unit) | ||
| 1087 | { | 1088 | { |
| 1088 | int i = 0; | 1089 | unsigned int i = 0; |
| 1089 | struct page *pg; | 1090 | struct page *pg; |
| 1090 | 1091 | ||
| 1091 | if (num_pages < alloc_unit) | 1092 | if (num_pages < alloc_unit) |
| @@ -1132,8 +1133,8 @@ static int alloc_balloon_pages(struct hv_dynmem_device *dm, int num_pages, | |||
| 1132 | 1133 | ||
| 1133 | static void balloon_up(struct work_struct *dummy) | 1134 | static void balloon_up(struct work_struct *dummy) |
| 1134 | { | 1135 | { |
| 1135 | int num_pages = dm_device.balloon_wrk.num_pages; | 1136 | unsigned int num_pages = dm_device.balloon_wrk.num_pages; |
| 1136 | int num_ballooned = 0; | 1137 | unsigned int num_ballooned = 0; |
| 1137 | struct dm_balloon_response *bl_resp; | 1138 | struct dm_balloon_response *bl_resp; |
| 1138 | int alloc_unit; | 1139 | int alloc_unit; |
| 1139 | int ret; | 1140 | int ret; |