diff options
| author | David S. Miller <[email protected]> | 2019-07-01 19:15:46 -0700 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2019-07-01 19:15:46 -0700 |
| commit | 8a534f8fb0dc44694a437b575060499efd1c91de (patch) | |
| tree | 88f7b417e9a8c7061b04e7ba0a77c3884b4f018b /include/linux | |
| parent | eb1f5c02ddf5ef51fcd746f6ff55b93935fc981c (diff) | |
| parent | 95b9395ba103ec0cc40bebb71a08231b5e226a76 (diff) | |
Merge branch 'idr-fix-overflow-cases-on-32-bit-CPU'
Cong Wang says:
====================
idr: fix overflow cases on 32-bit CPU
idr_get_next_ul() is problematic by design, it can't handle
the following overflow case well on 32-bit CPU:
u32 id = UINT_MAX;
idr_alloc_u32(&id);
while (idr_get_next_ul(&id) != NULL)
id++;
when 'id' overflows and becomes 0 after UINT_MAX, the loop
goes infinite.
Fix this by eliminating external users of idr_get_next_ul()
and migrating them to idr_for_each_entry_continue_ul(). And
add an additional parameter for these iteration macros to detect
overflow properly.
Please merge this through networking tree, as all the users
are in networking subsystem.
====================
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/idr.h | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/include/linux/idr.h b/include/linux/idr.h index ee7abae143d3..4ec8986e5dfb 100644 --- a/include/linux/idr.h +++ b/include/linux/idr.h @@ -191,14 +191,17 @@ static inline void idr_preload_end(void) * idr_for_each_entry_ul() - Iterate over an IDR's elements of a given type. * @idr: IDR handle. * @entry: The type * to use as cursor. + * @tmp: A temporary placeholder for ID. * @id: Entry ID. * * @entry and @id do not need to be initialized before the loop, and * after normal termination @entry is left with the value NULL. This * is convenient for a "not found" value. */ -#define idr_for_each_entry_ul(idr, entry, id) \ - for (id = 0; ((entry) = idr_get_next_ul(idr, &(id))) != NULL; ++id) +#define idr_for_each_entry_ul(idr, entry, tmp, id) \ + for (tmp = 0, id = 0; \ + tmp <= id && ((entry) = idr_get_next_ul(idr, &(id))) != NULL; \ + tmp = id, ++id) /** * idr_for_each_entry_continue() - Continue iteration over an IDR's elements of a given type @@ -213,6 +216,20 @@ static inline void idr_preload_end(void) entry; \ ++id, (entry) = idr_get_next((idr), &(id))) +/** + * idr_for_each_entry_continue_ul() - Continue iteration over an IDR's elements of a given type + * @idr: IDR handle. + * @entry: The type * to use as a cursor. + * @tmp: A temporary placeholder for ID. + * @id: Entry ID. + * + * Continue to iterate over entries, continuing after the current position. + */ +#define idr_for_each_entry_continue_ul(idr, entry, tmp, id) \ + for (tmp = id; \ + tmp <= id && ((entry) = idr_get_next_ul(idr, &(id))) != NULL; \ + tmp = id, ++id) + /* * IDA - ID Allocator, use when translation from id to pointer isn't necessary. */ |