diff options
| author |   Christian Borntraeger <borntraeger@de.ibm.com> | 2016-09-09 16:28:43 +0200 |
|---|---|---|
| committer |   Martin Schwidefsky <schwidefsky@de.ibm.com> | 2016-10-17 11:25:25 +0200 |
| commit | 0f02c4e749bc79975dd23ddcc9bfe38bf76afb67 (patch) | |
| tree | 2926eb0d79669c1c7a01e21f5b9df332e152c61c /drivers/s390/block | |
| parent | Linux 4.9-rc1 (diff) | |
| download | linux-dev-0f02c4e749bc79975dd23ddcc9bfe38bf76afb67.tar.xz linux-dev-0f02c4e749bc79975dd23ddcc9bfe38bf76afb67.zip | |
s390/dasd: avoid undefined behaviour
the mdc value can be quite big (like 65535), so we are in undefined
territory when doing the multiplication with the (also signed)
FCX_MAX_DATA_FACTOR as outlined by UBSAN:
UBSAN: Undefined behaviour in drivers/s390/block/dasd_eckd.c:1678:14
signed integer overflow:
65535 * 65536 cannot be represented in type 'int'
CPU: 5 PID: 183 Comm: kworker/u512:1 Not tainted 4.7.0+ #150
Workqueue: events_unbound async_run_entry_fn
000000fb8b59f900 000000fb8b59f990 0000000000000002 0000000000000000
000000fb8b59fa30 000000fb8b59f9a8 000000fb8b59f9a8 000000000011732e
00000000000000a4 0000000000a309e2 0000000000a4c072 000000000000000b
000000fb8b59f9f0 000000fb8b59f990 0000000000000000 0000000000000000
0400000000d83238 000000000011732e 000000fb8b59f990 000000fb8b59f9f0
Call Trace:
([<0000000000117260>] show_trace+0x98/0xa8)
([<00000000001172e0>] show_stack+0x70/0xf0)
([<000000000053ac96>] dump_stack+0x86/0xb8)
([<000000000057f5f8>] ubsan_epilogue+0x28/0x70)
([<000000000057fe9e>] handle_overflow+0xde/0xf0)
([<00000000006c322a>] dasd_eckd_check_characteristics+0x50a/0x550)
([<00000000006b42ca>] dasd_generic_set_online+0xba/0x380)
([<0000000000693d82>] ccw_device_set_online+0x192/0x550)
([<00000000006ac1ae>] dasd_generic_auto_online+0x2e/0x70)
([<0000000000172130>] async_run_entry_fn+0x70/0x270)
([<0000000000165a72>] process_one_work+0x26a/0x638)
([<0000000000165e8a>] worker_thread+0x4a/0x658)
([<000000000016dd9c>] kthread+0x10c/0x110)
([<00000000008963ae>] kernel_thread_starter+0x6/0xc)
([<00000000008963a8>] kernel_thread_starter+0x0/0xc)
As this is a runtime value there is actually no risk of any sane
compiler to detect and (ab)use this undefinedness, but let's make
the multiplication defined by making mdc unsigned.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Acked-by: Stefan Haberland <sth@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390/block')
| -rw-r--r-- | drivers/s390/block/dasd_eckd.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c index 831935af7389..a7a88476e215 100644 --- a/drivers/s390/block/dasd_eckd.c +++ b/drivers/s390/block/dasd_eckd.c @@ -1205,7 +1205,7 @@ static int verify_fcx_max_data(struct dasd_device *device, __u8 lpm) mdc, lpm); return mdc; } - fcx_max_data = mdc * FCX_MAX_DATA_FACTOR; + fcx_max_data = (u32)mdc * FCX_MAX_DATA_FACTOR; if (fcx_max_data < private->fcx_max_data) { dev_warn(&device->cdev->dev, "The maximum data size for zHPF requests %u " @@ -1675,7 +1675,7 @@ static u32 get_fcx_max_data(struct dasd_device *device) " data size for zHPF requests failed\n"); return 0; } else - return mdc * FCX_MAX_DATA_FACTOR; + return (u32)mdc * FCX_MAX_DATA_FACTOR; } /* |