1. 09 Jun, 2008 1 commit
    • Roland Dreier's avatar
      IB/core: Remove IB_DEVICE_SEND_W_INV capability flag · 4c0283fc
      Roland Dreier authored
      In 2.6.26, we added some support for send with invalidate work
      requests, including a device capability flag to indicate whether a
      device supports such requests.  However, the support was incomplete:
      the completion structure was not extended with a field for the key
      contained in incoming send with invalidate requests.
      
      Full support for memory management extensions (send with invalidate,
      local invalidate, fast register through a send queue, etc) is planned
      for 2.6.27.  Since send with invalidate is not very useful by itself,
      just remove the IB_DEVICE_SEND_W_INV bit before the 2.6.26 final
      release; we will add an IB_DEVICE_MEM_MGT_EXTENSIONS bit in 2.6.27,
      which makes things simpler for applications, since they will not have
      quite as confusing an array of fine-grained bits to check.
      Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
      4c0283fc
  2. 07 Jun, 2008 1 commit
    • Roland Dreier's avatar
      IB/umem: Avoid sign problems when demoting npages to integer · 8079ffa0
      Roland Dreier authored
      On a 64-bit architecture, if ib_umem_get() is called with a size value
      that is so big that npages is negative when cast to int, then the
      length of the page list passed to get_user_pages(), namely
      
      	min_t(int, npages, PAGE_SIZE / sizeof (struct page *))
      
      will be negative, and get_user_pages() will immediately return 0 (at
      least since 900cf086, "Be more robust about bad arguments in
      get_user_pages()").  This leads to an infinite loop in ib_umem_get(),
      since the code boils down to:
      
      	while (npages) {
      		ret = get_user_pages(...);
      		npages -= ret;
      	}
      
      Fix this by taking the minimum as unsigned longs, so that the value of
      npages is never truncated.
      
      The impact of this bug isn't too severe, since the value of npages is
      checked against RLIMIT_MEMLOCK, so a process would need to have an
      astronomical limit or have CAP_IPC_LOCK to be able to trigger this,
      and such a process could already cause lots of mischief.  But it does
      let buggy userspace code cause a kernel lock-up; for example I hit
      this with code that passes a negative value into a memory registartion
      function where it is promoted to a huge u64 value.
      
      Cc: <stable@kernel.org>
      Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
      8079ffa0
  3. 06 Jun, 2008 38 commits