From: Paul Mackerras <[EMAIL PROTECTED]>
Date: Tue, 1 Apr 2008 15:15:46 +1100
> [EMAIL PROTECTED] writes:
>
> > From: David Miller <[EMAIL PROTECTED]>
> >
> > A variant of lmb_alloc() that tries to allocate memory on a specified NUMA
> > node 'nid' but falls back to normal lmb_alloc() if that fails.
>
> ...
>
> > +static u64 __init lmb_alloc_nid_unreserved(u64 start, u64 end,
> > + u64 size, u64 align)
> > +{
> > + u64 base;
> > + long j;
> > +
> > + base = lmb_align_down((end - size), align);
> > + while (start <= base &&
> > + ((j = lmb_overlaps_region(&lmb.reserved, base, size)) >= 0))
> > + base = lmb_align_down(lmb.reserved.region[j].base - size,
> > + align);
>
> How do we know that lmb.reserved.region[j].base is >= size at this
> point? If it isn't, then base could end up as some extremely large
> unsigned value, which would be a Bad Thing.
The same exact issue exists in the existing code, from which this is
derived, in __lmb_alloc_base().
This situation can occur any time a region is smaller than the 'size'
argument, in both functions.
_______________________________________________
Linuxppc-dev mailing list
Linuxppc-dev@ozlabs.org
https://ozlabs.org/mailman/listinfo/linuxppc-dev
