Commit bcddaadb authored by Elliott Mitchell's avatar Elliott Mitchell Committed by Mitchell Horne
Browse files

rman: fix overflow in rman_reserve_resource_bound()

If the default range of [0, ~0] is given, then (~0 - 0) + 1 == 0. This
in turn will cause any allocation of non-zero size to fail. Zero-sized
allocations are prohibited, so add a KASSERT to this effect.

History indicates it is part of the original rman code.  This bug may in
fact be older than some contributors.

Reviewed by:	mhorne
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D30280
parent 0eb901f7
......@@ -445,6 +445,8 @@ rman_reserve_resource_bound(struct rman *rm, rman_res_t start, rman_res_t end,
"length %#jx, flags %x, device %s\n", rm->rm_descr, start, end,
count, flags,
dev == NULL ? "<null>" : device_get_nameunit(dev)));
KASSERT(count != 0, ("%s: attempted to allocate an empty range",
__func__));
KASSERT((flags & RF_FIRSTSHARE) == 0,
("invalid flags %#x", flags));
new_rflags = (flags & ~RF_FIRSTSHARE) | RF_ALLOCATED;
......@@ -520,7 +522,7 @@ rman_reserve_resource_bound(struct rman *rm, rman_res_t start, rman_res_t end,
DPRINTF(("truncated region: [%#jx, %#jx]; size %#jx (requested %#jx)\n",
rstart, rend, (rend - rstart + 1), count));
if ((rend - rstart + 1) >= count) {
if ((rend - rstart) >= (count - 1)) {
DPRINTF(("candidate region: [%#jx, %#jx], size %#jx\n",
rstart, rend, (rend - rstart + 1)));
if ((s->r_end - s->r_start + 1) == count) {
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment