projects / firefly-linux-kernel-4.4.55.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 18b683a) | patch
mm/vmalloc.c: fix an overflow bug in alloc_vmap_area()
authorZhang Yanfei <zhangyanfei.yes@gmail.com>
Mon, 8 Jul 2013 23:00:19 +0000 (16:00 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 13 Nov 2013 03:05:34 +0000 (12:05 +0900)
commit7bff7accd427da171501b558457ef8fa81ee2767
tree958af0229e79d85eb7c30f79bc09c8b1dbc5f51ftree | snapshot
parent18b683a2334848c003fe89e3002244ca298544f4commit | diff
mm/vmalloc.c: fix an overflow bug in alloc_vmap_area()

commit bcb615a81b1765864c71c50afb56631e7a1e5283 upstream.

When searching a vmap area in the vmalloc space, we use (addr + size -
1) to check if the value is less than addr, which is an overflow.  But
we assign (addr + size) to vmap_area->va_end.

So if we come across the below case:

  (addr + size - 1) : not overflow
  (addr + size)     : overflow

we will assign an overflow value (e.g 0) to vmap_area->va_end, And this
will trigger BUG in __insert_vmap_area, causing system panic.

So using (addr + size) to check the overflow should be the correct
behaviour, not (addr + size - 1).

Signed-off-by: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
Reported-by: Ghennadi Procopciuc <unix140@gmail.com>
Tested-by: Daniel Baluta <dbaluta@ixiacom.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Anatoly Muliarski <x86ever@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mm/vmalloc.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.