mm/cma.c: check the max limit for cma allocation
authorShiraz Hashim <shashim@codeaurora.org>
Thu, 10 Nov 2016 18:46:16 +0000 (10:46 -0800)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 11 Nov 2016 16:12:37 +0000 (08:12 -0800)
CMA allocation request size is represented by size_t that gets truncated
when same is passed as int to bitmap_find_next_zero_area_off.

We observe that during fuzz testing when cma allocation request is too
high, bitmap_find_next_zero_area_off still returns success due to the
truncation.  This leads to kernel crash, as subsequent code assumes that
requested memory is available.

Fail cma allocation in case the request breaches the corresponding cma
region size.

Link: http://lkml.kernel.org/r/1478189211-3467-1-git-send-email-shashim@codeaurora.org
Signed-off-by: Shiraz Hashim <shashim@codeaurora.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/cma.c

index 384c2cb51b56bf75ab2c132d0087e3757a71c276..c960459eda7e640ea55be1d4ed80c6a9125a8877 100644 (file)
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -385,6 +385,9 @@ struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align)
        bitmap_maxno = cma_bitmap_maxno(cma);
        bitmap_count = cma_bitmap_pages_to_bits(cma, count);
 
+       if (bitmap_count > bitmap_maxno)
+               return NULL;
+
        for (;;) {
                mutex_lock(&cma->lock);
                bitmap_no = bitmap_find_next_zero_area_off(cma->bitmap,