• Roman Gushchin's avatar
    mm/nommu.c: fix arithmetic overflow in __vm_enough_memory() · 56ade695
    Roman Gushchin authored
    commit 8138a67a upstream.
    
    I noticed that "allowed" can easily overflow by falling below 0, because
    (total_vm / 32) can be larger than "allowed".  The problem occurs in
    OVERCOMMIT_NONE mode.
    
    In this case, a huge allocation can success and overcommit the system
    (despite OVERCOMMIT_NONE mode).  All subsequent allocations will fall
    (system-wide), so system become unusable.
    
    The problem was masked out by commit c9b1d098
    ("mm: limit growth of 3% hardcoded other user reserve"),
    but it's easy to reproduce it on older kernels:
    1) set overcommit_memory sysctl to 2
    2) mmap() large file multiple times (with VM_SHARED flag)
    3) try to malloc() large amount of memory
    
    It also can be reproduced on newer kernels, but miss-configured
    sysctl_user_reserve_kbytes is required.
    
    Fix this issue by switching to signed arithmetic here.
    Signed-off-by: default avatarRoman Gushchin <klamm@yandex-team.ru>
    Cc: Andrew Shewmaker <agshew@gmail.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
    56ade695
nommu.c 53.3 KB