Commit bcb615a8 authored by Zhang Yanfei's avatar Zhang Yanfei Committed by Linus Torvalds

mm/vmalloc.c: fix an overflow bug in alloc_vmap_area()

When searching a vmap area in the vmalloc space, we use (addr + size -
1) to check if the value is less than addr, which is an overflow.  But
we assign (addr + size) to vmap_area->va_end.

So if we come across the below case:

  (addr + size - 1) : not overflow
  (addr + size)     : overflow

we will assign an overflow value (e.g 0) to vmap_area->va_end, And this
will trigger BUG in __insert_vmap_area, causing system panic.

So using (addr + size) to check the overflow should be the correct
behaviour, not (addr + size - 1).
Signed-off-by: default avatarZhang Yanfei <zhangyanfei@cn.fujitsu.com>
Reported-by: default avatarGhennadi Procopciuc <unix140@gmail.com>
Tested-by: default avatarDaniel Baluta <dbaluta@ixiacom.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 64363aad
......@@ -388,12 +388,12 @@ static struct vmap_area *alloc_vmap_area(unsigned long size,
addr = ALIGN(first->va_end, align);
if (addr < vstart)
goto nocache;
if (addr + size - 1 < addr)
if (addr + size < addr)
goto overflow;
} else {
addr = ALIGN(vstart, align);
if (addr + size - 1 < addr)
if (addr + size < addr)
goto overflow;
n = vmap_area_root.rb_node;
......@@ -420,7 +420,7 @@ static struct vmap_area *alloc_vmap_area(unsigned long size,
if (addr + cached_hole_size < first->va_start)
cached_hole_size = first->va_start - addr;
addr = ALIGN(first->va_end, align);
if (addr + size - 1 < addr)
if (addr + size < addr)
goto overflow;
if (list_is_last(&first->list, &vmap_area_list))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment