This is a note to let you know that I've just added the patch titled
mm/vmalloc.c: fix an overflow bug in alloc_vmap_area()
to the 3.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
mm-vmalloc.c-fix-an-overflow-bug-in-alloc_vmap_area.patch
and it can be found in the queue-3.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From bcb615a81b1765864c71c50afb56631e7a1e5283 Mon Sep 17 00:00:00 2001
From: Zhang Yanfei <[email protected]>
Date: Mon, 8 Jul 2013 16:00:19 -0700
Subject: mm/vmalloc.c: fix an overflow bug in alloc_vmap_area()
From: Zhang Yanfei <[email protected]>
commit bcb615a81b1765864c71c50afb56631e7a1e5283 upstream.
When searching a vmap area in the vmalloc space, we use (addr + size -
1) to check if the value is less than addr, which is an overflow. But
we assign (addr + size) to vmap_area->va_end.
So if we come across the below case:
(addr + size - 1) : not overflow
(addr + size) : overflow
we will assign an overflow value (e.g 0) to vmap_area->va_end, And this
will trigger BUG in __insert_vmap_area, causing system panic.
So using (addr + size) to check the overflow should be the correct
behaviour, not (addr + size - 1).
Signed-off-by: Zhang Yanfei <[email protected]>
Reported-by: Ghennadi Procopciuc <[email protected]>
Tested-by: Daniel Baluta <[email protected]>
Cc: David Rientjes <[email protected]>
Cc: Minchan Kim <[email protected]>
Cc: KOSAKI Motohiro <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Cc: Anatoly Muliarski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
mm/vmalloc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -388,12 +388,12 @@ nocache:
addr = ALIGN(first->va_end, align);
if (addr < vstart)
goto nocache;
- if (addr + size - 1 < addr)
+ if (addr + size < addr)
goto overflow;
} else {
addr = ALIGN(vstart, align);
- if (addr + size - 1 < addr)
+ if (addr + size < addr)
goto overflow;
n = vmap_area_root.rb_node;
@@ -420,7 +420,7 @@ nocache:
if (addr + cached_hole_size < first->va_start)
cached_hole_size = first->va_start - addr;
addr = ALIGN(first->va_end, align);
- if (addr + size - 1 < addr)
+ if (addr + size < addr)
goto overflow;
if (list_is_last(&first->list, &vmap_area_list))
Patches currently in stable-queue which might be from [email protected]
are
queue-3.10/mm-vmalloc.c-fix-an-overflow-bug-in-alloc_vmap_area.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
