diff for duplicates of <51C334FA.6080604@gmail.com>
diff --git a/a/1.txt b/N1/1.txt
index 09579ad..f85b3e9 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -86,3 +86,60 @@ Could you please try the below patch to see if it is ok? The patch is based
 on today's linus' tree.
 
 ------------------------------------------------------
+>From d513596c298cb90b6d4defa7a6e839ca2f9467c8 Mon Sep 17 00:00:00 2001
+From: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
+Date: Fri, 21 Jun 2013 00:37:56 +0800
+Subject: [PATCH] mm, vmalloc: Fix a potential overflow bug in alloc_vmap_area
+
+When searching a vmap area in the vmalloc space, we use
+(addr + size - 1) to check if the value is less than addr, which
+is an overflow. But we assign (addr + size) to vmap_area->va_end.
+
+So if we come across the below case:
+
+(addr + size - 1) : not overflow
+(addr + size) : overflow
+
+we will assign an overflow value (e.g 0) to vmap_area->va_end,
+And this will trigger BUG in __insert_vmap_area, causing system
+panic.
+
+So using (addr + size) to check the overflow should be the correct
+behaviour, not (addr + size - 1).
+
+Reported-by: Ghennadi Procopciuc <unix140@gmail.com>
+Signed-off-by: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
+---
+ mm/vmalloc.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/mm/vmalloc.c b/mm/vmalloc.c
+index d365724..d456560 100644
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -388,12 +388,12 @@ nocache:
+ addr = ALIGN(first->va_end, align);
+ if (addr < vstart)
+ goto nocache;
+- if (addr + size - 1 < addr)
++ if (addr + size < addr)
+ goto overflow;
+
+ } else {
+ addr = ALIGN(vstart, align);
+- if (addr + size - 1 < addr)
++ if (addr + size < addr)
+ goto overflow;
+
+ n = vmap_area_root.rb_node;
+@@ -420,7 +420,7 @@ nocache:
+ if (addr + cached_hole_size < first->va_start)
+ cached_hole_size = first->va_start - addr;
+ addr = ALIGN(first->va_end, align);
+- if (addr + size - 1 < addr)
++ if (addr + size < addr)
+ goto overflow;
+
+ if (list_is_last(&first->list, &vmap_area_list))
+--
+1.7.1
diff --git a/a/content_digest b/N1/content_digest
index 33e6813..00bb4a1 100644
--- a/a/content_digest
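Review bot: The three rewritten checks in the embedded mm/vmalloc.c patch (`if (addr + size < addr)`) carry no comment saying why the exclusive end is tested, and the old `- 1` form reads like the more natural inclusive-end test, so a later cleanup could quietly restore it. I would add above the first check, and repeat or reference at the other two, `/* va_end is stored as addr + size (exclusive), so the exclusive end itself must not wrap */`. The check also covers only the addition: the first hunk guards the result of `ALIGN(first->va_end, align)` with `addr < vstart`, while the visible lines of the third hunk show no such guard, so whether ALIGN can itself wrap there should be confirmed against the full function. The function body starts and ends outside the quoted hunks.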
+++ b/N1/content_digest 
@@ -100,6 +100,63 @@ "Could you please try the below patch to see if it is ok? The patch is based\n" "on today's linus' tree.\n" "\n" - ------------------------------------------------------ + "------------------------------------------------------\n" + ">From d513596c298cb90b6d4defa7a6e839ca2f9467c8 Mon Sep 17 00:00:00 2001\n" + "From: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>\n" + "Date: Fri, 21 Jun 2013 00:37:56 +0800\n" + "Subject: [PATCH] mm, vmalloc: Fix a potential overflow bug in alloc_vmap_area\n" + "\n" + "When searching a vmap area in the vmalloc space, we use\n" + "(addr + size - 1) to check if the value is less than addr, which\n" + "is an overflow. But we assign (addr + size) to vmap_area->va_end.\n" + "\n" + "So if we come across the below case:\n" + "\n" + "(addr + size - 1) : not overflow\n" + "(addr + size) : overflow\n" + "\n" + "we will assign an overflow value (e.g 0) to vmap_area->va_end,\n" + "And this will trigger BUG in __insert_vmap_area, causing system\n" + "panic.\n" + "\n" + "So using (addr + size) to check the overflow should be the correct\n" + "behaviour, not (addr + size - 1).\n" + "\n" + "Reported-by: Ghennadi Procopciuc <unix140@gmail.com>\n" + "Signed-off-by: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>\n" + "---\n" + " mm/vmalloc.c | 6 +++---\n" + " 1 files changed, 3 insertions(+), 3 deletions(-)\n" + "\n" + "diff --git a/mm/vmalloc.c b/mm/vmalloc.c\n" + "index d365724..d456560 100644\n" + "--- a/mm/vmalloc.c\n" + "+++ b/mm/vmalloc.c\n" + "@@ -388,12 +388,12 @@ nocache:\n" + " \t\taddr = ALIGN(first->va_end, align);\n" + " \t\tif (addr < vstart)\n" + " \t\t\tgoto nocache;\n" + "-\t\tif (addr + size - 1 < addr)\n" + "+\t\tif (addr + size < addr)\n" + " \t\t\tgoto overflow;\n" + " \n" + " \t} else {\n" + " \t\taddr = ALIGN(vstart, align);\n" + "-\t\tif (addr + size - 1 < addr)\n" + "+\t\tif (addr + size < addr)\n" + " \t\t\tgoto overflow;\n" + " \n" + " \t\tn = vmap_area_root.rb_node;\n" + "@@ -420,7 +420,7 @@ nocache:\n" + " \t\tif 
(addr + cached_hole_size < first->va_start)\n" + " \t\t\tcached_hole_size = first->va_start - addr;\n" + " \t\taddr = ALIGN(first->va_end, align);\n" + "-\t\tif (addr + size - 1 < addr)\n" + "+\t\tif (addr + size < addr)\n" + " \t\t\tgoto overflow;\n" + " \n" + " \t\tif (list_is_last(&first->list, &vmap_area_list))\n" + "-- \n" + 1.7.1 -9fe45f053f12d76b8aac4b96eee5ca9da6f845f7db586386786b055ece670931 +dad37455846690822515fb9196b33e1a5f4aa313aa57bbc9136befae7002824f