When running with a 16M IOREMAP_MAX_ORDER (on armv7) we found that the vmlist
search routine in __get_vm_area_node can mistakenly allow a driver to ioremap
a range larger than vmalloc space.
If at the time of the ioremap all existing vmlist areas sit below the determined
alignment then the search routine continues past all entries and exits the for
loop - straight into the found: label - without ever testing for integer
wrapping or that the requested size fits.
We were seeing a driver successfully ioremap 128M of flash even though there was
only 120M of vmalloc space. From that point the system was left with
the remainder
of the first 16M of space to vmalloc/ioremap within.
Signed-off-by: Robert Bragg <[email protected]>
---
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index af77e17..06a7f3a 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -216,6 +216,10 @@ static struct vm_struct *__get_vm_area_node
if (addr > end - size)
goto out;
}
+ if ((size + addr) < addr)
+ goto out;
+ if (addr > end - size)
+ goto out;
found:
area->next = *p;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
