* [PATCH 1/1] mm: cma: check the max limit for cma allocation
@ 2016-11-03 16:06 Shiraz Hashim
  0 siblings, 0 replies; 2+ messages in thread
From: Shiraz Hashim @ 2016-11-03 16:06 UTC (permalink / raw)
  To: catalin.marinas, sfr, akpm; +Cc: linux-mm, linux-kernel, Shiraz Hashim

CMA allocation request size is represented by size_t, which
gets truncated when the same is passed as an int to
bitmap_find_next_zero_area_off.

We observe during fuzz testing that when the cma allocation
request is too high, bitmap_find_next_zero_area_off still
returns success due to the truncation. This leads to a
kernel crash, as subsequent code assumes that the requested
memory is available.

Fail cma allocation in case the request breaches the
corresponding cma region size.

Signed-off-by: Shiraz Hashim <shashim@codeaurora.org>
---
 mm/cma.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/cma.c b/mm/cma.c
index 384c2cb..c960459 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -385,6 +385,9 @@ struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align)
 	bitmap_maxno = cma_bitmap_maxno(cma);
 	bitmap_count = cma_bitmap_pages_to_bits(cma, count);
 
+	if (bitmap_count > bitmap_maxno)
+		return NULL;
+
 	for (;;) {
 		mutex_lock(&cma->lock);
 		bitmap_no = bitmap_find_next_zero_area_off(cma->bitmap,
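Review bot: the new `if (bitmap_count > bitmap_maxno)` check runs only after cma_bitmap_pages_to_bits() has converted count, so if that helper rounds the page count up to the region's bit granularity before shifting, a count close to SIZE_MAX can wrap to a small bitmap_count and still pass; consider rejecting the raw request as well, e.g. `if (count > cma->count) return NULL;`, which is the condition the commit message actually states ("the request breaches the corresponding cma region size"). Placing the early return before the `for (;;)` loop and outside mutex_lock(&cma->lock) is fine, since it only compares two locals, but a one-line comment explaining that the bound exists because bitmap_find_next_zero_area_off() takes the length as a narrower integer would save the next reader from re-deriving why an otherwise impossible request needs its own check.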
-- 
Shiraz Hashim

QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a
member of the Code Aurora Forum, hosted by The Linux Foundation

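The narrowing the commit message describes, shown on a toy allocator. This is an added illustration, not code from the kernel or from the patch author: the 64-unit region, the function names, the alloc_result struct and the oversized request value are all constructed for the example. find_zero_area() stands in for bitmap_find_next_zero_area_off() with its length parameter deliberately declared as unsigned int, alloc_unguarded() is the pre-patch shape and alloc_guarded() the shape with the range check applied while the count is still a size_t.

```c
/* Toy model of the size_t -> unsigned int narrowing in a CMA-style
 * bitmap allocator. Added illustration; names and sizes are made up. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REGION_UNITS 64u              /* hypothetical region: 64 allocation units */

struct region {
    uint64_t bitmap;                  /* one bit per unit, 1 = in use */
    unsigned long maxno;              /* number of valid bits (REGION_UNITS) */
};

struct alloc_result {
    long first;                       /* first unit granted, or -1 on failure */
    size_t units;                     /* how many units the caller believes it owns */
};

static void region_init(struct region *r)
{
    r->bitmap = 0;
    r->maxno = REGION_UNITS;
}

/* Stand-in for bitmap_find_next_zero_area_off(): the run length 'nr' is
 * an unsigned int, so a size_t argument is narrowed at the call site.
 * Returns the first index of a run of 'nr' free units, or -1. */
static long find_zero_area(uint64_t map, unsigned long size, unsigned int nr)
{
    if (nr == 0 || nr > size)
        return -1;
    for (unsigned long start = 0; start + nr <= size; start++) {
        unsigned int i;
        for (i = 0; i < nr; i++)
            if (map & ((uint64_t)1 << (start + i)))
                break;
        if (i == nr)
            return (long)start;
    }
    return -1;
}

static void mark_used(struct region *r, unsigned long first, unsigned int nr)
{
    for (unsigned int i = 0; i < nr; i++)
        r->bitmap |= (uint64_t)1 << (first + i);
}

/* Pre-patch shape: 'count' is silently narrowed when passed as 'nr'. */
static struct alloc_result alloc_unguarded(struct region *r, size_t count)
{
    struct alloc_result res = { -1, 0 };
    long no = find_zero_area(r->bitmap, r->maxno, count);   /* size_t -> unsigned int */

    if (no < 0)
        return res;
    mark_used(r, (unsigned long)no, (unsigned int)count);    /* only the truncated run was verified */
    res.first = no;
    res.units = count;   /* caller now uses all 'count' units: the crash in the report */
    return res;
}

/* Patched shape: reject the request while it is still a size_t, before
 * any narrowing can happen (count <= maxno <= UINT_MAX afterwards). */
static struct alloc_result alloc_guarded(struct region *r, size_t count)
{
    struct alloc_result res = { -1, 0 };

    if (count > r->maxno)
        return res;
    return alloc_unguarded(r, count);
}

/* Constructed request: far larger than the region, but its low 32 bits are 4. */
static size_t oversized_request(void)
{
    return (size_t)UINT_MAX + 5;   /* 2^32 + 4 on LP64; only meaningful where size_t > unsigned int */
}

/* 1 if the unguarded path wrongly accepts the oversized request. */
int unguarded_accepts_oversized(void)
{
    struct region r;
    region_init(&r);
    return alloc_unguarded(&r, oversized_request()).first >= 0;
}

/* 1 if the guarded path rejects it. */
int guarded_rejects_oversized(void)
{
    struct region r;
    region_init(&r);
    return alloc_guarded(&r, oversized_request()).first < 0;
}

/* In-range requests behave normally on both paths. */
int small_requests_work(void)
{
    struct region r;
    region_init(&r);
    if (alloc_guarded(&r, 4).first != 0) return 0;
    if (alloc_guarded(&r, 4).first != 4) return 0;
    if (alloc_guarded(&r, 60).first != -1) return 0;   /* 56 free, 60 asked */
    if (alloc_guarded(&r, 56).first != 8) return 0;
    return 1;
}

int main(void)
{
    struct region r;
    struct alloc_result a;

    region_init(&r);
    a = alloc_unguarded(&r, oversized_request());
    printf("unguarded: first=%ld units=%zu (region has %u)\n", a.first, a.units, REGION_UNITS);
    region_init(&r);
    a = alloc_guarded(&r, oversized_request());
    printf("guarded:   first=%ld units=%zu\n", a.first, a.units);
    return 0;
}
```

On an LP64 build the unguarded path returns unit 0 and reports 4294967300 units granted from a 64-unit region, because find_zero_area() only ever looked for a run of 4; the guarded path fails the request up front. The check in the patch does the same job at bitmap granularity, which is why it has to sit before the call that narrows the count rather than after it.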
