https://github.com/torvalds/linux
Revision 6b36ba599d602d8a73920fb5c470fe272fac49c1 authored by Shiraz Hashim on 10 November 2016, 18:46:16 UTC, committed by Linus Torvalds on 11 November 2016, 16:12:37 UTC
CMA allocation request size is represented by size_t that gets truncated when same is passed as int to bitmap_find_next_zero_area_off. We observe that during fuzz testing when cma allocation request is too high, bitmap_find_next_zero_area_off still returns success due to the truncation. This leads to kernel crash, as subsequent code assumes that requested memory is available. Fail cma allocation in case the request breaches the corresponding cma region size. Link: http://lkml.kernel.org/r/1478189211-3467-1-git-send-email-shashim@codeaurora.org Signed-off-by: Shiraz Hashim <shashim@codeaurora.org> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent eef06b8
Tip revision: 6b36ba599d602d8a73920fb5c470fe272fac49c1 authored by Shiraz Hashim on 10 November 2016, 18:46:16 UTC
mm/cma.c: check the max limit for cma allocation
mm/cma.c: check the max limit for cma allocation
Tip revision: 6b36ba5
| File | Mode | Size |
|---|---|---|
| 3com | ||
| acenic | ||
| adaptec | ||
| advansys | ||
| av7110 | ||
| bnx2 | ||
| bnx2x | ||
| cis | ||
| cpia2 | ||
| cxgb3 | ||
| dsp56k | ||
| e100 | ||
| edgeport | ||
| emi26 | ||
| emi62 | ||
| ess | ||
| kaweth | ||
| keyspan | ||
| keyspan_pda | ||
| korg | ||
| matrox | ||
| myricom | ||
| ositech | ||
| qlogic | ||
| r128 | ||
| radeon | ||
| sb16 | ||
| sun | ||
| tehuti | ||
| tigon | ||
| ttusb-budget | ||
| vicam | ||
| yam | ||
| yamaha | ||
| .gitignore | -rw-r--r-- | 39 bytes |
| Makefile | -rw-r--r-- | 10.9 KB |
| README.AddingFirmware | -rw-r--r-- | 1.7 KB |
| WHENCE | -rw-r--r-- | 26.3 KB |
| atmsar11.HEX | -rw-r--r-- | 18.7 KB |
| ihex2fw.c | -rw-r--r-- | 6.6 KB |
| mts_cdma.fw.ihex | -rw-r--r-- | 37.2 KB |
| mts_edge.fw.ihex | -rw-r--r-- | 37.8 KB |
| mts_gsm.fw.ihex | -rw-r--r-- | 37.2 KB |
| ti_3410.fw.ihex | -rw-r--r-- | 37.0 KB |
| ti_5052.fw.ihex | -rw-r--r-- | 37.0 KB |
| whiteheat.HEX | -rw-r--r-- | 43.9 KB |
| whiteheat_loader.HEX | -rw-r--r-- | 11.8 KB |
| whiteheat_loader_debug.HEX | -rw-r--r-- | 17.2 KB |
Computing file changes ...
