Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 6b36ba599d602d8a73920fb5c470fe272fac49c1
commit6b36ba599d602d8a73920fb5c470fe272fac49c1[log] [tgz]
authorShiraz Hashim <shashim@codeaurora.org>Thu Nov 10 10:46:16 2016 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>Fri Nov 11 08:12:37 2016 -0800
tree013d0a9d0eb45539fe656545edcfded22e2ee37f
parenteef06b82f16c78dc0197e3e9d5b2230647a890ff [diff]
mm/cma.c: check the max limit for cma allocation

CMA allocation request size is represented by size_t that gets truncated
when same is passed as int to bitmap_find_next_zero_area_off.

We observe that during fuzz testing when cma allocation request is too
high, bitmap_find_next_zero_area_off still returns success due to the
truncation.  This leads to kernel crash, as subsequent code assumes that
requested memory is available.

Fail cma allocation in case the request breaches the corresponding cma
region size.

Link: http://lkml.kernel.org/r/1478189211-3467-1-git-send-email-shashim@codeaurora.org
Signed-off-by: Shiraz Hashim <shashim@codeaurora.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 file changed
tree: 013d0a9d0eb45539fe656545edcfded22e2ee37f
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS