Re: [patch] mm: vmap fix overflow
From: Andrew Morton
Date: Tue Feb 10 2009 - 17:45:27 EST
On Tue, 10 Feb 2009 06:51:19 +0100
Nick Piggin <npiggin@xxxxxxx> wrote:
> This patch is appropriate for 2.6.28 too.
>
> --
>
> The new vmap allocator can wrap the address and get confused in the case of
> large allocations or VMALLOC_END near the end of address space.
>
> Problem reported by Christoph Hellwig on a 32-bit XFS workload.
>
> Signed-off-by: Nick Piggin <npiggin@xxxxxxx>
> ---
> mm/vmalloc.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> Index: linux-2.6/mm/vmalloc.c
> ===================================================================
> --- linux-2.6.orig/mm/vmalloc.c
> +++ linux-2.6/mm/vmalloc.c
> @@ -334,6 +334,9 @@ retry:
> addr = ALIGN(vstart, align);
>
> spin_lock(&vmap_area_lock);
> + if (addr + size < addr)
> + goto overflow;
> +
> /* XXX: could have a last_hole cache */
> n = vmap_area_root.rb_node;
> if (n) {
> @@ -365,6 +368,8 @@ retry:
>
> while (addr + size > first->va_start && addr + size <= vend) {
> addr = ALIGN(first->va_end + PAGE_SIZE, align);
> + if (addr + size < addr)
> + goto overflow;
>
> n = rb_next(&first->rb_node);
> if (n)
> @@ -375,6 +380,7 @@ retry:
> }
> found:
> if (addr + size > vend) {
> +overflow:
> spin_unlock(&vmap_area_lock);
> if (!purged) {
> purge_vmap_area_lazy();
well...
If a caller tries to allocate 0x1000 bytes at address 0xfffff000, this
code will think that it overflowed. But it didn't.
Presumably nobody ever tries to do that, but it seems a bit sloppy?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/