Patch: Re: boundary condition bug fix for vmalloc()

Stephen C. Tweedie (sct@redhat.com)
Thu, 22 Apr 1999 16:30:01 +0100 (BST)


Hi,

On Wed, 21 Apr 1999 17:12:37 -0700 (PDT), kanoj@google.engr.sgi.com
(Kanoj Sarcar) said:

> Under heavy load conditions, get_vm_area() might end up allocating an
> address range beyond VMALLOC_END. The problem is after the for loop in
> get_vm_area() terminates, no consistency check (addr > VMALLOC_END -
> size) is performed on the "addr".

Agreed, and the patch looks OK. Moving the test outside the for loop
entirely has the same effect while shaving a few cycles off the
function. The existing clearly broken in not checking the size of the
final area if we ran off the end of the vm_area chain.

--Stephen

----------------------------------------------------------------
--- mm/vmalloc.c~ Mon Jan 18 18:19:28 1999
+++ mm/vmalloc.c Thu Apr 22 16:12:58 1999
@@ -161,11 +161,11 @@
for (p = &vmlist; (tmp = *p) ; p = &tmp->next) {
if (size + addr < (unsigned long) tmp->addr)
break;
- if (addr > VMALLOC_END-size) {
- kfree(area);
- return NULL;
- }
addr = tmp->size + (unsigned long) tmp->addr;
+ }
+ if (addr > VMALLOC_END-size) {
+ kfree(area);
+ return NULL;
}
area->addr = (void *)addr;
area->size = size + PAGE_SIZE;
----------------------------------------------------------------

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/