Commit | Line | Data |
---|---|---|
04fd09d4 SL |
1 | From 589573fb8ded5e111e86f71bbec495c47039a7a0 Mon Sep 17 00:00:00 2001 |
2 | From: "Uladzislau Rezki (Sony)" <urezki@gmail.com> | |
3 | Date: Tue, 5 Mar 2019 15:45:59 -0800 | |
4 | Subject: mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! | |
5 | ||
6 | [ Upstream commit afd07389d3f4933c7f7817a92fb5e053d59a3182 ] | |
7 | ||
8 | One of the vmalloc stress test cases triggers the kernel BUG(): | |
9 | ||
10 | <snip> | |
11 | [60.562151] ------------[ cut here ]------------ | |
12 | [60.562154] kernel BUG at mm/vmalloc.c:512! | |
13 | [60.562206] invalid opcode: 0000 [#1] PREEMPT SMP PTI | |
14 | [60.562247] CPU: 0 PID: 430 Comm: vmalloc_test/0 Not tainted 4.20.0+ #161 | |
15 | [60.562293] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 | |
16 | [60.562351] RIP: 0010:alloc_vmap_area+0x36f/0x390 | |
17 | <snip> | |
18 | ||
19 | It can happen due to a big align request resulting in overflow of the | |
20 | calculated address, i.e. it becomes 0 after ALIGN()'s fixup. | |
21 | ||
22 | Fix it by checking if calculated address is within vstart/vend range. | |
23 | ||
24 | Link: http://lkml.kernel.org/r/20190124115648.9433-2-urezki@gmail.com | |
25 | Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com> | |
26 | Reviewed-by: Andrew Morton <akpm@linux-foundation.org> | |
27 | Cc: Ingo Molnar <mingo@elte.hu> | |
28 | Cc: Joel Fernandes <joelaf@google.com> | |
29 | Cc: Matthew Wilcox <willy@infradead.org> | |
30 | Cc: Michal Hocko <mhocko@suse.com> | |
31 | Cc: Oleksiy Avramchenko <oleksiy.avramchenko@sonymobile.com> | |
32 | Cc: Steven Rostedt <rostedt@goodmis.org> | |
33 | Cc: Tejun Heo <tj@kernel.org> | |
34 | Cc: Thomas Garnier <thgarnie@google.com> | |
35 | Cc: Thomas Gleixner <tglx@linutronix.de> | |
36 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | |
37 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | |
38 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
39 | --- | |
40 | mm/vmalloc.c | 6 +++++- | |
41 | 1 file changed, 5 insertions(+), 1 deletion(-) | |
42 | ||
43 | diff --git a/mm/vmalloc.c b/mm/vmalloc.c | |
44 | index 8d9f636d0c98..6c906f6f16cc 100644 | |
45 | --- a/mm/vmalloc.c | |
46 | +++ b/mm/vmalloc.c | |
47 | @@ -498,7 +498,11 @@ nocache: | |
48 | } | |
49 | ||
50 | found: | |
51 | - if (addr + size > vend) | |
52 | + /* | |
53 | + * Check also calculated address against the vstart, | |
54 | + * because it can be 0 because of big align request. | |
55 | + */ | |
56 | + if (addr + size > vend || addr < vstart) | |
57 | goto overflow; | |
58 | ||
59 | va->va_start = addr; | |
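Review bot: The sum in `if (addr + size > vend || addr < vstart)` is still an unchecked unsigned addition, so an `addr` that is inside the range combined with a large `size` could wrap past zero and slip under `vend`; nothing visible in this hunk bounds `size`. Consider making the wrap explicit, for example by also testing `addr + size < addr` before `goto overflow`, so both ends of the range are covered by the same check. The new comment also names only the 0 case, while the condition rejects any address below `vstart`; wording it as "can wrap below vstart because of a big align request" would match what the code does.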
60 | -- | |
61 | 2.19.1 | |
62 |