mm: cma: check the max limit for cma allocation

CMA allocation request size is represented by size_t that gets truncated when same is passed as int to bitmap_find_next_zero_area_off. We observe that during fuzz testing when cma allocation request is too high, bitmap_find_next_zero_area_off still returns success due to the truncation. This leads to kernel crash, as subsequent code assumes that requested memory is available. Fail cma allocation in case the request breaches the corresponding cma region size. Change-Id: Ieb5fd8429726efd7686387bccb55952fb053280a Signed-off-by: Shiraz Hashim <shashim@codeaurora.org>
author: Shiraz Hashim <shashim@codeaurora.org> 2016-11-03 15:24:35 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2016-11-16 05:53:10 -0800
commit: ca95ed6a5776c38861f85ff005e8347c8ea41db5 (patch)
tree: 9a3a6050947d8d27fd1bc608ece3974b3404ece7 /mm/cma.c
parent: 1e1700765225e4aa31d076f78c9937bd93509083 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/mm/cma.c b/mm/cma.c
index 9ff71db72bc5..b55caef2454a 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -392,6 +392,9 @@ struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align)
 	bitmap_maxno = cma_bitmap_maxno(cma);
 	bitmap_count = cma_bitmap_pages_to_bits(cma, count);
 
+	if (bitmap_count > bitmap_maxno)
+		return NULL;
+
 	for (;;) {
 		mutex_lock(&cma->lock);
 		bitmap_no = bitmap_find_next_zero_area_off(cma->bitmap,
author	Shiraz Hashim <shashim@codeaurora.org>	2016-11-03 15:24:35 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2016-11-16 05:53:10 -0800
commit	ca95ed6a5776c38861f85ff005e8347c8ea41db5 (patch)
tree	9a3a6050947d8d27fd1bc608ece3974b3404ece7 /mm/cma.c
parent	1e1700765225e4aa31d076f78c9937bd93509083 (diff)