From patchwork Fri Feb 6 12:22:33 2009
X-Patchwork-Submitter: Guennadi Liakhovetski
X-Patchwork-Id: 5870
X-Patchwork-Delegate: lethal@linux-sh.org
Date: Fri, 6 Feb 2009 13:22:33 +0100 (CET)
From: Guennadi Liakhovetski
To: linux-kernel@vger.kernel.org
cc: Paul Mundt, Andrew Morton, adrian@newgolddream.dyndns.info, lkmladrian@gmail.com, linux-sh@vger.kernel.org, penberg@cs.helsinki.fi, dbaryshkov@gmail.com, penguin-kernel@i-love.sakura.ne.jp, hannes@cmpxchg.org
Subject: [PATCH] fix broken size test in bitmap_find_free_region()

This loop and test in bitmap_find_free_region()

	for (pos = 0; pos < bits; pos += (1 << order))
		if (__reg_op(bitmap, pos, order, REG_OP_ISFREE))
			break;
	if (pos == bits)
		return -ENOMEM;

can only return an error (-ENOMEM) if bits is a multiple of (1 << order),
which is, for instance, true, if bits is (also) a power of 2. This is not
necessarily the case with dma_alloc_from_coherent(). A failure to recognise
too large a request leads in dma_alloc_from_coherent() to accessing beyond
available memory, and to writing beyond the bitmap.

Signed-off-by: Guennadi Liakhovetski
---

diff --git a/lib/bitmap.c b/lib/bitmap.c index 1338469..d49c37f 100644 --- a/lib/bitmap.c +++ b/lib/bitmap.c
@@ -953,7 +953,7 @@ int bitmap_find_free_region(unsigned long *bitmap, int bits, int order) for (pos = 0; pos < bits; pos += (1 << order)) if (__reg_op(bitmap, pos, order, REG_OP_ISFREE)) break; - if (pos == bits) + if (pos + (1 << order) > bits) return -ENOMEM; __reg_op(bitmap, pos, order, REG_OP_ALLOC); return pos;
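
Review bot: The unchanged loop above the new test still calls __reg_op(bitmap, pos, order, REG_OP_ISFREE) for a final pos where pos + (1 << order) is greater than bits, so the free-region probe itself can examine bits past the end of the bitmap before the new check rejects the result. Consider moving the bound into the loop condition, for example "for (pos = 0; pos + (1 << order) <= bits; pos += (1 << order))", and returning -ENOMEM when the loop ends without finding a free region, so that neither the probe nor the REG_OP_ALLOC call is ever handed a region that extends beyond bits. A one-line comment at the test stating that bits need not be a multiple of (1 << order) would also record why "pos == bits" was not sufficient.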