2008-11-10 08:44:17

by wzt wzt

[permalink] [raw]
Subject: Is it a bug with __get_vm_area_node?

the __get_vm_area_node() doesn't check the parameter start and end.

__get_vm_area_node() called by __get_vm_area(), its a export function.

If some drivers pass a bad value to start, such as 0. it will
something wrong with vmlist.


static struct vm_struct *
__get_vm_area_node(unsigned long size, unsigned long flags, unsigned long start,
unsigned long end, int node, gfp_t gfp_mask, void *caller)
{

...

write_lock(&vmlist_lock);
for (p = &vmlist; (tmp = *p) != NULL ;p = &tmp->next) {
if ((unsigned long)tmp->addr < addr) {
if((unsigned long)tmp->addr + tmp->size >= addr)
addr = ALIGN(tmp->size +
(unsigned long)tmp->addr, align);
continue;
}
if ((size + addr) < addr)
goto out;
if (size + addr <= (unsigned long)tmp->addr) // if
addr is 0, the loop will be immediately break.
goto found;
addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);
if (addr > end - size)
goto out;
}
if ((size + addr) < addr)
goto out;
if (addr > end - size)
goto out;

// if addr is 0, it will be add a trash vm_struct to vmlist.
found:
area->next = *p;
*p = area;

area->flags = flags;
area->addr = (void *)addr;
area->size = size;
area->pages = NULL;
area->nr_pages = 0;
area->phys_addr = 0;
area->caller = caller;
write_unlock(&vmlist_lock);

return area;
...
}

I don't kown, weather it's a bug.

If it's a bug, my patch is:

--- linux-2.6.27.orig/mm/vmalloc.c 2008-11-11 00:22:28.000000000 +0800
+++ linux-2.6.27/mm/vmalloc.c 2008-11-11 00:28:31.000000000 +0800
@@ -214,6 +214,9 @@ __get_vm_area_node(unsigned long size, u
unsigned long align = 1;
unsigned long addr;

+ if (start < VMALLOC_START || end > VMALLOC_END)
+ return NULL;
+
BUG_ON(in_interrupt());
if (flags & VM_IOREMAP) {
int bit = fls(size);