On Wed, 2012-03-28 at 19:25 -0700, Laura Abbott wrote:
> Currently in __memblock_remove, the check to trim the top of
> a block off only checks if the requested base is less than the
> memblock end. If the end of the requested region is equal to
> the start of a memblock, this will incorrectly try to remove
> the block, possibly causing an integer underflow:
>
> ---------------------------------------
> |                  |                  |
> |                  |                  |
> base        end = rgn->base        rend
>
> An additional check is needed to see if the end of the requested
> region is greater than the memblock region:

__memblock_remove() open coded logic is gone now, re-implemented in
terms of memblock_isolate_range()... though I suppose your patch might
have value in -stable...

Cheers,
Ben.

> ----------------------
> |                    |
> |                    |
> rgn->base   base     rend      end
>             |                  |
>             |                  |
>             --------------------
>
> Signed-off-by: Laura Abbott <lauraa@xxxxxxxxxxxxxx>
> ---
> mm/memblock.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/mm/memblock.c b/mm/memblock.c
> index 5338237..e174ee0 100644
> --- a/mm/memblock.c
> +++ b/mm/memblock.c
> @@ -459,7 +459,7 @@ static long __init_memblock __memblock_remove(struct memblock_type *type,
> }
>
> /* And check if we need to trim the top of a block */
> - if (base < rend)
> + if (base < rend && end > rend)
> rgn->size -= rend - base;
>
> }
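
Review bot: the added `end > rend` test on the trim-the-top branch is strict, so a request that starts inside the block and ends exactly at rend (end == rend) no longer reaches `rgn->size -= rend - base;` here, and nothing in the visible hunk shows that case being handled elsewhere. The underflow described in the commit message comes from base lying below rgn->base, which makes rend - base larger than rgn->size (taking rend as the end of the block, as the diagrams label it). Guarding on that directly, for example `if (base < rend && base >= rgn->base)`, or at least relaxing the new test to `end >= rend`, would reject the end == rgn->base case without dropping the exact-fit trim. The comment above the test could also say why the second condition is needed.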