The patch titled
     bitmap: fix size test in bitmap_find_free_region()
has been removed from the -mm tree.  Its filename was
     bitmap-fix-size-test-in-bitmap_find_free_region.patch

This patch was dropped because an alternative patch was merged

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: bitmap: fix size test in bitmap_find_free_region()
From: Guennadi Liakhovetski <lg@xxxxxxx>

This loop and test in bitmap_find_free_region()

	for (pos = 0; pos < bits; pos += (1 << order))
		if (__reg_op(bitmap, pos, order, REG_OP_ISFREE))
			break;
	if (pos == bits)
		return -ENOMEM;

can only return an error (-ENOMEM) if bits is a multiple of (1 << order),
which is true only if bits is (also) a power of 2.  This is not necessarily
the case with dma_alloc_from_coherent().  A failure to recognise too large a
request leads to dma_alloc_from_coherent() accessing beyond available
memory, and writing beyond the bitmap.

Signed-off-by: Guennadi Liakhovetski <lg@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 lib/bitmap.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN lib/bitmap.c~bitmap-fix-size-test-in-bitmap_find_free_region lib/bitmap.c
--- a/lib/bitmap.c~bitmap-fix-size-test-in-bitmap_find_free_region
+++ a/lib/bitmap.c
@@ -953,7 +953,7 @@ int bitmap_find_free_region(unsigned lon for (pos = 0; pos < bits; pos += (1 << order)) if (__reg_op(bitmap, pos, order, REG_OP_ISFREE)) break; - if (pos == bits) + if (pos + (1 << order) > bits) return -ENOMEM; __reg_op(bitmap, pos, order, REG_OP_ALLOC); return pos;
_

Patches currently in -mm which might be from lg@xxxxxxx are

origin.patch
bitmap-fix-size-test-in-bitmap_find_free_region.patch
linux-next.patch

--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
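Review bot: The patched test `if (pos + (1 << order) > bits)` rejects an oversized result only after the loop has already probed it: the loop still runs on `pos < bits`, so when `bits` is not a multiple of `1 << order` the final iteration calls `__reg_op(bitmap, pos, order, REG_OP_ISFREE)` on a region that extends past `bits`, reading bits the caller never allocated before the new check rejects the position. Folding the bound into the loop condition, e.g. `for (pos = 0; pos + (1 << order) <= bits; pos += (1 << order))`, and returning `-ENOMEM` after the loop when nothing was found removes the out-of-range probe and makes the separate post-loop test unnecessary. If the post-loop form is kept, the changelog should say that the loop deliberately overshoots and the `>` comparison relies on `pos` landing past `bits`, since that is not obvious from the single changed line.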
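The size-test bug described in the changelog above, as an added example that is not the kernel's code: a byte-per-bit model of the search loop in which the old `pos == bits` test and the patched `pos + (1 << order) > bits` test can be run side by side. The names `region_is_free`, `region_alloc`, `find_free_region`, `mark_used`, `MAP_CAPACITY` and the `scenario_*` functions are constructed for this model; the bitmap sizes and occupancy are constructed inputs chosen so that `bits` is not a multiple of the region size, which is the case the changelog says dma_alloc_from_coherent() can produce.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the loop in bitmap_find_free_region(), not the
 * kernel's lib/bitmap.c.  One byte per bit and a capacity larger than any
 * `bits` used below, so a region that spills past `bits` is observable in
 * the return value instead of being undefined behaviour.
 */
#define MAP_CAPACITY 16

/* Stand-in for __reg_op(..., REG_OP_ISFREE): true if every bit of the region is clear. */
static bool region_is_free(const unsigned char *map, unsigned pos, int order)
{
	unsigned end = pos + (1u << order);

	for (unsigned i = pos; i < end; i++)
		if (i >= MAP_CAPACITY || map[i])
			return false;
	return true;
}

/* Stand-in for __reg_op(..., REG_OP_ALLOC), clipped to the model's capacity. */
static void region_alloc(unsigned char *map, unsigned pos, int order)
{
	unsigned end = pos + (1u << order);

	for (unsigned i = pos; i < end && i < MAP_CAPACITY; i++)
		map[i] = 1;
}

/*
 * The loop from the patch.  `fixed` selects the post-loop test: the old
 * `pos == bits` or the patched `pos + (1 << order) > bits`.
 */
static int find_free_region(unsigned char *map, unsigned bits, int order, bool fixed)
{
	unsigned pos;

	for (pos = 0; pos < bits; pos += (1u << order))
		if (region_is_free(map, pos, order))
			break;
	if (fixed ? (pos + (1u << order) > bits) : (pos == bits))
		return -ENOMEM;
	region_alloc(map, pos, order);
	return (int)pos;
}

/* Reset the map and mark bits [from, to) as already in use (constructed state). */
static void mark_used(unsigned char *map, unsigned from, unsigned to)
{
	memset(map, 0, MAP_CAPACITY);
	for (unsigned i = from; i < to && i < MAP_CAPACITY; i++)
		map[i] = 1;
}

/* bits = 6 is not a multiple of a 4-bit region; bits 0..3 are used.
 * The old test hands out pos 4, whose region 4..7 runs past bit 6. */
int scenario_tail_region(bool fixed)
{
	unsigned char map[MAP_CAPACITY];

	mark_used(map, 0, 4);
	return find_free_region(map, 6, 2, fixed);
}

/* bits = 6 with bits 0..7 used: the loop exits at pos 8, which the old
 * test does not recognise as "past the end", so it allocates at 8. */
int scenario_map_full(bool fixed)
{
	unsigned char map[MAP_CAPACITY];

	mark_used(map, 0, 8);
	return find_free_region(map, 6, 2, fixed);
}

/* bits = 8 is a multiple of the region size: both tests report -ENOMEM. */
int scenario_aligned_full(bool fixed)
{
	unsigned char map[MAP_CAPACITY];

	mark_used(map, 0, 8);
	return find_free_region(map, 8, 2, fixed);
}

/* A request that fits (2-bit region at pos 4 inside bits = 6): both tests return 4. */
int scenario_fits(bool fixed)
{
	unsigned char map[MAP_CAPACITY];

	mark_used(map, 0, 4);
	return find_free_region(map, 6, 1, fixed);
}

int main(void)
{
	printf("tail region:  old %d  fixed %d\n", scenario_tail_region(false), scenario_tail_region(true));
	printf("map full:     old %d  fixed %d\n", scenario_map_full(false), scenario_map_full(true));
	printf("aligned full: old %d  fixed %d\n", scenario_aligned_full(false), scenario_aligned_full(true));
	printf("fits:         old %d  fixed %d\n", scenario_fits(false), scenario_fits(true));
	return 0;
}
```

The two failing scenarios are the ones the changelog describes: in the first, the search stops on a region that starts inside the map but ends beyond `bits`; in the second, the loop overshoots to `pos == 8` and the equality test against `bits == 6` never fires, so the caller is handed an offset entirely outside the map. Because the model keeps one byte per bit with spare capacity, the offending return values are visible instead of corrupting adjacent memory as they would in the real bitmap.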