The patch titled
Subject: mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()
has been added to the -mm tree. Its filename is
mm-nommuc-fix-arithmetic-overflow-in-__vm_enough_memory.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/mm-nommuc-fix-arithmetic-overflow-in-__vm_enough_memory.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/mm-nommuc-fix-arithmetic-overflow-in-__vm_enough_memory.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Roman Gushchin <klamm@xxxxxxxxxxxxxx>
Subject: mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()
I noticed that "allowed" can easily overflow by falling below 0, because
(total_vm / 32) can be larger than "allowed". The problem occurs in
OVERCOMMIT_NONE mode.
In this case, a huge allocation can success and overcommit the system
(despite OVERCOMMIT_NONE mode). All subsequent allocations will fall
(system-wide), so system become unusable.
The problem was masked out by commit c9b1d0981fcc
("mm: limit growth of 3% hardcoded other user reserve"),
but it's easy to reproduce it on older kernels:
1) set overcommit_memory sysctl to 2
2) mmap() large file multiple times (with VM_SHARED flag)
3) try to malloc() large amount of memory
It also can be reproduced on newer kernels, but miss-configured
sysctl_user_reserve_kbytes is required.
Fix this issue by switching to signed arithmetic here.
Signed-off-by: Roman Gushchin <klamm@xxxxxxxxxxxxxx>
Cc: Andrew Shewmaker <agshew@xxxxxxxxx>
Cc: Rik van Riel <riel@xxxxxxxxxx>
Cc: Konstantin Khlebnikov <khlebnikov@xxxxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
mm/nommu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff -puN mm/nommu.c~mm-nommuc-fix-arithmetic-overflow-in-__vm_enough_memory mm/nommu.c
--- a/mm/nommu.c~mm-nommuc-fix-arithmetic-overflow-in-__vm_enough_memory
+++ a/mm/nommu.c
@@ -1928,7 +1928,7 @@ EXPORT_SYMBOL(unmap_mapping_range);
*/
int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
{
- unsigned long free, allowed, reserve;
+ long free, allowed, reserve;
vm_acct_memory(pages);
@@ -1992,7 +1992,7 @@ int __vm_enough_memory(struct mm_struct
*/
if (mm) {
reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10);
- allowed -= min(mm->total_vm / 32, reserve);
+ allowed -= min_t(long, mm->total_vm / 32, reserve);
}
if (percpu_counter_read_positive(&vm_committed_as) < allowed)
_
Patches currently in -mm which might be from klamm@xxxxxxxxxxxxxx are
mm-fix-arithmetic-overflow-in-__vm_enough_memory.patch
mm-fix-arithmetic-overflow-in-__vm_enough_memory-fix.patch
mm-nommuc-fix-arithmetic-overflow-in-__vm_enough_memory.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html