
mm: cma: fix incorrect type conversion for size during dma allocation

This was found during a userspace fuzzing test when a large dma cma
allocation is made by a driver (like ion) through userspace.

show_stack+0x10/0x1c
dump_stack+0x74/0xc8
kasan_report_error+0x2b0/0x408
kasan_report+0x34/0x40
__asan_storeN+0x15c/0x168
memset+0x20/0x44
__dma_alloc_coherent+0x114/0x18c

Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Rohit Vaswani and committed by
Linus Torvalds
67a2e213 52116139

+6 -6
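--- a/drivers/base/dma-contiguous.c
+++ b/drivers/base/dma-contiguous.c
@@ -187,7 +187,7 @@
  * global one. Requires architecture specific dev_get_cma_area() helper
  * function.
  */
-struct page *dma_alloc_from_contiguous(struct device *dev, int count,
+struct page *dma_alloc_from_contiguous(struct device *dev, size_t count,
 				       unsigned int align)
 {
 	if (align > CONFIG_CMA_ALIGNMENT)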
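--- a/include/linux/cma.h
+++ b/include/linux/cma.h
@@ -26,6 +26,6 @@
 extern int cma_init_reserved_mem(phys_addr_t base, phys_addr_t size,
 					unsigned int order_per_bit,
 					struct cma **res_cma);
-extern struct page *cma_alloc(struct cma *cma, unsigned int count, unsigned int align);
+extern struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align);
 extern bool cma_release(struct cma *cma, const struct page *pages, unsigned int count);
 #endif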
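Review bot: `cma_release` on line 30 still declares `count` as `unsigned int` while `cma_alloc` in the same hunk now takes `size_t count`, so a caller that hands the same count to both will narrow it again on release; the same asymmetry is left in include/linux/dma-contiguous.h, where `dma_release_from_contiguous` keeps `int count` on line 117 right under the widened allocator prototype. Widening the release side to match, `extern bool cma_release(struct cma *cma, const struct page *pages, size_t count);`, keeps the allocate/release pair symmetric. The `cma_release` implementation in mm/cma.c would need the same change, which is outside this diff.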
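--- a/include/linux/dma-contiguous.h
+++ b/include/linux/dma-contiguous.h
@@ -111,7 +111,7 @@
 	return ret;
 }
 
-struct page *dma_alloc_from_contiguous(struct device *dev, int count,
+struct page *dma_alloc_from_contiguous(struct device *dev, size_t count,
 				       unsigned int order);
 bool dma_release_from_contiguous(struct device *dev, struct page *pages,
 				 int count);
@@ -144,7 +144,7 @@
 }
 
 static inline
-struct page *dma_alloc_from_contiguous(struct device *dev, int count,
+struct page *dma_alloc_from_contiguous(struct device *dev, size_t count,
 				       unsigned int order)
 {
 	return NULL;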
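--- a/mm/cma.c
+++ b/mm/cma.c
@@ -361,7 +361,7 @@
  * This function allocates part of contiguous memory on specific
  * contiguous memory area.
  */
-struct page *cma_alloc(struct cma *cma, unsigned int count, unsigned int align)
+struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align)
 {
 	unsigned long mask, offset, pfn, start = 0;
 	unsigned long bitmap_maxno, bitmap_no, bitmap_count;
@@ -371,7 +371,7 @@
 	if (!cma || !cma->count)
 		return NULL;
 
-	pr_debug("%s(cma %p, count %d, align %d)\n", __func__, (void *)cma,
+	pr_debug("%s(cma %p, count %zu, align %d)\n", __func__, (void *)cma,
 		 count, align);
 
 	if (!count)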
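Review bot: The `pr_debug` on line 374 switches the count specifier to `%zu` but still prints `align` with `%d`, although `align` is `unsigned int` per the signature on line 364; `%u` matches the type, i.e. `pr_debug("%s(cma %p, count %zu, align %u)\n", __func__, (void *)cma,`. The locals on lines 366-367 are `unsigned long`, so the widened `count` fits once it is converted to bitmap units, but the body of cma_alloc continues outside the hunk and the comparison of `count` against `cma->count` is not visible here.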