possible bug in ppc_vm_region_alloc()
Yossi Etigin
yosefe at voltaire.com
Tue Aug 3 16:21:12 EST 2010
Hello,
(I am reposting this because it looks like the previous message was filtered
because I was not subscribed to the list.)
We are looking at dma_alloc_coherent(), which uses ppc_vm_region_alloc()
on the coherent region "consistent_head".
It seems to us there is a bug in the function ppc_vm_region_alloc().
The check "if (addr > end)" should be "if (addr >= end)"
If, for example, it is called once with a size equal to the entire coherent
region, the second time it will allocate a region outside the valid
memory.
It will happen because the list will contain one element (besides the
head) which is equal to the head, and neither condition will cause a
"goto nospc". Then the list iteration will end and the new region will
be allocated right after the valid region.
	list_for_each_entry(c, &head->vm_list, vm_list) {
		if ((addr + size) < addr)
			goto nospc;
		if ((addr + size) <= c->vm_start)
			goto found;
		addr = c->vm_end;
		if (addr > end)        <=== here
			goto nospc;
	}
--Yossi
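The scenario above can be run in user space. The following is an added example, not the kernel's ppc_vm_region_alloc() and not code from the poster: it models the quoted first-fit loop over a sorted array instead of a list_head, and assumes that `end` equals `head->vm_end` (the post does not show how the real function computes `end`). The `mode` switch, the struct and function names, and the address range 0x1000-0x2000 are all illustration-only assumptions.

```c
/*
 * Added example (not the kernel's code): a user-space model of the
 * first-fit loop quoted in the post, so the off-by-one can be run.
 * Assumptions, all mine: regions live in a sorted array instead of a
 * list_head; `end` is taken to equal head->vm_end (the post does not
 * show how the real function computes it); `mode` selects which range
 * check the loop applies.
 */
#include <stddef.h>
#include <string.h>

#define MAX_REGIONS 8

struct vm_region {
	unsigned long vm_start;
	unsigned long vm_end;            /* exclusive */
};

struct vm_head {
	unsigned long vm_start;          /* start of the whole coherent range */
	unsigned long vm_end;            /* end (exclusive) of that range */
	struct vm_region list[MAX_REGIONS]; /* allocated regions, sorted by vm_start */
	size_t count;
};

enum range_check {
	CHECK_GT,   /* "if (addr > end)"  : what the post says the code does */
	CHECK_GE,   /* "if (addr >= end)" : what the post proposes           */
	CHECK_TAIL  /* CHECK_GE plus "addr + size <= vm_end" after the loop  */
};

static void vm_head_init(struct vm_head *head, unsigned long start, unsigned long end)
{
	head->vm_start = start;
	head->vm_end = end;
	head->count = 0;
}

/* Returns the start of the new region, or 0 when there is no space. */
static unsigned long vm_region_alloc(struct vm_head *head, size_t size, enum range_check mode)
{
	unsigned long addr = head->vm_start;
	unsigned long end = head->vm_end;   /* assumption: end == head->vm_end */
	size_t i;

	if (size == 0 || head->count == MAX_REGIONS)
		return 0;

	for (i = 0; i < head->count; i++) {
		struct vm_region *c = &head->list[i];

		if (addr + size < addr)             /* address wraparound */
			return 0;
		if (addr + size <= c->vm_start)     /* fits in the gap before c */
			goto found;
		addr = c->vm_end;                   /* skip past c */
		if (mode == CHECK_GT ? addr > end : addr >= end)
			return 0;
	}
	/* Ran off the end of the list: addr is the end of the last region
	 * (or vm_start when the list is empty). Only CHECK_TAIL verifies
	 * that the new region still fits inside the coherent range. */
	if (mode == CHECK_TAIL && (addr + size < addr || addr + size > end))
		return 0;
found:
	/* Insert the new region before index i (i == count appends). */
	memmove(&head->list[i + 1], &head->list[i],
		(head->count - i) * sizeof(head->list[0]));
	head->list[i].vm_start = addr;
	head->list[i].vm_end = addr + size;
	head->count++;
	return addr;
}

/* The scenario from the post: allocate the whole range once, then ask
 * for more. Returns the address the second call hands out (0 = nospc). */
static unsigned long second_alloc_after_full(enum range_check mode)
{
	struct vm_head head;

	vm_head_init(&head, 0x1000, 0x2000);
	if (vm_region_alloc(&head, 0x1000, mode) != 0x1000)
		return (unsigned long)-1;
	return vm_region_alloc(&head, 0x10, mode);
}

/* Tail case: leave a 16-byte gap at the end of the range, then request
 * 32 bytes. The in-loop check alone does not catch this one. */
static unsigned long alloc_over_tail(enum range_check mode)
{
	struct vm_head head;

	vm_head_init(&head, 0x1000, 0x2000);
	if (vm_region_alloc(&head, 0xff0, mode) != 0x1000)
		return (unsigned long)-1;
	return vm_region_alloc(&head, 0x20, mode);
}
```

With CHECK_GT, second_alloc_after_full() returns 0x2000, i.e. a region starting exactly at the end of the range, which is the behaviour the post describes; with CHECK_GE it returns 0. Under the same assumption that `end` is `head->vm_end`, the `>=` change on its own still lets alloc_over_tail() hand out 0x1ff0 for a 32-byte request, so the region ends at 0x2010, past the range; a check of `addr + size` against `vm_end` after the loop (CHECK_TAIL) is what closes that. If the real function computes `end` differently from what this model assumes, both observations need re-checking against the actual source.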