From ca95ed6a5776c38861f85ff005e8347c8ea41db5 Mon Sep 17 00:00:00 2001
From: Shiraz Hashim <shashim@codeaurora.org>
Date: Thu, 3 Nov 2016 15:24:35 +0530
Subject: [PATCH] mm: cma: check the max limit for cma allocation

CMA allocation request size is represented by size_t that
gets truncated when same is passed as int to
bitmap_find_next_zero_area_off.

We observe that during fuzz testing when cma allocation
request is too high, bitmap_find_next_zero_area_off still
returns success due to the truncation. This leads to
kernel crash, as subsequent code assumes that requested
memory is available.

Fail cma allocation in case the request breaches the
corresponding cma region size.

Change-Id: Ieb5fd8429726efd7686387bccb55952fb053280a
Signed-off-by: Shiraz Hashim <shashim@codeaurora.org>
---
 mm/cma.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/cma.c b/mm/cma.c
index 9ff71db72bc5..b55caef2454a 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -392,6 +392,9 @@ struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align)
 	bitmap_maxno = cma_bitmap_maxno(cma);
 	bitmap_count = cma_bitmap_pages_to_bits(cma, count);
 
+	if (bitmap_count > bitmap_maxno)
+		return NULL;
+
 	for (;;) {
 		mutex_lock(&cma->lock);
 		bitmap_no = bitmap_find_next_zero_area_off(cma->bitmap,