• Roman Gushchin's avatar
    mm/mmap.c: fix arithmetic overflow in __vm_enough_memory() · c529da02
    Roman Gushchin authored
    commit 5703b087 upstream.
    
    I noticed, that "allowed" can easily overflow by falling below 0,
    because (total_vm / 32) can be larger than "allowed".  The problem
    occurs in OVERCOMMIT_NONE mode.
    
    In this case, a huge allocation can success and overcommit the system
    (despite OVERCOMMIT_NONE mode).  All subsequent allocations will fall
    (system-wide), so system become unusable.
    
    The problem was masked out by commit c9b1d098
    ("mm: limit growth of 3% hardcoded other user reserve"),
    but it's easy to reproduce it on older kernels:
    1) set overcommit_memory sysctl to 2
    2) mmap() large file multiple times (with VM_SHARED flag)
    3) try to malloc() large amount of memory
    
    It also can be reproduced on newer kernels, but miss-configured
    sysctl_user_reserve_kbytes is required.
    
    Fix this issue by switching to signed arithmetic here.
    
    [akpm@linux-foundation.org: use min_t]
    Signed-off-by: default avatarRoman Gushchin <klamm@yandex-team.ru>
    Cc: Andrew Shewmaker <agshew@gmail.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Reviewed-by: default avatarMichal Hocko <mhocko@suse.cz>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    [bwh: Backported to 3.2: there is no 'reserved' variable]
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    c529da02
mmap.c 69.7 KB