Project

General

Profile

Actions

Bug #8622

closed

panic in PTE_set_all()

Added by Hans Rosenfeld about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Category:
kernel
Start date:
2017-09-07
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:
External Bug:

Description

The code path in immu_map_dvmaseg() that deals with a situation when a DMA request needs more than IMMU_NDCK cookies passes a too high npages argument to dvma_map(), leading to a panic in PTE_set_all().

The problem is that npages is increased before the block dealing with this situation, but the old value is needed in that block. When the npages argument is one too large, the for loop over the cookies in PTE_set_all() loops all the way to the end, causing an access to dcookies[-1] later and the attempt to map an invalid address. npages needs to be at most the sum of all pages of all the cookies.

Actions

Also available in: Atom PDF