lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 21 Aug 2018 08:20:38 +0200
From:   Greg Kroah-Hartman <>
Cc:     Greg Kroah-Hartman <>,, zhang jun <>,
        Takashi Iwai <>
Subject: [PATCH 4.18 12/35] ALSA: memalloc: Dont exceed over the requested size

4.18-stable review patch.  If anyone has any objections, please let me know.


From: Takashi Iwai <>

commit dfef01e150824b0e6da750cacda8958188d29aea upstream.

snd_dma_alloc_pages_fallback() tries to allocate pages again when the
allocation fails with reduced size.  But the first try actually
*increases* the size to power-of-two, which may give back a larger
chunk than the requested size.  This confuses the callers, e.g. sgbuf
assumes that the size is equal or less, and it may result in a bad
loop due to the underflow and eventually lead to Oops.

The code of this function seems incorrectly assuming the usage of
get_order().  We need to decrease at first, then align to

Reported-and-tested-by: he, bo <>
Reported-by: zhang jun <>
Cc: <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>

 sound/core/memalloc.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/sound/core/memalloc.c
+++ b/sound/core/memalloc.c
@@ -242,16 +242,12 @@ int snd_dma_alloc_pages_fallback(int typ
 	int err;
 	while ((err = snd_dma_alloc_pages(type, device, size, dmab)) < 0) {
-		size_t aligned_size;
 		if (err != -ENOMEM)
 			return err;
 		if (size <= PAGE_SIZE)
 			return -ENOMEM;
-		aligned_size = PAGE_SIZE << get_order(size);
-		if (size != aligned_size)
-			size = aligned_size;
-		else
-			size >>= 1;
+		size >>= 1;
+		size = PAGE_SIZE << get_order(size);
 	if (! dmab->area)
 		return -ENOMEM;

Powered by blists - more mailing lists