mm: fix overflow in vm_map_ram()

When remapping pages accounting for 4G or more memory space, the
operation 'count << PAGE_SHIFT' overflows as it is performed on an
integer.  Solution: cast before doing the bitshift.

[akpm@linux-foundation.org: fix vm_unmap_ram() also]
[akpm@linux-foundation.org: fix vmap() as well, per Guillermo]
Link: http://lkml.kernel.org/r/etPan.57175fb3.7a271c6b.2bd@naudit.es
Signed-off-by: Guillermo Julián Moreno <guillermo.julian@naudit.es>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 5 insertions, 4 deletions

diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index cf7ad1a53be0..e11475cdeb7a 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -1105,7 +1105,7 @@ EXPORT_SYMBOL_GPL(vm_unmap_aliases);
  */
 void vm_unmap_ram(const void *mem, unsigned int count)
 {
-        unsigned long size = count << PAGE_SHIFT;
+        unsigned long size = (unsigned long)count << PAGE_SHIFT;
         unsigned long addr = (unsigned long)mem;
 
         BUG_ON(!addr);
@@ -1140,7 +1140,7 @@ EXPORT_SYMBOL(vm_unmap_ram);
  */
 void *vm_map_ram(struct page **pages, unsigned int count, int node, pgprot_t prot)
 {
-        unsigned long size = count << PAGE_SHIFT;
+        unsigned long size = (unsigned long)count << PAGE_SHIFT;
         unsigned long addr;
         void *mem;
 
@@ -1574,14 +1574,15 @@ void *vmap(struct page **pages, unsigned int count,
                 unsigned long flags, pgprot_t prot)
 {
         struct vm_struct *area;
+        unsigned long size;             /* In bytes */
 
         might_sleep();
 
         if (count > totalram_pages)
                 return NULL;
 
-        area = get_vm_area_caller((count << PAGE_SHIFT), flags,
-                                        __builtin_return_address(0));
+        size = (unsigned long)count << PAGE_SHIFT;
+        area = get_vm_area_caller(size, flags, __builtin_return_address(0));
         if (!area)
                 return NULL;