* [PATCH] Fix bound checking in do_mmap_pgoff()
@ 2004-09-19  8:07 Benjamin Herrenschmidt
  2004-09-19 12:59 ` Hugh Dickins
  0 siblings, 1 reply; 3+ messages in thread
From: Benjamin Herrenschmidt @ 2004-09-19  8:07 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Linux Kernel list, Linus Torvalds, Segher Boessenkool

Hi !

A small issue has been forever in do_mmap_pgoff() in the boundary checking
in the sense that it won't let you mmap with offset+len enclosing the last
page of the "address space". For example, an mmap of /dev/mem won't let you
map the last page of the physical address space (which I need for a ROM dump
tool on pmac). This fixes it:

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>

===== mm/mmap.c 1.144 vs edited =====
--- 1.144/mm/mmap.c	2004-09-03 19:08:17 +10:00
+++ edited/mm/mmap.c	2004-09-19 18:04:34 +10:00
@@ -801,7 +801,7 @@
 		return -EINVAL;
 
 	/* offset overflow? */
-	if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
+	if ((pgoff + (len >> PAGE_SHIFT) - 1) < pgoff)
 		return -EINVAL;
 
 	/* Too many mappings? */
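Review bot: the new test (pgoff + (len >> PAGE_SHIFT) - 1) < pgoff depends on len >> PAGE_SHIFT being at least 1 at this point. With a page count of zero it reduces to pgoff - 1 < pgoff, which is true for every non-zero pgoff and would return -EINVAL for offsets the old test accepted. The hunk does not show where len is guaranteed to be non-zero and page-aligned, so that precondition should be stated next to the check. The /* offset overflow? */ comment also needs updating: after this change a mapping that ends on the last page index is allowed, and pgoff + (len >> PAGE_SHIFT) can legitimately be 0.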




* Re: [PATCH] Fix bound checking in do_mmap_pgoff()
  2004-09-19  8:07 [PATCH] Fix bound checking in do_mmap_pgoff() Benjamin Herrenschmidt
@ 2004-09-19 12:59 ` Hugh Dickins
  2004-09-19 13:09   ` Benjamin Herrenschmidt
  0 siblings, 1 reply; 3+ messages in thread
From: Hugh Dickins @ 2004-09-19 12:59 UTC (permalink / raw)
  To: Benjamin Herrenschmidt
  Cc: Andrew Morton, Linux Kernel list, Linus Torvalds,
	Segher Boessenkool

On Sun, 19 Sep 2004, Benjamin Herrenschmidt wrote:
> 
> A small issue has been forever in do_mmap_pgoff() in the boundary checking
> in the sense that it won't let you mmap with offset+len enclosing the last
> page of the "address space". For example, an mmap of /dev/mem won't let you
> map the last page of the physical address space (which I need for a ROM dump
> tool on pmac). This fixes it:
> -	if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
> +	if ((pgoff + (len >> PAGE_SHIFT) - 1) < pgoff)

Your physical address space happens to be 16TB?  Okay...

I think you need to add in the patch below, to prevent mismerging of vmas.
There might be other places which would get confused by an end pgoff of 0.

Hugh

--- 2.6.9-rc2/mm/mmap.c	2004-09-13 17:54:41.000000000 +0100
+++ linux/mm/mmap.c	2004-09-19 13:50:07.650860552 +0100
@@ -529,10 +529,6 @@ static inline int is_mergeable_anon_vma(
  *
  * We cannot merge two vmas if they have differently assigned (non-NULL)
  * anon_vmas, nor if same anon_vma is assigned but offsets incompatible.
- *
- * We don't check here for the merged mmap wrapping around the end of pagecache
- * indices (16TB on ia32) because do_mmap_pgoff() does not permit mmap's which
- * wrap, nor mmaps which cover the final page at index -1UL.
  */
 static int
 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
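Review bot: the comment deleted above can_vma_merge_before() was the only place recording why the merge checks could ignore wrapping, and nothing replaces it. Rather than only removing it, put the new rule in its place: a mapping may now cover the final page at index -1UL, so an end pgoff of 0 means the range wrapped and the vmas must not be merged.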
@@ -540,7 +536,7 @@ can_vma_merge_before(struct vm_area_stru
 {
 	if (is_mergeable_vma(vma, file, vm_flags) &&
 	    is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
-		if (vma->vm_pgoff == vm_pgoff)
+		if (vma->vm_pgoff == vm_pgoff && vm_pgoff != 0)
 			return 1;
 	}
 	return 0;
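Review bot: in can_vma_merge_before() the added vm_pgoff != 0 has no comment at the point of use, and nothing in this function tells the reader that 0 is being treated as a wrapped end offset rather than an ordinary offset. A one-line comment above the if would cover it. It is also worth confirming that no caller passes a vm_pgoff of 0 for a case that should still merge, since the test now refuses that value unconditionally.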
@@ -561,7 +557,7 @@ can_vma_merge_after(struct vm_area_struc
 	    is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
 		pgoff_t vm_pglen;
 		vm_pglen = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
-		if (vma->vm_pgoff + vm_pglen == vm_pgoff)
+		if (vma->vm_pgoff + vm_pglen == vm_pgoff && vm_pgoff != 0)
 			return 1;
 	}
 	return 0;
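Review bot: in can_vma_merge_after() the wrap is caught only indirectly. vma->vm_pgoff + vm_pglen can wrap to 0, and the merge is refused because the sum is compared for equality with a vm_pgoff that is separately tested against 0. Checking the sum itself (that vma->vm_pgoff + vm_pglen did not wrap below vma->vm_pgoff) would state the intent directly and would not rely on the value the caller passes. The cover note's "other places which would get confused by an end pgoff of 0" is left open by this patch and should be audited together with the do_mmap_pgoff() change.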



* Re: [PATCH] Fix bound checking in do_mmap_pgoff()
  2004-09-19 12:59 ` Hugh Dickins
@ 2004-09-19 13:09   ` Benjamin Herrenschmidt
  0 siblings, 0 replies; 3+ messages in thread
From: Benjamin Herrenschmidt @ 2004-09-19 13:09 UTC (permalink / raw)
  To: Hugh Dickins
  Cc: Andrew Morton, Linux Kernel list, Linus Torvalds,
	Segher Boessenkool

On Sun, 2004-09-19 at 22:59, Hugh Dickins wrote:
> On Sun, 19 Sep 2004, Benjamin Herrenschmidt wrote:
> > 
> > A small issue has been forever in do_mmap_pgoff() in the boundary checking
> > in the sense that it won't let you mmap with offset+len enclosing the last
> > page of the "address space". For example, an mmap of /dev/mem won't let you
> > map the last page of the physical address space (which I need for a ROM dump
> > tool on pmac). This fixes it:
> > -	if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
> > +	if ((pgoff + (len >> PAGE_SHIFT) - 1) < pgoff)
> 
> Your physical address space happens to be 16TB?  Okay...

hrm... nope... my bad, the problem comes from elsewhere, sorry. I need
to look at it again.

> I think you need to add in the patch below, to prevent mismerging of vmas.
> There might be other places which would get confused by an end pgoff of 0.

Ok, that's becoming more tricky then, Andrew, of course drop the bogus
patch for now, I'll look into more details later if I find time. In the
meantime, we'll continue to use a special kernel module for doing the
ROM dump.

Ben.
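
The arithmetic behind the "16TB" remark, as an added example that is not part of the thread or of the kernel source. It assumes a 32-bit unsigned long (modelled with uint32_t) and 4 KiB pages, as in the "16TB on ia32" comment; the helper names are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this illustration: 32-bit unsigned long (uint32_t)
 * and 4 KiB pages. Helper names are hypothetical, not kernel symbols. */
#define PAGE_SHIFT 12
typedef uint32_t pgoff32_t;

/* Check before the patch: reject when the end index (one past the last
 * mapped page) wraps around. */
static int old_check_rejects(pgoff32_t pgoff, uint32_t len)
{
	return (pgoff32_t)(pgoff + (len >> PAGE_SHIFT)) < pgoff;
}

/* Check from the patch: reject only when the last mapped index wraps. */
static int new_check_rejects(pgoff32_t pgoff, uint32_t len)
{
	return (pgoff32_t)(pgoff + (len >> PAGE_SHIFT) - 1) < pgoff;
}

/* Byte offset of a page index, widened so the shift cannot overflow. */
static uint64_t byte_offset(pgoff32_t pgoff)
{
	return (uint64_t)pgoff << PAGE_SHIFT;
}

int main(void)
{
	const uint32_t one_page = 1u << PAGE_SHIFT;
	const pgoff32_t top_of_4g = 0x000FFFFFu;  /* last page below 4 GiB */
	const pgoff32_t last_index = 0xFFFFFFFFu; /* page index -1UL */

	/* Last page of a 4 GiB space: both checks accept it, so the patch
	 * changes nothing for a mapping at this offset. */
	printf("pgoff %#x (byte %#llx): old=%d new=%d\n", (unsigned)top_of_4g,
	       (unsigned long long)byte_offset(top_of_4g),
	       old_check_rejects(top_of_4g, one_page),
	       new_check_rejects(top_of_4g, one_page));

	/* Page index -1UL, i.e. 16 TiB minus one page: the only place where
	 * the two checks disagree for a one-page mapping. */
	printf("pgoff %#x (byte %#llx): old=%d new=%d\n", (unsigned)last_index,
	       (unsigned long long)byte_offset(last_index),
	       old_check_rejects(last_index, one_page),
	       new_check_rejects(last_index, one_page));
	return 0;
}
```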
 

