From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
linuxppc-dev list <linuxppc-dev@ozlabs.org>
Cc: Theodore Ts'o <tytso@mit.edu>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Justin Forbes <jmforbes@linuxtx.org>,
Domenico Andreoli <cavokz@gmail.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Paul Mackerras <paulus@samba.org>,
Randy Dunlap <rdunlap@xenotime.net>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>, Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
akpm@linux-foundation.org, torvalds@linux-foundation.org,
alan@lxorguk.ukuu.org.uk
Subject: [patch 07/12] powerpc: Fix size check for hugetlbfs
Date: Tue, 14 Aug 2007 00:29:18 -0700
Message-ID: <20070814072918.GG15025@kroah.com>
In-Reply-To: <20070814072813.GA15025@kroah.com>
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
My "slices" address space management code that was added in 2.6.22
implementation of get_unmapped_area() doesn't properly check that the
size is a multiple of the requested page size. This allows userland to
create VMAs that aren't a multiple of the huge page size with hugetlbfs
(since hugetlbfs entirely relies on get_unmapped_area() to do that
checking) which leads to a kernel BUG() when such areas are torn down.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/powerpc/mm/slice.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/powerpc/mm/slice.c
+++ b/arch/powerpc/mm/slice.c
@@ -405,6 +405,8 @@ unsigned long slice_get_unmapped_area(un
if (len > mm->task_size)
return -ENOMEM;
+ if (len & ((1ul << pshift) - 1))
+ return -EINVAL;
if (fixed && (addr & ((1ul << pshift) - 1)))
return -EINVAL;
if (fixed && addr > (mm->task_size - len))
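Review bot: The added length test `if (len & ((1ul << pshift) - 1))` repeats the mask expression used by the `fixed && (addr & ...)` test directly below it; computing the mask once into a local and using it for both tests would keep the two alignment checks visibly in step. A one-line comment stating that hugetlbfs depends on this function to reject lengths that are not a multiple of the page size would also help, since nothing in the code itself shows that dependency. A zero `len` passes both this test and the `len > mm->task_size` test above it, so it is worth confirming that callers reject a zero length before reaching this point.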
--