From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750995AbbD3FO0 (ORCPT ); Thu, 30 Apr 2015 01:14:26 -0400 Received: from mail-pa0-f42.google.com ([209.85.220.42]:35657 "EHLO mail-pa0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750705AbbD3FOZ (ORCPT ); Thu, 30 Apr 2015 01:14:25 -0400 From: "Reese Faucette" To: Cc: Subject: [PATCH] overflow check calculation in mm/mmap.c is incorrect linux-3.12.38 Date: Wed, 29 Apr 2015 22:14:19 -0700 Message-ID: <007301d08304$85881420$90983c60$@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 Thread-Index: AdCDA/NnxIaEQLxETJWP6qVxc4s9nw== Content-Language: en-us Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When checking for overflow, the code in mm/mmap.c compares the first byte *after* the end of mapped region to the start of the region instead of the last byte of the mapped region. This prevents mapping a region which abuts the end of physical space, as mmap() incorrectly rejects the region with -EOVERFLOW, because pgoff + (len >> PAGE_SHIFT) will be 0, which is < pgoff. -reese Reese Faucette Cisco Systems, Inc. ==================================================== --- mm/mmap.c +++ mm/mmap.c @@ -1241,7 +1241,7 @@ return -ENOMEM; /* offset overflow? */ - if ((pgoff + (len >> PAGE_SHIFT)) < pgoff) + if ((pgoff + (len >> PAGE_SHIFT) - 1) < pgoff) return -EOVERFLOW; /* Too many mappings? */
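Review bot: The new condition `(pgoff + (len >> PAGE_SHIFT) - 1) < pgoff` is only correct when `len >> PAGE_SHIFT` is at least 1 at this point, and nothing in the visible context shows that. If the page count can be 0 here, the expression reduces to `pgoff - 1 < pgoff`, which is true for every nonzero `pgoff`, so the check would return -EOVERFLOW for mappings that do not wrap. With `pgoff == 0` it wraps to the maximum value and passes, so the behaviour would also be inconsistent between the two cases. Please state in the commit message or in the comment which earlier check guarantees a nonzero page count, or write the test so it does not depend on one, for example by comparing the page count minus one against the room left above `pgoff`. The `/* offset overflow? */` comment should also say that the last page of the mapping is what gets compared, since that is the whole point of the change. Separately, the message has no Signed-off-by line and the subject says the diff is against linux-3.12.38, so it needs a sign-off and a note on whether the same check is still present in the current tree.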