--- /dev/null
+From bd726c90b6b8ce87602208701b208a208e6d5600 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 19 Jun 2017 17:34:05 +0200
+Subject: Allow stack to grow up to address space limit
+
+From: Helge Deller <deller@gmx.de>
+
+commit bd726c90b6b8ce87602208701b208a208e6d5600 upstream.
+
+Fix expand_upwards() on architectures with an upward-growing stack (parisc,
+metag and partly IA-64) to allow the stack to reliably grow exactly up to
+the address space limit given by TASK_SIZE.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Acked-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mmap.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2228,16 +2228,19 @@ int expand_upwards(struct vm_area_struct
+ if (!(vma->vm_flags & VM_GROWSUP))
+ return -EFAULT;
+
+- /* Guard against wrapping around to address 0. */
++ /* Guard against exceeding limits of the address space. */
+ address &= PAGE_MASK;
+- address += PAGE_SIZE;
+- if (!address)
++ if (address >= TASK_SIZE)
+ return -ENOMEM;
++ address += PAGE_SIZE;
+
+ /* Enforce stack_guard_gap */
+ gap_addr = address + stack_guard_gap;
+- if (gap_addr < address)
+- return -ENOMEM;
++
++ /* Guard against overflow */
++ if (gap_addr < address || gap_addr > TASK_SIZE)
++ gap_addr = TASK_SIZE;
++
+ next = vma->vm_next;
+ if (next && next->vm_start < gap_addr) {
+ if (!(next->vm_flags & VM_GROWSUP))
--- /dev/null
+From f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Tue, 20 Jun 2017 02:10:44 -0700
+Subject: mm: fix new crash in unmapped_area_topdown()
+
+From: Hugh Dickins <hughd@google.com>
+
+commit f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 upstream.
+
+Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
+mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the
+end of unmapped_area_topdown(). Linus points out how MAP_FIXED
+(which does not have to respect our stack guard gap intentions)
+could result in gap_end below gap_start there. Fix that, and
+the similar case in its alternative, unmapped_area().
+
+Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Debugged-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1817,7 +1817,8 @@ check_current:
+ /* Check if current node has a suitable gap */
+ if (gap_start > high_limit)
+ return -ENOMEM;
+- if (gap_end >= low_limit && gap_end - gap_start >= length)
++ if (gap_end >= low_limit &&
++ gap_end > gap_start && gap_end - gap_start >= length)
+ goto found;
+
+ /* Visit right subtree if it looks promising */
+@@ -1920,7 +1921,8 @@ check_current:
+ gap_end = vm_start_gap(vma);
+ if (gap_end < low_limit)
+ return -ENOMEM;
+- if (gap_start <= high_limit && gap_end - gap_start >= length)
++ if (gap_start <= high_limit &&
++ gap_end > gap_start && gap_end - gap_start >= length)
+ goto found;
+
+ /* Visit left subtree if it looks promising */
projects / thirdparty / kernel / stable-queue.git / commitdiff
