Commit | Line | Data |
---|---|---|
ba172962 SL |
1 | From 99ee7f5d19e043a51116b66b2ab12345d2616aa3 Mon Sep 17 00:00:00 2001 |
2 | From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com> | |
3 | Date: Tue, 26 Feb 2019 10:09:34 +0530 | |
4 | Subject: powerpc/hugetlb: Handle mmap_min_addr correctly in get_unmapped_area | |
5 | callback | |
6 | ||
7 | [ Upstream commit 5330367fa300742a97e20e953b1f77f48392faae ] | |
8 | ||
9 | After we ALIGN up the address we need to make sure we didn't overflow | |
10 | and end up with a zero address. In that case, we need to make sure that | |
11 | the returned address is greater than mmap_min_addr. | |
12 | ||
13 | This fixes selftest va_128TBswitch --run-hugetlb reporting failures when | |
14 | run as non root user for | |
15 | ||
16 | mmap(-1, MAP_HUGETLB) | |
17 | ||
18 | The bug is that a non-root user requesting address -1 will be given address 0 | |
19 | which will then fail, whereas they should have been given something else that | |
20 | would have succeeded. | |
21 | ||
22 | We also avoid the first mmap(-1, MAP_HUGETLB) returning NULL address as mmap address | |
23 | with this change. So we think this is not a security issue, because it only affects | |
24 | whether we choose an address below mmap_min_addr, not whether we | |
25 | actually allow that address to be mapped. ie. there are existing capability | |
26 | checks to prevent a user mapping below mmap_min_addr and those will still be | |
27 | honoured even without this fix. | |
28 | ||
29 | Fixes: 484837601d4d ("powerpc/mm: Add radix support for hugetlb") | |
30 | Reviewed-by: Laurent Dufour <ldufour@linux.vnet.ibm.com> | |
31 | Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com> | |
32 | Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> | |
33 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
34 | --- | |
35 | arch/powerpc/mm/hugetlbpage-radix.c | 5 +++-- | |
36 | 1 file changed, 3 insertions(+), 2 deletions(-) | |
37 | ||
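diff --git a/arch/powerpc/mm/hugetlbpage-radix.c b/arch/powerpc/mm/hugetlbpage-radix.c
index 2486bee0f93e..97c7a39ebc00 100644
--- a/arch/powerpc/mm/hugetlbpage-radix.c
+++ b/arch/powerpc/mm/hugetlbpage-radix.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/mm.h>
 #include <linux/hugetlb.h>
+#include <linux/security.h>
 #include <asm/pgtable.h>
 #include <asm/pgalloc.h>
 #include <asm/cacheflush.h>
@@ -73,7 +74,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
 if (addr) {
 addr = ALIGN(addr, huge_page_size(h));
 vma = find_vma(mm, addr);
- if (high_limit - len >= addr &&
+ if (high_limit - len >= addr && addr >= mmap_min_addr &&
 (!vma || addr + len <= vm_start_gap(vma)))
 return addr;
 }
@@ -83,7 +84,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
 */
 info.flags = VM_UNMAPPED_AREA_TOPDOWN;
 info.length = len;
- info.low_limit = PAGE_SIZE;
+ info.low_limit = max(PAGE_SIZE, mmap_min_addr);
 info.high_limit = mm->mmap_base + (high_limit - DEFAULT_MAP_WINDOW);
 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
 info.align_offset = 0;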
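Review bot: The wrap of `ALIGN(addr, huge_page_size(h))` in the hint path is caught only as a side effect of `addr >= mmap_min_addr`, so on a system where mmap_min_addr is 0 a hint near the top of the address space would still align to 0 and could be returned as the chosen address. Keeping the caller's hint in a local and taking the hint path only when the aligned `addr` is not below it would test the overflow directly, independent of the sysctl value. A comment above the condition, such as `/* address selection only; mapping below mmap_min_addr is still refused by the existing capability checks */`, would record what the description says, that this is not the enforcement point. `radix__hugetlb_get_unmapped_area` begins and ends outside the hunks shown, so whether `len > high_limit` is rejected before `high_limit - len` is evaluated cannot be confirmed from here.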
68 | -- | |
69 | 2.19.1 | |
70 |