UPSTREAM: hugetlbfs: check for pgoff value overflow
A vma with vm_pgoff large enough to overflow a loff_t type when
converted to a byte offset can be passed via the remap_file_pages system
call. The hugetlbfs mmap routine uses the byte offset to calculate
reservations and file size.
A sequence such as:
mmap(0x20a00000, 0x600000, 0, 0x66033, -1, 0);
remap_file_pages(0x20a00000, 0x600000, 0, 0x20000000000000, 0);
will result in the following when task exits/file closed,
kernel BUG at mm/hugetlb.c:749!
The overflowed pgoff value causes hugetlbfs to try to set up a mapping
with a negative range (end < start) that leaves invalid state which
causes the BUG.
The previous overflow fix to this code was incomplete and did not take
the remap_file_pages system call into account.
[email@example.com: include mmdebug.h]
[firstname.lastname@example.org: fix -ve left shift count on sh]
Fixes: 045c7a3f53d9 ("hugetlbfs: fix offset overflow in hugetlbfs mmap")
Signed-off-by: Mike Kravetz <email@example.com>
Reported-by: Nic Losby <firstname.lastname@example.org>
Acked-by: Michal Hocko <email@example.com>
Cc: "Kirill A . Shutemov" <firstname.lastname@example.org>
Cc: Yisheng Xie <email@example.com>
Signed-off-by: Andrew Morton <firstname.lastname@example.org>
Signed-off-by: Linus Torvalds <email@example.com>
TEST=Build and boot
Signed-off-by: Guenter Roeck <firstname.lastname@example.org>
(cherry picked from commit 63489f8e821144000e0bdca7e65a8d1cc23a7ee7)
Reviewed-by: Zubin Mithra <email@example.com>
Reviewed-by: Dylan Reid <firstname.lastname@example.org>
(cherry picked from commit 9294844fcb72f28f468c39452e2bc14b5839d92b)
2 files changed