author | Davidlohr Bueso <dave@stgolabs.net> | 2017-03-12 08:18:26 (GMT) |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2017-03-12 08:18:26 (GMT) |
commit | 78b2dcc0df31d270d73a02ed28f3b2754880f8c7 (patch) | |
tree | 3330902e01c7138714b7a3ea0c81a0d4c421355b | |
parent | 6d8a3f1ca1e7f7e4b7bf081e94722ed82499c985 (diff) | |
parent | 270e84a1e6effd6c0c6e9b13b196b5fdaa392954 (diff) | |
download | common-78b2dcc0df31d270d73a02ed28f3b2754880f8c7.zip common-78b2dcc0df31d270d73a02ed28f3b2754880f8c7.tar.gz common-78b2dcc0df31d270d73a02ed28f3b2754880f8c7.tar.bz2 |
ipc/shm: Fix shmat mmap nil-page protection
am: 270e84a1e6
Change-Id: Ibcc5e2d46f533a60c0d1cabb24c42e2c72e5a24a
-rw-r--r-- | ipc/shm.c | 13 |
1 files changed, 9 insertions, 4 deletions
@@ -1085,8 +1085,8 @@ out_unlock1: * "raddr" thing points to kernel space, and there has to be a wrapper around * this. */ -long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, - unsigned long shmlba) +long do_shmat(int shmid, char __user *shmaddr, int shmflg, + ulong *raddr, unsigned long shmlba) { struct shmid_kernel *shp; unsigned long addr; @@ -1107,8 +1107,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, goto out; else if ((addr = (ulong)shmaddr)) { if (addr & (shmlba - 1)) { - if (shmflg & SHM_RND) - addr &= ~(shmlba - 1); /* round down */ + /* + * Round down to the nearest multiple of shmlba. + * For sane do_mmap_pgoff() parameters, avoid + * round downs that trigger nil-page and MAP_FIXED. + */ + if ((shmflg & SHM_RND) && addr >= shmlba) + addr &= ~(shmlba - 1); else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK) |