summaryrefslogtreecommitdiff
authorDavidlohr Bueso <dave@stgolabs.net>2017-03-12 08:18:26 (GMT)
committer android-build-merger <android-build-merger@google.com>2017-03-12 08:18:26 (GMT)
commit78b2dcc0df31d270d73a02ed28f3b2754880f8c7 (patch)
tree3330902e01c7138714b7a3ea0c81a0d4c421355b
parent6d8a3f1ca1e7f7e4b7bf081e94722ed82499c985 (diff)
parent270e84a1e6effd6c0c6e9b13b196b5fdaa392954 (diff)
downloadcommon-78b2dcc0df31d270d73a02ed28f3b2754880f8c7.zip
common-78b2dcc0df31d270d73a02ed28f3b2754880f8c7.tar.gz
common-78b2dcc0df31d270d73a02ed28f3b2754880f8c7.tar.bz2
ipc/shm: Fix shmat mmap nil-page protection
am: 270e84a1e6 Change-Id: Ibcc5e2d46f533a60c0d1cabb24c42e2c72e5a24a
Diffstat
-rw-r--r--ipc/shm.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/ipc/shm.c b/ipc/shm.c
index dbac886..e2072ae 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1085,8 +1085,8 @@ out_unlock1:
* "raddr" thing points to kernel space, and there has to be a wrapper around
* this.
*/
-long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
- unsigned long shmlba)
+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
+ ulong *raddr, unsigned long shmlba)
{
struct shmid_kernel *shp;
unsigned long addr;
@@ -1107,8 +1107,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
goto out;
else if ((addr = (ulong)shmaddr)) {
if (addr & (shmlba - 1)) {
- if (shmflg & SHM_RND)
- addr &= ~(shmlba - 1); /* round down */
+ /*
+ * Round down to the nearest multiple of shmlba.
+ * For sane do_mmap_pgoff() parameters, avoid
+ * round downs that trigger nil-page and MAP_FIXED.
+ */
+ if ((shmflg & SHM_RND) && addr >= shmlba)
+ addr &= ~(shmlba - 1);
else
#ifndef __ARCH_FORCE_SHMLBA
if (addr & ~PAGE_MASK)
generated by cgit at 2024-05-18 15:16:59 (GMT)