Commit a626ca6a authored Apr 13, 2011 by Linus Torvalds

vm: fix vm_pgoff wrap in stack expansion



Commit 982134ba ("mm: avoid wrapping vm_pgoff in mremap()") fixed
the case of a expanding mapping causing vm_pgoff wrapping when you used
mremap.  But there was another case where we expand mappings hiding in
plain sight: the automatic stack expansion.

This fixes that case too.

This one also found by Robert Święcki, using his nasty system call
fuzzer tool.  Good job.

Reported-and-tested-by: Robert Święcki <robert@swiecki.net>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 60d48c1e

mm/mmap.c

+8 −5

Original line number	Diff line number	Diff line
		@@ -1814,6 +1814,8 @@ static int expand_downwards(struct vm_area_struct *vma,
		size = vma->vm_end - address;
		grow = (vma->vm_start - address) >> PAGE_SHIFT;

		error = -ENOMEM;
		if (grow <= vma->vm_pgoff) {
		error = acct_stack_growth(vma, size, grow);
		if (!error) {
		vma->vm_start = address;
		@@ -1821,6 +1823,7 @@ static int expand_downwards(struct vm_area_struct *vma,
		perf_event_mmap(vma);
		}
		}
		}
		vma_unlock_anon_vma(vma);
		khugepaged_enter_vma_merge(vma);
		return error;