diff options
author | Davidlohr Bueso <dave@stgolabs.net> | 2017-03-12 08:18:26 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2017-03-12 08:18:26 +0000 |
commit | 78b2dcc0df31d270d73a02ed28f3b2754880f8c7 (patch) | |
tree | 3330902e01c7138714b7a3ea0c81a0d4c421355b /ipc | |
parent | 6d8a3f1ca1e7f7e4b7bf081e94722ed82499c985 (diff) | |
parent | 270e84a1e6effd6c0c6e9b13b196b5fdaa392954 (diff) |
ipc/shm: Fix shmat mmap nil-page protection
am: 270e84a1e6
Change-Id: Ibcc5e2d46f533a60c0d1cabb24c42e2c72e5a24a
Diffstat (limited to 'ipc')
-rw-r--r-- | ipc/shm.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/ipc/shm.c b/ipc/shm.c index dbac8860c721..e2072ae4f90e 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -1085,8 +1085,8 @@ out_unlock1: * "raddr" thing points to kernel space, and there has to be a wrapper around * this. */ -long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, - unsigned long shmlba) +long do_shmat(int shmid, char __user *shmaddr, int shmflg, + ulong *raddr, unsigned long shmlba) { struct shmid_kernel *shp; unsigned long addr; @@ -1107,8 +1107,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, goto out; else if ((addr = (ulong)shmaddr)) { if (addr & (shmlba - 1)) { - if (shmflg & SHM_RND) - addr &= ~(shmlba - 1); /* round down */ + /* + * Round down to the nearest multiple of shmlba. + * For sane do_mmap_pgoff() parameters, avoid + * round downs that trigger nil-page and MAP_FIXED. + */ + if ((shmflg & SHM_RND) && addr >= shmlba) + addr &= ~(shmlba - 1); else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK) |