linux-stable/mm
Linus Torvalds 130d82a534 mm: avoid wrapping vm_pgoff in mremap()
commit 982134ba62 upstream.

The normal mmap paths all avoid creating a mapping where the pgoff
inside the mapping could wrap around due to overflow.  However, an
expanding mremap() can take such a non-wrapping mapping and make it
bigger and cause a wrapping condition.

Noticed by Robert Swiecki when running a system call fuzzer, where it
caused a BUG_ON() due to terminally confusing the vma_prio_tree code.  A
vma dumping patch by Hugh then pinpointed the crazy wrapped case.

Reported-and-tested-by: Robert Swiecki <robert@swiecki.net>
Acked-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[wt: 2.6.27 has this code in do_mremap()]
2011-04-30 16:53:28 +02:00
allocpercpu.c mm/allocpercpu.c: make 4 functions static 2008-07-26 12:00:12 -07:00
backing-dev.c mm/backing-dev.c: remove recently-added WARN_ON() 2010-08-13 13:50:39 -07:00
bootmem.c bootmem: fix aligning of node-relative indexes and offsets 2008-08-20 15:40:31 -07:00
bounce.c bounce: call flush_dcache_page() after bounce_copy_vec() 2010-09-20 13:03:21 -07:00
dmapool.c dmapool: enable debugging for CONFIG_SLUB_DEBUG_ON too 2008-04-28 08:58:20 -07:00
fadvise.c System call wrapper special cases 2009-01-18 10:35:34 -08:00
filemap_xip.c mm: do_xip_mapping_read: fix length calculation 2009-05-02 10:23:59 -07:00
filemap.c do_generic_file_read: clear page errors when issuing a fresh read of the page 2010-07-05 11:08:44 -07:00
fremap.c System call wrappers part 13 2009-01-18 10:35:36 -08:00
highmem.c highmem: Export totalhigh_pages. 2008-07-19 22:39:46 -07:00
hugetlb.c hugetlb: restore interleaving of bootmem huge pages (2.6.31) 2009-10-05 08:11:49 -07:00
internal.h mm: fix is_mem_section_removable() page_order BUG_ON check 2010-12-09 13:24:16 -08:00
Kconfig security: use mmap_min_addr independently of security models 2009-07-19 20:44:59 -07:00
maccess.c kgdb: fix optional arch functions and probe_kernel_* 2008-04-17 20:05:39 +02:00
madvise.c Ignore madvise(MADV_WILLNEED) for hugetlbfs-backed regions 2009-05-08 14:54:36 -07:00
Makefile mmu-notifiers: core 2008-07-28 16:30:21 -07:00
memcontrol.c mm owner: fix race between swapoff and exit 2008-09-29 08:41:47 -07:00
memory_hotplug.c mm: fix return value of scan_lru_pages in memory unplug 2010-12-09 13:24:16 -08:00
memory.c guard page for stacks that grow upwards 2010-10-28 21:04:14 -07:00
mempolicy.c numa: fix slab_node(MPOL_BIND) 2010-12-09 13:24:16 -08:00
mempool.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
migrate.c Fix potential crash with sys_move_pages 2010-04-01 15:52:15 -07:00
mincore.c System call wrappers part 14 2009-01-18 10:35:37 -08:00
mlock.c System call wrappers part 14 2009-01-18 10:35:37 -08:00
mm_init.c mm: mminit_loglevel cannot be __meminitdata anymore 2008-08-20 15:40:30 -07:00
mmap.c install_special_mapping skips security_file_mmap check. 2011-02-09 22:15:39 +01:00
mmu_notifier.c mmu-notifiers: core 2008-07-28 16:30:21 -07:00
mmzone.c mm: mark the correct zone as full when scanning zonelists 2008-09-13 14:41:52 -07:00
mprotect.c System call wrappers part 13 2009-01-18 10:35:36 -08:00
mremap.c mm: avoid wrapping vm_pgoff in mremap() 2011-04-30 16:53:28 +02:00
msync.c System call wrappers part 13 2009-01-18 10:35:36 -08:00
nommu.c nfsd: fix vm overcommit crash 2010-05-26 14:27:09 -07:00
oom_kill.c security: Fix setting of PF_SUPERPRIV by __capable() 2008-08-14 22:59:43 +10:00
page_alloc.c page-allocator: preserve PFN ordering when __GFP_COLD is set 2009-08-16 14:26:35 -07:00
page_io.c mm: fix PageUptodate data race 2008-02-05 09:44:19 -08:00
page_isolation.c memory hotplug: fix page_zone() calculation in test_pages_isolated() 2008-11-20 14:54:47 -08:00
page-writeback.c vfs: Remove the range_cont writeback mode. 2010-05-26 14:27:06 -07:00
pagewalk.c pagemap: pass mm into pagewalkers 2008-06-12 18:05:41 -07:00
pdflush.c pdflush: use time_after() instead of open-coding it 2008-07-25 10:53:28 -07:00
prio_tree.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
quicklist.c mm: size of quicklists shouldn't be proportional to the number of CPUs 2008-09-02 19:21:38 -07:00
readahead.c mm: readahead scan lockless 2008-07-26 12:00:06 -07:00
rmap.c anon_vma_prepare: properly lock even newly allocated entries 2008-10-25 14:32:41 -07:00
shmem_acl.c [PATCH] sanitize ->permission() prototype 2008-07-26 20:53:14 -04:00
shmem.c shmem: let shared anonymous be nonlinear again 2011-04-30 16:53:21 +02:00
slab.c fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b 2009-07-30 16:05:58 -07:00
slob.c fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b 2009-07-30 16:05:58 -07:00
slub.c slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU 2009-09-15 10:37:24 -07:00
sparse-vmemmap.c Christoph has moved 2008-07-04 10:40:04 -07:00
sparse.c mm/sparse.c: removed duplicated include 2008-08-12 16:07:30 -07:00
swap_state.c mm: show free swap as signed 2008-08-20 15:40:30 -07:00
swap.c mm: remove UP version of lru_add_drain_all() 2009-02-12 09:31:12 -08:00
swapfile.c System call wrappers part 26 2009-01-18 10:35:39 -08:00
thrash.c Bug in mm/thrash.c function grab_swap_token() 2007-05-11 08:29:32 -07:00
tiny-shmem.c mm: tiny-shmem nommu fix 2008-10-02 15:53:13 -07:00
truncate.c VFS: fix dio write returning EIO when try_to_release_page fails 2008-09-02 19:21:37 -07:00
util.c mm: Make generic weak get_user_pages_fast and EXPORT_GPL it 2008-08-12 17:52:53 +10:00
vmalloc.c Use WARN() in mm/vmalloc.c 2008-07-26 12:00:07 -07:00
vmscan.c mm: rename page trylock 2008-08-04 21:31:34 -07:00
vmstat.c [ARM] Skip memory holes in FLATMEM when reading /proc/pagetypeinfo 2008-08-27 20:09:28 +01:00