RE: [PATCH] overflow check calculation in mm/mmap.c is incorrect linux-3.12.38

From: Reese Faucette
Date: Wed May 13 2015 - 12:59:03 EST


Rasmus-
I think you're right - I was not paying close enough attention. In this
case, I think the real culprit appears to be something like libc incorrectly
sign-extending the mmap() offset argument. Calling mmap() with an offset of
0xf80000000 is resulting in a pg_off of 0xffff8000 when the syscall wrappers
convert the mmap() call to mmap_pgoff(). This is on MIPS linux - I'll dig
further on the user side to see why the offset is being sign extended. The
proper casts *seem* to be in place in libc, but it's plainly not doing what
it's supposed to.
-reese

> -----Original Message-----
> From: Rasmus Villemoes [mailto:linux@xxxxxxxxxxxxxxxxxx]
> Sent: Friday, May 08, 2015 2:46 AM
> To: Reese Faucette
> Cc: linux-kernel@xxxxxxxxxxxxxxx; alan@xxxxxxxxxxxxxxxxxxx
> Subject: Re: [PATCH] overflow check calculation in mm/mmap.c is incorrect
> linux-3.12.38
>
> On Thu, Apr 30 2015, "Reese Faucette" <reesefaucette@xxxxxxxxx> wrote:
>
> > When checking for overflow, the code in mm/mmap.c compares the first
> > byte
> > *after* the end of mapped region to the start of the region instead of
> > the last byte of the mapped region. This prevents mapping a region
> > which abuts the end of physical space, as mmap() incorrectly rejects
> > the region with -EOVERFLOW, because pgoff + (len >> PAGE_SHIFT) will
> > be 0, which is < pgoff.
>
> Note this comment elsewhere in mmap.c:
>
> * We don't check here for the merged mmap wrapping around the end of pagecache
> * indices (16TB on ia32) because do_mmap_pgoff() does not permit mmap's which
> * wrap, nor mmaps which cover the final page at index -1UL.
>
> So it seems to be by design.
>
> But I'm also a little confused, since pgoff should be in units of pages (so a
> 20 bit number on 32bit), and I can't see how adding another 20 bit number
> could ever make that overflow. Unless of course some magic power ensures
> that pgoffs in the high half get sign-extended.
>
> Rasmus
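Added example, not code from the thread or from the kernel: a small C model of the mm/mmap.c check and of the sign-extended pg_off Reese describes, using a 32-bit unsigned long as on MIPS32. The 64 KB page size (PAGE_SHIFT 16) and the 2 GB length are assumptions chosen so the constructed values reproduce the 0xf80000000 -> 0xffff8000 conversion quoted above and a mapping that ends exactly at 64 GB.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 64 KB pages. With PAGE_SHIFT 16 a signed 32-bit 0x80000000
 * shifted arithmetically gives 0xffff8000, the pg_off seen in the thread. */
#define PAGE_SHIFT 16

/* The overflow check discussed in the thread, with a 32-bit unsigned long.
 * Returns 1 when the kernel would reject the mapping with -EOVERFLOW. */
int pgoff_check_overflows(uint32_t pgoff, uint32_t len)
{
    uint32_t pages = len >> PAGE_SHIFT;
    return (uint32_t)(pgoff + pages) < pgoff;
}

/* Offset-to-page conversion done right: keep the full 64-bit offset and use
 * a logical (unsigned) shift, so no high bit can be sign-extended. */
uint32_t pgoff_from_off_correct(uint64_t off)
{
    return (uint32_t)(off >> PAGE_SHIFT);
}

/* Constructed model of the wrapper defect Reese suspects: the 64-bit offset
 * is truncated to a *signed* 32-bit value, then shifted arithmetically (gcc
 * and clang behaviour), so bit 31 smears across the top of pg_off. */
uint32_t pgoff_from_off_sign_extended(uint64_t off)
{
    int32_t truncated = (int32_t)(uint32_t)off;  /* 0xf80000000 -> 0x80000000 */
    return (uint32_t)(truncated >> PAGE_SHIFT);  /* -> 0xffff8000 */
}

int main(void)
{
    uint64_t off = 0xf80000000ULL;   /* offset quoted in the thread */
    uint32_t len = 0x80000000u;      /* 2 GB, constructed: mapping ends at 64 GB */
    uint32_t good = pgoff_from_off_correct(off);
    uint32_t bad  = pgoff_from_off_sign_extended(off);

    /* good pg_off 0x000f8000: 0xf8000 + 0x8000 = 0x100000, no wrap, accepted */
    printf("correct  pg_off 0x%08x overflow=%d\n", good, pgoff_check_overflows(good, len));
    /* bad pg_off 0xffff8000: 0xffff8000 + 0x8000 wraps to 0, rejected */
    printf("sign-ext pg_off 0x%08x overflow=%d\n", bad, pgoff_check_overflows(bad, len));
    return 0;
}
```

The second line shows Rasmus's point in numbers: two page counts that fit in the real page-index range cannot wrap, so a tripped check means pg_off was already corrupted on the way in.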
