Re: [PATCH] mm: don't clobber partially overlapping VMA with MAP_FIXED_NOREPLACE

From: Michal Hocko
Date: Wed Oct 10 2018 - 13:39:02 EST


On Wed 10-10-18 19:26:50, Jann Horn wrote:
[...]
> As you can see, the first page of the mapping at 0x10001000 was clobbered.
>
> > > diff --git a/mm/mmap.c b/mm/mmap.c
> > > index 5f2b2b184c60..f7cd9cb966c0 100644
> > > --- a/mm/mmap.c
> > > +++ b/mm/mmap.c
> > > @@ -1410,7 +1410,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
> > > if (flags & MAP_FIXED_NOREPLACE) {
> > > struct vm_area_struct *vma = find_vma(mm, addr);
> > >
> > > - if (vma && vma->vm_start <= addr)
> > > + if (vma && vma->vm_start < addr + len)
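Review bot: the changelog should state explicitly that the old condition `vma->vm_start <= addr` is a false negative for a partial overlap, since the discussion below shows it was read as being about false positives. With find_vma's documented contract (first VMA with addr < vm_end), the returned VMA can start anywhere below the end of the requested range; the old test only rejected a VMA starting at or before addr, so a VMA that begins strictly inside [addr, addr + len) was missed and its first page clobbered, as the 0x10001000 example above shows. The replacement `vma->vm_start < addr + len` rejects exactly that case.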
> >
> > find_vma is documented to - Look up the first VMA which satisfies addr <
> > vm_end, NULL if none.
> > This means that the above check guarantees that
> > vm_start <= addr < vm_end
> > so an overlap is guaranteed. Why should we care how much we overlap?
>
> "an overlap is guaranteed"? I have no idea what you're trying to say.

I have misread your changelog and the patch. Sorry about that. I thought
you meant a false positive but you in fact meant false negative. Now it
makes complete sense.

Acked-by: Michal Hocko <mhocko@xxxxxxxx>

And thanks a lot for catching that!

--
Michal Hocko
SUSE Labs
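A constructed user-space model of the two checks discussed in this thread (added here; not kernel code and not part of the original message). It mimics find_vma's documented contract, then runs the pre-patch and post-patch MAP_FIXED_NOREPLACE tests against the scenario from the report: an existing mapping at 0x10001000 and a request for two pages at 0x10000000. The VMA list, names and sizes are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy VMA: covers [vm_start, vm_end). The list is kept sorted by vm_start. */
struct vma { unsigned long vm_start, vm_end; };

/* Constructed sample: one page mapped at 0x10001000 (the page that was clobbered). */
const struct vma sample_vmas[] = { { 0x10001000UL, 0x10002000UL } };
const size_t sample_n = sizeof(sample_vmas) / sizeof(sample_vmas[0]);

/* Same contract as the kernel's find_vma(): first VMA with addr < vm_end, NULL if none. */
static const struct vma *find_vma(const struct vma *vmas, size_t n, unsigned long addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr < vmas[i].vm_end)
            return &vmas[i];
    return NULL;
}

/* Pre-patch condition: only a VMA starting at or before addr is treated as a collision. */
bool overlaps_old(const struct vma *vmas, size_t n, unsigned long addr, unsigned long len)
{
    const struct vma *vma = find_vma(vmas, n, addr);
    (void)len; /* the old check never looked at the requested length */
    return vma && vma->vm_start <= addr;
}

/* Post-patch condition: any VMA starting before the end of [addr, addr + len) collides. */
bool overlaps_new(const struct vma *vmas, size_t n, unsigned long addr, unsigned long len)
{
    const struct vma *vma = find_vma(vmas, n, addr);
    return vma && vma->vm_start < addr + len;
}

int main(void)
{
    unsigned long addr = 0x10000000UL, len = 0x2000UL; /* two pages, second one already mapped */
    printf("old check: %s\n", overlaps_old(sample_vmas, sample_n, addr, len) ? "collision" : "no collision");
    printf("new check: %s\n", overlaps_new(sample_vmas, sample_n, addr, len) ? "collision" : "no collision");
    return 0;
}
```

The old check reports no collision for the partially overlapping request (the false negative), while the new one rejects it; a request fully below or above the existing mapping is accepted by both.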