diff options
| author | Reese Faucette <reesefaucette@gmail.com> | 2015-05-14 01:01:38 +0000 |
|---|---|---|
| committer | Johannes Weiner <hannes@cmpxchg.org> | 2015-05-14 01:01:38 +0000 |
| commit | 03c0891769ad5976dbe031df46c0728db6156ecb (patch) | |
| tree | aeeabe35adf26cd763815bfaf9abbda0def4be4a | |
| parent | 351983c6dfa9b5bf2d90baea5f28c8e726ae69ed (diff) | |
| download | mm-next-03c0891769ad5976dbe031df46c0728db6156ecb.tar.gz | |
mm/mmap.c: fix off-by-one in mmap overflow check
When checking for overflow, the code in mm/mmap.c compares the first byte
*after* the end of mapped region to the start of the region instead of the
last byte of the mapped region.
This prevents mapping a region which abuts the end of physical space, as
mmap() incorrectly rejects the region with -EOVERFLOW, because pgoff +
(len >> PAGE_SHIFT) will be 0, which is < pgoff. -reese
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
| -rw-r--r-- | mm/mmap.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/mm/mmap.c b/mm/mmap.c index bb50cacc3ea576..9c1c5b9de59c2f 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1280,7 +1280,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, return -ENOMEM; /* offset overflow? */ - if ((pgoff + (len >> PAGE_SHIFT)) < pgoff) + if ((pgoff + (len >> PAGE_SHIFT) - 1) < pgoff) return -EOVERFLOW; /* Too many mappings? */ |