From patchwork Tue Nov 5 16:22:10 2013
X-Patchwork-Submitter: Ming Lei
X-Patchwork-Id: 3142541
From: Ming Lei
To: Russell King, linux-arm-kernel@lists.infradead.org
Cc: Ming Lei, Kiyoshi Owada, Andrew Morton, stable@vger.kernel.org, Akira Takeuchi
Subject: [PATCH] ARM: mm: Ensure get_unmapped_area() returns higher address than mmap_min_addr
Date: Wed, 6 Nov 2013 00:22:10 +0800
Message-Id: <1383668531-24648-1-git-send-email-tom.leiming@gmail.com>

From: Ming Lei

This patch is the ARM version of the patch below, which is already in the -mm tree:

	http://marc.info/?t=138251444500006&r=1&w=2

Without this patch, the syscall below may return failure when '/proc/sys/vm/mmap_min_addr' is set to 32768:

	mmap(0, size, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);

but actually there is surely enough VM space for the current task. For example, arch_get_unmapped_area() may return 0x7000, which can't pass the security check, so finally -EPERM is returned to the caller, and this causes a bug from user space's view.

Cc:
Cc: Andrew Morton
Cc: Akira Takeuchi
Cc: Kiyoshi Owada
Signed-off-by: Ming Lei
--- arch/arm/mm/mmap.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c index d27158c..c2fbb91 100644 --- a/arch/arm/mm/mmap.c +++ b/arch/arm/mm/mmap.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #define COLOUR_ALIGN(addr,pgoff) \ @@ -78,7 +79,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, return addr; } - if (len > TASK_SIZE) + if (len > TASK_SIZE - mmap_min_addr) return -ENOMEM; if (addr) { @@ -88,14 +89,14 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && + if (TASK_SIZE - len >= addr && addr >= mmap_min_addr && (!vma || addr + len <= vma->vm_start)) return addr; } info.flags = 0; info.length = len; - info.low_limit = mm->mmap_base; + info.low_limit = max(mm->mmap_base, mmap_min_addr); info.high_limit = TASK_SIZE; info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0; info.align_offset = pgoff << PAGE_SHIFT; @@ -122,7 +123,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, do_align = filp || (flags & MAP_SHARED); /* requested length too big for entire address space */ - if (len > TASK_SIZE) + if (len > TASK_SIZE - mmap_min_addr) return -ENOMEM; if (flags & MAP_FIXED) { 
@@ -139,14 +140,14 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, else addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && + if (TASK_SIZE - len >= addr && addr >= mmap_min_addr && (!vma || addr + len <= vma->vm_start)) return addr; } info.flags = VM_UNMAPPED_AREA_TOPDOWN; info.length = len; - info.low_limit = PAGE_SIZE; + info.low_limit = max(PAGE_SIZE, mmap_min_addr); info.high_limit = mm->mmap_base; info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0; info.align_offset = pgoff << PAGE_SHIFT; @@ -161,7 +162,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (addr & ~PAGE_MASK) { VM_BUG_ON(addr != -ENOMEM); info.flags = 0; - info.low_limit = mm->mmap_base; + info.low_limit = max(mm->mmap_base, mmap_min_addr); info.high_limit = TASK_SIZE; addr = vm_unmapped_area(&info); }
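
Review bot: The two length checks, "if (len > TASK_SIZE - mmap_min_addr)" in arch_get_unmapped_area() and in arch_get_unmapped_area_topdown(), subtract a sysctl-controlled value from TASK_SIZE in unsigned arithmetic, so a value of mmap_min_addr above TASK_SIZE makes the right-hand side wrap and the check stops bounding len the way the comment "requested length too big for entire address space" describes. Testing the tunable first, for example "if (mmap_min_addr >= TASK_SIZE || len > TASK_SIZE - mmap_min_addr)", or a one-line comment stating why the wrap cannot happen, would make the intent explicit.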
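
Review bot: The three info.low_limit assignments (two "max(mm->mmap_base, mmap_min_addr)" and one "max(PAGE_SIZE, mmap_min_addr)") take mmap_min_addr as it is, while the hint path in the same functions runs addr through PAGE_ALIGN() before using it. If the sysctl holds a value that is not a multiple of the page size, the search starts from an unaligned lower limit, and with do_align false the align_mask is 0. Please either use PAGE_ALIGN(mmap_min_addr) at these sites or say in the commit message that vm_unmapped_area() is known to cope with an unaligned low_limit.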
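
The failure described in the commit message, as an added example that is not part of the original mail or of the kernel: a user-space model of the top-down gap search, the bottom-up fallback and the minimum-address check, run with and without the low_limit clamp. TASK_SIZE, MMAP_BASE, the VMA layout and the names search() and model_mmap() are assumptions made for the model.

```c
#include <errno.h>
#include <stdio.h>
/* Model constants. MIN_ADDR is the 32768 from the message; the rest are constructed. */
#define PAGE_SIZE 0x1000UL
#define TASK_SIZE 0xbf000000UL
#define MMAP_BASE 0xb6f00000UL
#define MIN_ADDR  0x8000UL
struct vma { unsigned long start, end; };
/* Constructed layout: the area below mmap_base is full except for [0, MIN_ADDR). */
static const struct vma layout[] = {
    { MIN_ADDR,     MMAP_BASE    },   /* one mapping filling the top-down area */
    { 0xbe800000UL, 0xbe821000UL },   /* stack */
};

/* Find a gap of len bytes inside [low, high); v[] is sorted and non-overlapping. */
static long long search(const struct vma *v, int n, unsigned long len,
                        unsigned long low, unsigned long high, int topdown)
{
    for (int k = 0; k <= n; k++) {
        int i = topdown ? n - k : k;            /* gap i lies just below v[i] */
        unsigned long gs = i > 0 ? v[i - 1].end : 0;
        unsigned long ge = i < n ? v[i].start : high;
        if (gs < low)  gs = low;
        if (ge > high) ge = high;
        if (ge > gs && ge - gs >= len)
            return topdown ? (long long)(ge - len) : (long long)gs;
    }
    return -ENOMEM;
}

/* Top-down search, bottom-up fallback on failure, then the minimum-address check. */
static long long model_mmap(unsigned long len, int patched)
{
    unsigned long lo_td = PAGE_SIZE, lo_bu = MMAP_BASE;
    if (patched && lo_td < MIN_ADDR) lo_td = MIN_ADDR;  /* clamps the patch adds */
    if (patched && lo_bu < MIN_ADDR) lo_bu = MIN_ADDR;
    long long addr = search(layout, 2, len, lo_td, MMAP_BASE, 1);
    if (addr < 0)
        addr = search(layout, 2, len, lo_bu, TASK_SIZE, 0);
    if (addr >= 0 && (unsigned long)addr < MIN_ADDR)
        return -EPERM;                  /* stands in for the security check */
    return addr;
}

int main(void)
{
    printf("unpatched: %lld, patched: %#llx\n", model_mmap(PAGE_SIZE, 0),
           (unsigned long long)model_mmap(PAGE_SIZE, 1));
    return 0;
}
```

Without the clamp the top-down search succeeds at 0x7000, so the fallback never runs and the caller sees -EPERM although free space exists above mmap_base; with the clamp the top-down search fails and the fallback returns an address the check accepts.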