From patchwork Thu May 3 20:49:34 2018
X-Patchwork-Submitter: Davidlohr Bueso
X-Patchwork-Id: 10379259
Date: Thu, 3 May 2018 13:49:34 -0700
From: Davidlohr Bueso
To: akpm@linux-foundation.org, aarcange@redhat.com
Cc: joe.lawrence@redhat.com, gareth.evans@contextis.co.uk, linux-kernel@vger.kernel.org, linux-mm@kvack.org, stable@kernel.org, dave@stgolabs.net
Subject: [PATCH 2/2] ipc/shm: fix shmat() nil address after round-down when remapping
Message-ID: <20180503204934.kk63josdu6u53fbd@linux-n805>
References: <20180503203243.15045-1-dave@stgolabs.net>

shmat()'s SHM_REMAP option forbids passing a nil address for; this is in fact the very first thing we check for. Andrea reported that for SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check, but we need to check again if the address was rounded down to nil. As of this patch, such cases will return -EINVAL.

Reported-by: Andrea Arcangeli
Signed-off-by: Davidlohr Bueso
--- ipc/shm.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ipc/shm.c b/ipc/shm.c index b81d53c8f459..29978ee76c2e 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -1371,9 +1371,17 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, if (addr) { if (addr & (shmlba - 1)) { - if (shmflg & SHM_RND) + if (shmflg & SHM_RND) { addr &= ~(shmlba - 1); /* round down */ - else + + /* + * Ensure that the round-down is non-nil + * when remapping. This can happen for + * cases when addr < shmlba. + */ + if (!addr && (shmflg & SHM_REMAP)) + goto out; + } else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK) #endif
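
Review bot: The new "goto out" under "if (!addr && (shmflg & SHM_REMAP))" in the do_shmat() hunk assigns no error code of its own, so the -EINVAL promised in the changelog depends on err already holding -EINVAL when this branch is reached, which the visible context does not show. Please confirm that, or set err explicitly before the jump so the check stays correct if the surrounding code is reordered later. The added comment would also be more useful if it said that this repeats the SHM_REMAP nil-address check made at function entry, since the reason the second check exists is that SHM_RND can turn a non-nil addr below shmlba into zero after the first one has passed. Style point: the SHM_RND branch is now braced while the "} else" body stays unbraced around the #ifndef __ARCH_FORCE_SHMLBA block; bracing both branches would make the nesting easier to read.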