| Message ID | 20240325153313.526888-4-iii@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | linux-user: Fix shmat(NULL) for h != g | expand |
On 3/25/24 05:07, Ilya Leoshkevich wrote: > In the h != g && shmaddr == NULL && !reserved_va case, target_shmat() > incorrectly mmap()s the initial anonymous range with > MAP_FIXED_NOREPLACE, even though the earlier mmap_find_vma() has > already reserved the respective address range. > > Fix by using MAP_FIXED when "mapped", which is set after > mmap_find_vma(), is true. > > Fixes: 78bc8ed9a8f0 ("linux-user: Rewrite target_shmat") > Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> > --- > linux-user/mmap.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Reviewed-by: Richard Henderson <richard.henderson@linaro.org> r~
diff --git a/linux-user/mmap.c b/linux-user/mmap.c index e88faf1ab3d..681b6db1b67 100644 --- a/linux-user/mmap.c +++ b/linux-user/mmap.c @@ -1358,7 +1358,7 @@ abi_ulong target_shmat(CPUArchState *cpu_env, int shmid, if (h_len != t_len) { int mmap_p = PROT_READ | (shmflg & SHM_RDONLY ? 0 : PROT_WRITE); int mmap_f = MAP_PRIVATE | MAP_ANONYMOUS - | (reserved_va || (shmflg & SHM_REMAP) + | (reserved_va || mapped || (shmflg & SHM_REMAP) ? MAP_FIXED : MAP_FIXED_NOREPLACE); test = mmap(want, m_len, mmap_p, mmap_f, -1, 0);
In the h != g && shmaddr == NULL && !reserved_va case, target_shmat() incorrectly mmap()s the initial anonymous range with MAP_FIXED_NOREPLACE, even though the earlier mmap_find_vma() has already reserved the respective address range. Fix by using MAP_FIXED when "mapped", which is set after mmap_find_vma(), is true. Fixes: 78bc8ed9a8f0 ("linux-user: Rewrite target_shmat") Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> --- linux-user/mmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)