review.tizen.org Git - profile/mobile/platform/kernel/linux-3.10-sc7730.git/commit

author	Hugh Dickins <hughd@google.com>
	Tue, 20 Jun 2017 09:10:44 +0000 (02:10 -0700)
committer	Seung-Woo Kim <sw0312.kim@samsung.com>
	Wed, 18 Oct 2017 02:06:39 +0000 (11:06 +0900)
commit	3deea6bc806792b97eb8afd479284b3a3bcae2c4
tree	662c40e604b9960654b1dbcc4a5d0af9fd07cbde	tree \| snapshot
parent	784d4a5f6b6ff97009970e15f04f99ceab916bfb	commit \| diff

mm: fix new crash in unmapped_area_topdown()

commit f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 upstream.

Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
mmap testing.  That's the VM_BUG_ON(gap_end < gap_start) at the
end of unmapped_area_topdown().  Linus points out how MAP_FIXED
(which does not have to respect our stack guard gap intentions)
could result in gap_end below gap_start there.  Fix that, and
the similar case in its alternative, unmapped_area().

Cc: stable@vger.kernel.org
Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Debugged-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2017-1000364]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Id45155ff188da963d152f71db3cc0a4399fd83a2