Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751672AbdF2XEE (ORCPT ); Thu, 29 Jun 2017 19:04:04 -0400 Received: from mail-pf0-f176.google.com ([209.85.192.176]:34095 "EHLO mail-pf0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751563AbdF2XED (ORCPT ); Thu, 29 Jun 2017 19:04:03 -0400 Date: Thu, 29 Jun 2017 16:02:56 -0700 From: =?iso-8859-1?Q?J=F6rn?= Engel To: Helge Deller , Hugh Dickins , linux-kernel@vger.kernel.org Subject: [PATCH] mm: Fix overflow check in expand_upwards() Message-ID: <20170629230256.GB494@cork> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1104 Lines: 38 I believe the overflow check was correct, then got subtly broken by commit bd726c90b6b8 Author: Helge Deller Date: Mon Jun 19 17:34:05 2017 +0200 Allow stack to grow up to address space limit The old overflow check may have been a bit subtle and I suppose Helge missed its importance. if (!address) return -ENOMEM; Functionally the my check is identical to the old one. I just hope the alternative form (and comment!) make it harder to miss and break things in a future patch. Signed-off-by: Joern Engel --- mm/mmap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/mmap.c b/mm/mmap.c index a5e3dcd75e79..7366f62c31f4 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -2232,7 +2232,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) /* Guard against exceeding limits of the address space. */ address &= PAGE_MASK; - if (address >= TASK_SIZE) + /* second check is for integer overflow */ + if (address >= TASK_SIZE || address + PAGE_SIZE < address) return -ENOMEM; address += PAGE_SIZE; -- 2.1.4