Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp993230yba;
        Thu, 4 Apr 2019 01:58:48 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwM7SBstfOatlskH4l4KbhRu2t3qL2RYa6uPR2IOWCZZfDdAA0LT30WpSHcKfT0QFoTJ2rC
X-Received: by 2002:a17:902:380c:: with SMTP id l12mr4946864plc.238.1554368328465;
        Thu, 04 Apr 2019 01:58:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1554368328; cv=none;
        d=google.com; s=arc-20160816;
        b=PdoAr2JaQ8ST4gMFiH/oUucLY7KsulZXv7QKp3SEIbomBdccuz/NRJ0TcScq7HcxBx
         n5a1xqhqO9alfRCO3H07CE3noaA6BOln84idb1joIp8fyTyjU0uVZE7oZC3qHhM9xuCZ
         +lI+o3Yf4EyPZbsr1bmthgbtkw7Fd86StIS8sCRwmz5uu0mH1M6xt3Jg9zCjXSWizWwF
         r7ZkBwPpef6ViC53VGZDf+7DdgftUaJz3znF9cgnOLl5cFA5ReJ0piw8bC8lH0KipTta
         xMTjh0G5j5dXnLLtJWcOB8Gm1XldPqQYX17FoQg156vr9amKHd/Aki5N1E9wwx6q/Yvs
         JlZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=8FBBemyrUGtX5A/Q9n0dqlV+/rvzYvM+r7P3Dp0vpdI=;
        b=Uv2Wfen91TTY6vyqSCkdc9Xd3uPAvAzq9U6HRSUTMvTxBQSAfFowrxcKH5eNkdGAeX
         kNIV7bFG1NIf8SrKi3SqokimcYV0eYKh7Lphzcv3OAjlFVbiQV0sjfHfiPO6km1c7+8W
         I7D2dAQ7GZEhndrzwD5n4jfraoPBaS8IvqwlrYYw1zQ9p3FPWLs/5SkYMZ4SpCxZ6XBR
         psRoK4YMHc/Z8lUKtohqLOH6xf8cHZGYXKVHWJQ68YZoaVa3orb4urKgJ5qDQJtcIsAi
         1QM92M73IsIYvfTHLkTBp3wW0xYiNdThq2LZKXfVPossaMkSr3vp0axPAF6PdTY1BX6i
         FdNA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=VU12lp3u;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g59si16570711plb.281.2019.04.04.01.58.33;
        Thu, 04 Apr 2019 01:58:48 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=VU12lp3u;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730450AbfDDI4S (ORCPT <rfc822;xqjcool@gmail.com> + 99 others);
        Thu, 4 Apr 2019 04:56:18 -0400
Received: from mail.kernel.org ([198.145.29.99]:59468 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730436AbfDDI4M (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 4 Apr 2019 04:56:12 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 2FCB220693;
        Thu,  4 Apr 2019 08:56:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1554368171;
        bh=sl7L8ILsqxlHfyGIFJaE9lnYYFD9MTdIxzPZvBJ9amo=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=VU12lp3uh/kkt4awiEiy581TLq/Mr1bYpsq/cyMlPYxOwotk4YMMcSqfL31TLWeXx
         0WBeqW5pOs8oU1tZQTjDIQAuI+o+nafxi0ACMomiBBt5W6Z7hdtA2KWWHNEHZRaLvH
         YzB24wc03iNd46g8P+iG+kpPTiNPoycgvYIyeS6Q=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Laurent Dufour <ldufour@linux.vnet.ibm.com>,
        "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>,
        Michael Ellerman <mpe@ellerman.id.au>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 047/121] powerpc/hugetlb: Handle mmap_min_addr correctly in get_unmapped_area callback
Date:   Thu,  4 Apr 2019 10:47:15 +0200
Message-Id: <20190404084547.818350022@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190404084545.245659903@linuxfoundation.org>
References: <20190404084545.245659903@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5330367fa300742a97e20e953b1f77f48392faae ]

After we ALIGN up the address we need to make sure we didn't overflow
and resulted in zero address. In that case, we need to make sure that
the returned address is greater than mmap_min_addr.

This fixes selftest va_128TBswitch --run-hugetlb reporting failures when
run as non root user for

mmap(-1, MAP_HUGETLB)

The bug is that a non-root user requesting address -1 will be given address 0
which will then fail, whereas they should have been given something else that
would have succeeded.

We also avoid the first mmap(-1, MAP_HUGETLB) returning NULL address as mmap address
with this change. So we think this is not a security issue, because it only affects
whether we choose an address below mmap_min_addr, not whether we
actually allow that address to be mapped. ie. there are existing capability
checks to prevent a user mapping below mmap_min_addr and those will still be
honoured even without this fix.

Fixes: 484837601d4d ("powerpc/mm: Add radix support for hugetlb")
Reviewed-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/mm/hugetlbpage-radix.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/mm/hugetlbpage-radix.c b/arch/powerpc/mm/hugetlbpage-radix.c
index bd022d16745c..a31bad29b55d 100644
--- a/arch/powerpc/mm/hugetlbpage-radix.c
+++ b/arch/powerpc/mm/hugetlbpage-radix.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/mm.h>
 #include <linux/hugetlb.h>
+#include <linux/security.h>
 #include <asm/pgtable.h>
 #include <asm/pgalloc.h>
 #include <asm/cacheflush.h>
@@ -79,7 +80,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
 	if (addr) {
 		addr = ALIGN(addr, huge_page_size(h));
 		vma = find_vma(mm, addr);
-		if (high_limit - len >= addr &&
+		if (high_limit - len >= addr && addr >= mmap_min_addr &&
 		    (!vma || addr + len <= vm_start_gap(vma)))
 			return addr;
 	}
@@ -89,7 +90,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
 	 */
 	info.flags = VM_UNMAPPED_AREA_TOPDOWN;
 	info.length = len;
-	info.low_limit = PAGE_SIZE;
+	info.low_limit = max(PAGE_SIZE, mmap_min_addr);
 	info.high_limit = mm->mmap_base + (high_limit - DEFAULT_MAP_WINDOW);
 	info.align_mask = PAGE_MASK & ~huge_page_mask(h);
 	info.align_offset = 0;
-- 
2.19.1