UBUNTU: Ubuntu-raspi2-4.10.0-1000.1
index 4acc20fc5c81b5fee95ef82872c672e72d613ce6..09c728a1eeee248b3af92f401db9c3b037f64570 100644 (file)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1813,7 +1813,8 @@ check_current:
                /* Check if current node has a suitable gap */
                if (gap_start > high_limit)
                        return -ENOMEM;
-               if (gap_end >= low_limit && gap_end - gap_start >= length)
+               if (gap_end >= low_limit &&
+                   gap_end > gap_start && gap_end - gap_start >= length)
                        goto found;
 
                /* Visit right subtree if it looks promising */
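Review bot: The added `gap_end > gap_start` test on the `goto found` condition has no comment saying why it is needed, and the same applies to the identical addition in the next `check_current:` hunk (`@@ -1916,7 +1917,8`). Both values look unsigned, so without the test a gap_start above gap_end would make `gap_end - gap_start` wrap to a very large value and satisfy `>= length`; the assignments to gap_start and gap_end are outside this hunk, so how that ordering can arise is inferred rather than shown. I would extend the existing comment to something like `/* Check if current node has a suitable gap; gap_start may exceed gap_end, so test the order before the unsigned subtraction */`. The enclosing function starts and ends outside the hunk.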
@@ -1916,7 +1917,8 @@ check_current:
                gap_end = vm_start_gap(vma);
                if (gap_end < low_limit)
                        return -ENOMEM;
-               if (gap_start <= high_limit && gap_end - gap_start >= length)
+               if (gap_start <= high_limit &&
+                   gap_end > gap_start && gap_end - gap_start >= length)
                        goto found;
 
                /* Visit left subtree if it looks promising */
@@ -2224,18 +2226,22 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
        if (!(vma->vm_flags & VM_GROWSUP))
                return -EFAULT;
 
-       /* Guard against wrapping around to address 0. */
+       /* Guard against exceeding limits of the address space. */
        address &= PAGE_MASK;
-       address += PAGE_SIZE;
-       if (!address)
+       if (address >= TASK_SIZE)
                return -ENOMEM;
+       address += PAGE_SIZE;
 
        /* Enforce stack_guard_gap */
        gap_addr = address + stack_guard_gap;
-       if (gap_addr < address)
-               return -ENOMEM;
+
+       /* Guard against overflow */
+       if (gap_addr < address || gap_addr > TASK_SIZE)
+               gap_addr = TASK_SIZE;
+
        next = vma->vm_next;
-       if (next && next->vm_start < gap_addr) {
+       if (next && next->vm_start < gap_addr &&
+                       (next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
                if (!(next->vm_flags & VM_GROWSUP))
                        return -ENOMEM;
                /* Check that both stack segments have the same anon_vma? */
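Review bot: The new `(next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))` term in the `next` check exempts a neighbouring mapping with no access bits from the stack guard gap, and neither here nor in the matching `prev` check in the last expand_downwards hunk does the code say so or why. The exemption is evaluated only at expansion time; if such a mapping is later given access permissions (for example via mprotect, which is not visible on this page), it could end up inside the gap without this check running again, so it is worth confirming that path is handled elsewhere. At minimum I would add a comment above the condition, e.g. `/* A neighbour with no read/write/exec permission is exempt from the guard gap */`. The comment `/* Guard against overflow */` also undersells the line below it, which clamps gap_addr to TASK_SIZE as well as catching wrap-around. expand_upwards continues past the end of the hunk.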
@@ -2306,7 +2312,6 @@ int expand_downwards(struct vm_area_struct *vma,
 {
        struct mm_struct *mm = vma->vm_mm;
        struct vm_area_struct *prev;
-       unsigned long gap_addr;
        int error;
 
        address &= PAGE_MASK;
@@ -2315,14 +2320,12 @@ int expand_downwards(struct vm_area_struct *vma,
                return error;
 
        /* Enforce stack_guard_gap */
-       gap_addr = address - stack_guard_gap;
-       if (gap_addr > address)
-               return -ENOMEM;
        prev = vma->vm_prev;
-       if (prev && prev->vm_end > gap_addr) {
-               if (!(prev->vm_flags & VM_GROWSDOWN))
+       /* Check that both stack segments have the same anon_vma? */
+       if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
+                       (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
+               if (address - prev->vm_end < stack_guard_gap)
                        return -ENOMEM;
-               /* Check that both stack segments have the same anon_vma? */
        }
 
        /* We must make sure the anon_vma is allocated. */
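Review bot: `address - prev->vm_end < stack_guard_gap` appears to be an unsigned subtraction that is only meaningful while prev->vm_end <= address; if that ordering ever failed, the difference would wrap and the guard-gap check would pass silently. The ordering presumably follows from how callers choose vma and address, but nothing in this hunk establishes it, so a one-line comment stating the invariant above the test would help, e.g. `/* prev->vm_end <= address here, so the subtraction cannot wrap */` once that is confirmed. Separately, the relocated comment `/* Check that both stack segments have the same anon_vma? */` now sits above a condition that only runs when prev is not VM_GROWSDOWN, where it no longer describes anything; I would drop it or reword it. The function body starts before and continues after the hunk.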