[RFC,4/6] sh/mm/mmap.c: Check length of unmapped area before allowing MAP_FIXED

Commit Message

Liam R. Howlett Dec. 6, 2021, 3:02 p.m. UTC

arch_get_unmapped_area() and arch_get_unmapped_area_topdown() could
potentially allow a larger than possible length when using the MAP_FIXED
flag.  The bound check should come before the check for MAP_FIXED.

Fixes: 2cd841c0b3a8 (v2.4.9.5 -> v2.4.9.6)
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
---
 arch/sh/mm/mmap.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

Patch

diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c
index 6a1a1297baae..3d46c475198d 100644
--- a/arch/sh/mm/mmap.c
+++ b/arch/sh/mm/mmap.c
@@ -39,6 +39,9 @@  unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
 	int do_colour_align;
 	struct vm_unmapped_area_info info;
 
+	if (unlikely(len > TASK_SIZE))
+		return -ENOMEM;
+
 	if (flags & MAP_FIXED) {
 		/* We do not accept a shared mapping if it would violate
 		 * cache aliasing constraints.
@@ -49,9 +52,6 @@  unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
 		return addr;
 	}
 
-	if (unlikely(len > TASK_SIZE))
-		return -ENOMEM;
-
 	do_colour_align = 0;
 	if (filp || (flags & MAP_SHARED))
 		do_colour_align = 1;
@@ -88,6 +88,9 @@  arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
 	int do_colour_align;
 	struct vm_unmapped_area_info info;
 
+	if (unlikely(len > TASK_SIZE))
+		return -ENOMEM;
+
 	if (flags & MAP_FIXED) {
 		/* We do not accept a shared mapping if it would violate
 		 * cache aliasing constraints.
@@ -98,9 +101,6 @@  arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
 		return addr;
 	}
 
-	if (unlikely(len > TASK_SIZE))
-		return -ENOMEM;
-
 	do_colour_align = 0;
 	if (filp || (flags & MAP_SHARED))
 		do_colour_align = 1;