[PATCH] hugetlbfs vm_pgoff bugs

1. hugetlbfs_file_mmap() must check that vm_pgoff is hugepage aligned. 2. hugetlb_vmtruncate_list() confuses << with >> while converting vm_pgoff to huge page offset, and zaps wrong area. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] hugetlbfs vm_pgoff bugs
1. hugetlbfs_file_mmap() must check that vm_pgoff is hugepage aligned. 2. hugetlb_vmtruncate_list() confuses << with >> while converting vm_pgoff to huge page offset, and zaps wrong area. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
fdd1ec13 · Oleg Nesterov · Linus Torvalds · 5fcadd1e · fdd1ec13
Commit fdd1ec13 authored Jul 28, 2004 by Oleg Nesterov Committed by Linus Torvalds Jul 28, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

fs/hugetlbfs/inode.c fs/hugetlbfs/inode.c +6 -3

No files found.
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -52,6 +52,9 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
 	loff_t len, vma_len;
 	int ret;
+	if (vma->vm_pgoff & (HPAGE_SIZE / PAGE_SIZE - 1))
+		return -EINVAL;
 	if (vma->vm_start & ~HPAGE_MASK)
 		return -EINVAL;
@@ -278,16 +281,16 @@ hugetlb_vmtruncate_list(struct prio_tree_root *root, unsigned long h_pgoff)
 		unsigned long v_length;
 		unsigned long v_offset;
-		h_vm_pgoff = vma->vm_pgoff << (HPAGE_SHIFT - PAGE_SHIFT);
+		h_vm_pgoff = vma->vm_pgoff >> (HPAGE_SHIFT - PAGE_SHIFT);
-		v_length = vma->vm_end - vma->vm_start;
 		v_offset = (h_pgoff - h_vm_pgoff) << HPAGE_SHIFT;
 		/*
 		 * Is this VMA fully outside the truncation point?
 		 */
 		if (h_vm_pgoff >= h_pgoff)
 			v_offset = 0;
+		v_length = vma->vm_end - vma->vm_start;
 		zap_hugepage_range(vma,
 				vma->vm_start + v_offset,
 				v_length - v_offset);