diff options
| author | Davidlohr Bueso <dave@stgolabs.net> | 2018-05-25 17:47:27 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2018-05-25 21:12:11 -0400 |
| commit | a73ab244f0dad8fffb3291b905f73e2d3eaa7c00 (patch) | |
| tree | 3ee5977369f46e1a41fb7c8a0b8b47e525f9e4e1 /ipc | |
| parent | 7a4deea1aa8bddfed4ef1b35fc2b6732563d8ad5 (diff) | |
Revert "ipc/shm: Fix shmat mmap nil-page protection"
Patch series "ipc/shm: shmat() fixes around nil-page".
These patches fix two issues reported[1] a while back by Joe and Andrea
around how shmat(2) behaves with nil-page.
The first reverts a commit that it was incorrectly thought that mapping
nil-page (address=0) was a no no with MAP_FIXED. This is not the case,
with the exception of SHM_REMAP; which is address in the second patch.
I chose two patches because it is easier to backport and it explicitly
reverts bogus behaviour. Both patches ought to be in -stable and ltp
testcases need updated (the added testcase around the cve can be
modified to just test for SHM_RND|SHM_REMAP).
[1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805
This patch (of 2):
Commit 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection")
worked on the idea that we should not be mapping as root addr=0 and
MAP_FIXED. However, it was reported that this scenario is in fact
valid, thus making the patch both bogus and breaks userspace as well.
For example X11's libint10.so relies on shmat(1, SHM_RND) for lowmem
initialization[1].
[1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/int10/linux.c#n347
Link: http://lkml.kernel.org/r/20180503203243.15045-2-dave@stgolabs.net
Fixes: 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection")
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reported-by: Joe Lawrence <joe.lawrence@redhat.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'ipc')
| -rw-r--r-- | ipc/shm.c | 9 |
1 files changed, 2 insertions, 7 deletions
| @@ -1363,13 +1363,8 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, | |||
| 1363 | 1363 | ||
| 1364 | if (addr) { | 1364 | if (addr) { |
| 1365 | if (addr & (shmlba - 1)) { | 1365 | if (addr & (shmlba - 1)) { |
| 1366 | /* | 1366 | if (shmflg & SHM_RND) |
| 1367 | * Round down to the nearest multiple of shmlba. | 1367 | addr &= ~(shmlba - 1); /* round down */ |
| 1368 | * For sane do_mmap_pgoff() parameters, avoid | ||
| 1369 | * round downs that trigger nil-page and MAP_FIXED. | ||
| 1370 | */ | ||
| 1371 | if ((shmflg & SHM_RND) && addr >= shmlba) | ||
| 1372 | addr &= ~(shmlba - 1); | ||
| 1373 | else | 1368 | else |
| 1374 | #ifndef __ARCH_FORCE_SHMLBA | 1369 | #ifndef __ARCH_FORCE_SHMLBA |
| 1375 | if (addr & ~PAGE_MASK) | 1370 | if (addr & ~PAGE_MASK) |