Char/Misc fix for 5.4-rc5

This is a single char/misc driver fix (well, a binder fix to be specific) to resolve a reported issue by Jann. It's been in linux-next for a while with no reported issues. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -----BEGIN PGP SIGNATURE----- iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCXbSKbg8cZ3JlZ0Brcm9h aC5jb20ACgkQMUfUDdst+yk6wwCgwkxF667WQcJ2Eh9nE/9ZvDvrmlwAn3q2VmZM 94K3nJrFLohNgTBJ4SHG =d8Af -----END PGP SIGNATURE----- Merge tag 'char-misc-5.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull binder fix from Greg KH: "This is a single binder fix to resolve a reported issue by Jann. It's been in linux-next for a while with no reported issues" * tag 'char-misc-5.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: binder: Don't modify VMA bounds in ->mmap handler
2019-10-26 15:17:54 -04:00 · 2019-10-26 15:17:54 -04:00 · a03885d596
parent 0ecdd78c75 45d02f79b5
commit a03885d596
2 changed files with 4 additions and 9 deletions
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@ -97,10 +97,6 @@ DEFINE_SHOW_ATTRIBUTE(proc);
 #define SZ_1K                               0x400
 #endif

-#ifndef SZ_4M
-#define SZ_4M                               0x400000
-#endif
-
 #define FORBIDDEN_MMAP_FLAGS                (VM_WRITE)

 enum {
@ -5177,9 +5173,6 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
 	if (proc->tsk != current->group_leader)
 		return -EINVAL;

-	if ((vma->vm_end - vma->vm_start) > SZ_4M)
-		vma->vm_end = vma->vm_start + SZ_4M;
-
 	binder_debug(BINDER_DEBUG_OPEN_CLOSE,
 		     "%s: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",
 		     __func__, proc->pid, vma->vm_start, vma->vm_end,
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@ -22,6 +22,7 @@
 #include <asm/cacheflush.h>
 #include <linux/uaccess.h>
 #include <linux/highmem.h>
+#include <linux/sizes.h>
 #include "binder_alloc.h"
 #include "binder_trace.h"

@ -689,7 +690,9 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc,
 	alloc->buffer = (void __user *)vma->vm_start;
 	mutex_unlock(&binder_alloc_mmap_lock);

-	alloc->pages = kcalloc((vma->vm_end - vma->vm_start) / PAGE_SIZE,
+	alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start,
+				   SZ_4M);
+	alloc->pages = kcalloc(alloc->buffer_size / PAGE_SIZE,
 			       sizeof(alloc->pages[0]),
 			       GFP_KERNEL);
 	if (alloc->pages == NULL) {
@ -697,7 +700,6 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc,
 		failure_string = "alloc page array";
 		goto err_alloc_pages_failed;
 	}
-	alloc->buffer_size = vma->vm_end - vma->vm_start;

 	buffer = kzalloc(sizeof(*buffer), GFP_KERNEL);
 	if (!buffer) {