On 10/10/18 5:27 PM, Jann Horn wrote: > Daniel Micay reports that attempting to use MAP_FIXED_NOREPLACE in an > application causes that application to randomly crash. The existing check > for handling MAP_FIXED_NOREPLACE looks up the first VMA that either > overlaps or follows the requested region, and then bails out if that VMA > overlaps *the start* of the requested region. It does not bail out if the > VMA only overlaps another part of the requested region. > > Fix it by checking that the found VMA only starts at or after the end of > the requested region, in which case there is no overlap. > > Reported-by: Daniel Micay <danielmicay@xxxxxxxxx> > Fixes: a4ff8e8620d3 ("mm: introduce MAP_FIXED_NOREPLACE") > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Jann Horn <jannh@xxxxxxxxxx> Good catch, thanks. Acked-by: Vlastimil Babka <vbabka@xxxxxxx> > --- > mm/mmap.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/mm/mmap.c b/mm/mmap.c > index 5f2b2b184c60..f7cd9cb966c0 100644 > --- a/mm/mmap.c > +++ b/mm/mmap.c > @@ -1410,7 +1410,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr, > if (flags & MAP_FIXED_NOREPLACE) { > struct vm_area_struct *vma = find_vma(mm, addr); > > - if (vma && vma->vm_start <= addr) > + if (vma && vma->vm_start < addr + len) > return -EEXIST; > } > >