We must prohibit page boundary crossing for kmap() addresses.
vmap() addresses are limited by the length of the mapping, and
compound pages are limited by the size of the page.

These should probably all have test cases?

v2:
 - Prevent a NULL pointer dereference when a vmalloc-range pointer
   doesn't have an associated allocation (me)
 - Report better offsets than "0" (Kees)

Matthew Wilcox (Oracle) (3):
  mm/usercopy: Check kmap addresses properly
  mm/usercopy: Detect vmalloc overruns
  mm/usercopy: Detect compound page overruns

 arch/x86/include/asm/highmem.h   |  1 +
 include/linux/highmem-internal.h | 10 ++++++++
 mm/usercopy.c                    | 42 +++++++++++++++++++++++---------
 3 files changed, 42 insertions(+), 11 deletions(-)

-- 
2.32.0