> To fix this bug, it is necessary to compare "off" plus "len"
> with "off" in units of "off_t". The patch is here:
>
> Signed-off-by: Naotaka Hamaguchi <n.hamaguchi@xxxxxxxxxxxxxx>
> ---
>  mm/mmap.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/mm/mmap.c b/mm/mmap.c
> index eae90af..e74e736 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -948,6 +948,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
>  	vm_flags_t vm_flags;
>  	int error;
>  	unsigned long reqprot = prot;
> +	off_t off = pgoff << PAGE_SHIFT;
>
>  	/*
>  	 * Does the application expect PROT_READ to imply PROT_EXEC?
> @@ -971,7 +972,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
>  		return -ENOMEM;
>
>  	/* offset overflow? */
> -	if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
> +	if ((off + len) < off)
>  		return -EOVERFLOW;

Hmm... pgoff doesn't make an actual overflow. do_mmap_pgoff() can calculate a big value. We have no reason to make an artificial limit. Why don't you make an overflow check in sys_mmap()?
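Review bot: in the first hunk (`@@ -948,6 +948,7 @@`), the shift in `+ off_t off = pgoff << PAGE_SHIFT;` can itself wrap before any check runs: `pgoff` is an `unsigned long` page index, so any value with its top PAGE_SHIFT bits set silently loses them, and the result is then stored in `off_t`, a signed `long` that is only 32 bits wide on 32-bit architectures even though the kernel's file offsets are `loff_t`. A byte offset computed this way is not a sound basis for the overflow test that follows. Compute it in a 64-bit unsigned type and verify the shift round-trips, for example `u64 off = (u64)pgoff << PAGE_SHIFT;` followed by `if ((off >> PAGE_SHIFT) != pgoff) return -EOVERFLOW;`, so an unrepresentable `pgoff` is rejected before it is used.

Review bot: in the second hunk (`@@ -971,7 +972,7 @@`), the replacement test `+ if ((off + len) < off)` only detects a wrap of the byte sum and trusts `off` as given; if `pgoff << PAGE_SHIFT` already wrapped in the first hunk, the sum looks well-formed and the oversized offset passes, which is exactly the case the `/* offset overflow? */` comment says this check exists to catch. Note also that the test only works because `len` is `unsigned long`, which forces the addition and the comparison into unsigned arithmetic; written with a signed operand on both sides (as an `off_t`/`loff_t`-only expression would be), signed overflow is undefined behaviour and the compiler is free to drop the comparison entirely. State the intended wrap check explicitly in an unsigned type, and document in the commit message which inputs the old page-unit comparison `pgoff + (len >> PAGE_SHIFT) < pgoff` missed that the byte-unit one catches, since the reply below questions whether that case can arise at all.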