1 From 166258fc1e072a1dbcac678427291854d01f2163 Mon Sep 17 00:00:00 2001
2 From: Hugh Dickins <hughd@google.com>
3 Date: Tue, 20 Jun 2017 02:10:44 -0700
4 Subject: [PATCH 3/3] mm: fix new crash in unmapped_area_topdown()
6 commit f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 upstream.
8 Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
9 mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the
10 end of unmapped_area_topdown(). Linus points out how MAP_FIXED
11 (which does not have to respect our stack guard gap intentions)
12 could result in gap_end below gap_start there. Fix that, and
13 the similar case in its alternative, unmapped_area().
15 Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
16 Reported-by: Dave Jones <davej@codemonkey.org.uk>
17 Debugged-by: Linus Torvalds <torvalds@linux-foundation.org>
18 Signed-off-by: Hugh Dickins <hughd@google.com>
19 Acked-by: Michal Hocko <mhocko@suse.com>
20 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
21 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
24 1 file changed, 4 insertions(+), 2 deletions(-)
26 diff --git a/mm/mmap.c b/mm/mmap.c
27 index d71a61e..145d3d5 100644
30 @@ -1813,7 +1813,8 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
31 /* Check if current node has a suitable gap */
32 if (gap_start > high_limit)
34 - if (gap_end >= low_limit && gap_end - gap_start >= length)
35 + if (gap_end >= low_limit &&
36 + gap_end > gap_start && gap_end - gap_start >= length)
39 /* Visit right subtree if it looks promising */
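Review bot: The new `gap_end > gap_start` term carries no comment, and a later reader will likely take it as redundant with `gap_end - gap_start >= length` and fold it away; it is not redundant, because the gap variables appear to be `unsigned long` (the function itself returns `unsigned long`), so a gap_end below gap_start wraps the subtraction to a huge value and the bogus gap would be accepted. I would add above the condition: `/* MAP_FIXED may place a vma inside the stack guard gap, so gap_end can be below gap_start; check before subtracting to avoid unsigned wraparound */`. The same comment belongs on the matching condition in unmapped_area_topdown() in the second hunk. The loop body of unmapped_area() that this condition sits in begins and ends outside the hunk.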
40 @@ -1916,7 +1917,8 @@ unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
41 gap_end = vm_start_gap(vma);
42 if (gap_end < low_limit)
44 - if (gap_start <= high_limit && gap_end - gap_start >= length)
45 + if (gap_start <= high_limit &&
46 + gap_end > gap_start && gap_end - gap_start >= length)
49 /* Visit left subtree if it looks promising */