Message ID | 20131118145528.2329a1ab@kryten (mailing list archive) |
---|---|
State | Accepted, archived |
Commit | 5a049f14902982c26538250bdc8d54156d357252 |
Headers | show |
On Sun, Nov 17, 2013 at 7:55 PM, Anton Blanchard <anton@samba.org> wrote: > > Commit fba2369e6ceb (mm: use vm_unmapped_area() on powerpc architecture) > has a bug in slice_scan_available() where we compare an unsigned long > (high_slices) against a shifted int. As a result, comparisons against > the top 32 bits of high_slices (representing the top 32TB) always > returns 0 and the top of our mmap region is clamped at 32TB > > This also breaks mmap randomisation since the randomised address is > always up near the top of the address space and it gets clamped down > to 32TB. > > Cc: stable@vger.kernel.org # v3.10+ > Signed-off-by: Anton Blanchard <anton@samba.org> > --- > > diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c > index 3e99c14..7ce9cf3 100644 > --- a/arch/powerpc/mm/slice.c > +++ b/arch/powerpc/mm/slice.c > @@ -258,7 +258,7 @@ static bool slice_scan_available(unsigned long addr, > slice = GET_HIGH_SLICE_INDEX(addr); > *boundary_addr = (slice + end) ? > ((slice + end) << SLICE_HIGH_SHIFT) : SLICE_LOW_TOP; > - return !!(available.high_slices & (1u << slice)); > + return !!(available.high_slices & (1ul << slice)); > } > } > Good catch, sorry about that... Acked-by: Michel Lespinasse <walken@google.com>
diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c index 3e99c14..7ce9cf3 100644 --- a/arch/powerpc/mm/slice.c +++ b/arch/powerpc/mm/slice.c @@ -258,7 +258,7 @@ static bool slice_scan_available(unsigned long addr, slice = GET_HIGH_SLICE_INDEX(addr); *boundary_addr = (slice + end) ? ((slice + end) << SLICE_HIGH_SHIFT) : SLICE_LOW_TOP; - return !!(available.high_slices & (1u << slice)); + return !!(available.high_slices & (1ul << slice)); } }
Commit fba2369e6ceb (mm: use vm_unmapped_area() on powerpc architecture) has a bug in slice_scan_available() where we compare an unsigned long (high_slices) against a shifted int. As a result, comparisons against the top 32 bits of high_slices (representing the top 32TB) always returns 0 and the top of our mmap region is clamped at 32TB This also breaks mmap randomisation since the randomised address is always up near the top of the address space and it gets clamped down to 32TB. Cc: stable@vger.kernel.org # v3.10+ Signed-off-by: Anton Blanchard <anton@samba.org> ---