Message ID | 1436247946-16292-1-git-send-email-imunsie@au.ibm.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Michael Ellerman |
On Tue, 2015-07-07 at 05:45:45 UTC, Ian Munsie wrote:
> From: Ian Munsie <imunsie@au1.ibm.com>
>
> It was discovered that if a process mmaped their problem state area they
> were able to access one page more than expected, potentially allowing
> them to access the problem state area of an unrelated process.
>
> This was due to a simple off by one error in the mmap fault handler
> introduced in 0712dc7e73e59d79bcead5d5520acf4e9e917e87 ("cxl: Fix issues
> when unmapping contexts"), which is fixed in this patch.
>
> Cc: stable@vger.kernel.org
> Fixes: 0712dc7e73e5 ("cxl: Fix issues when unmapping contexts")
> Signed-off-by: Ian Munsie <imunsie@au1.ibm.com>

Applied to powerpc fixes, thanks.

https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/?h=fixes&id=10a5894f2dedd8a26b3132497445b314c0d952c4

cheers
diff --git a/drivers/misc/cxl/context.c b/drivers/misc/cxl/context.c index 2a4c80a..6c1ce51 100644 --- a/drivers/misc/cxl/context.c +++ b/drivers/misc/cxl/context.c @@ -113,11 +113,11 @@ static int cxl_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf) if (ctx->afu->current_mode == CXL_MODE_DEDICATED) { area = ctx->afu->psn_phys; - if (offset > ctx->afu->adapter->ps_size) + if (offset >= ctx->afu->adapter->ps_size) return VM_FAULT_SIGBUS; } else { area = ctx->psn_phys; - if (offset > ctx->psn_size) + if (offset >= ctx->psn_size) return VM_FAULT_SIGBUS; }
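
Review bot: The two bounds checks in cxl_mmap_fault() are duplicated, one per branch, and differ only in the limit they use (ctx->afu->adapter->ps_size in the CXL_MODE_DEDICATED branch, ctx->psn_size in the else branch), which is how the same off-by-one ended up in both places. Consider setting a local size next to area in each branch and doing a single "offset >= size" comparison after the if/else, with a one-line comment that valid offsets run from 0 to size - 1, so the two paths cannot drift apart again. The dedicated branch also takes area from ctx->afu->psn_phys but its limit from ctx->afu->adapter->ps_size; a short comment on why the size lives on the adapter there would help the next reader. The hunk does not show the mmap-time length check, so it is worth confirming that it enforces the same limit as this fault-time check.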