From: Ma Wupeng mawupeng1@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7TW89
--------------------------------
While testing mlock, we have a problem if the len of mlock is ULONG_MAX. The return value of mlock is zero. But nothing will be locked since the len in do_mlock overflows to zero due to the following code in mlock:
len = PAGE_ALIGN(len + (offset_in_page(start)));
The same problem happens in munlock.
Since TASK_SIZE is the maximum user space address. The start or len of mlock shouldn't be bigger than this. Function access_ok can be used to check this issue, so return -EINVAL if bigger.
Signed-off-by: Ma Wupeng mawupeng1@huawei.com --- mm/mlock.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/mm/mlock.c b/mm/mlock.c index 40b43f8740df..e90139d42f88 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -479,8 +479,6 @@ static int apply_vma_lock_flags(unsigned long start, size_t len, end = start + len; if (end < start) return -EINVAL; - if (end == start) - return 0; vma = vma_iter_load(&vmi); if (!vma) return -ENOMEM; @@ -574,9 +572,15 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla if (!can_do_mlock()) return -EPERM;
+ if (!len) + return 0; + len = PAGE_ALIGN(len + (offset_in_page(start))); start &= PAGE_MASK;
+ if (!len) + return -EINVAL; + lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; locked = len >> PAGE_SHIFT; @@ -634,8 +638,13 @@ SYSCALL_DEFINE2(munlock, unsigned long, start, size_t, len)
start = untagged_addr(start);
+ if (!len) + return 0; + len = PAGE_ALIGN(len + (offset_in_page(start))); start &= PAGE_MASK; + if (!len) + return -EINVAL;
if (mmap_write_lock_killable(current->mm)) return -EINTR;