vm audit: add VM_DONTEXPAND to mmap for drivers that need it Drivers that register a ->fault handler, but do not range-check the offset argument, must set VM_DONTEXPAND in the vm_flags in order to prevent an expanding mremap from overflowing the resource. I've audited the tree and attempted to fix these problems (usually by adding VM_DONTEXPAND where it is not obvious). Signed-off-by: Nick Piggin <npiggin@suse.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit: 2f98735c9c24ea1f0d40a364d4e63611b689b795 [log] [tgz]
author: Nick Piggin <npiggin@suse.de> Sat Feb 02 03:08:53 2008 +0100
committer: Linus Torvalds <torvalds@linux-foundation.org> Mon Feb 04 07:55:38 2008 -0800
tree: a42b3802449af474d36cda3b6f9fb190a717defb
parent: fe2528b96b02173395f5a75e37714c07f3e25e73 [diff] [blame]
diff --git a/drivers/char/drm/drm_vm.c b/drivers/char/drm/drm_vm.c
index e8d50af..ef5e6b1 100644
--- a/drivers/char/drm/drm_vm.c
+++ b/drivers/char/drm/drm_vm.c

@@ -506,6 +506,7 @@
 	vma->vm_ops = &drm_vm_dma_ops;
 
 	vma->vm_flags |= VM_RESERVED;	/* Don't swap */
+	vma->vm_flags |= VM_DONTEXPAND;
 
 	vma->vm_file = filp;	/* Needed for drm_vm_open() */
 	drm_vm_open_locked(vma);
@@ -655,6 +656,7 @@
 		return -EINVAL;	/* This should never happen. */
 	}
 	vma->vm_flags |= VM_RESERVED;	/* Don't swap */
+	vma->vm_flags |= VM_DONTEXPAND;
 
 	vma->vm_file = filp;	/* Needed for drm_vm_open() */
 	drm_vm_open_locked(vma);
commit	2f98735c9c24ea1f0d40a364d4e63611b689b795	[log] [tgz]
author	Nick Piggin <npiggin@suse.de>	Sat Feb 02 03:08:53 2008 +0100
committer	Linus Torvalds <torvalds@linux-foundation.org>	Mon Feb 04 07:55:38 2008 -0800
tree	a42b3802449af474d36cda3b6f9fb190a717defb
parent	fe2528b96b02173395f5a75e37714c07f3e25e73 [diff] [blame]