diff options
author | Nick Piggin <npiggin@suse.de> | 2008-02-02 03:08:53 +0100 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-02-04 07:55:38 -0800 |
commit | 2f98735c9c24ea1f0d40a364d4e63611b689b795 (patch) | |
tree | a42b3802449af474d36cda3b6f9fb190a717defb /sound/oss | |
parent | fe2528b96b02173395f5a75e37714c07f3e25e73 (diff) | |
download | linux-3.10-2f98735c9c24ea1f0d40a364d4e63611b689b795.tar.gz linux-3.10-2f98735c9c24ea1f0d40a364d4e63611b689b795.tar.bz2 linux-3.10-2f98735c9c24ea1f0d40a364d4e63611b689b795.zip |
vm audit: add VM_DONTEXPAND to mmap for drivers that need it
Drivers that register a ->fault handler, but do not range-check the
offset argument, must set VM_DONTEXPAND in the vm_flags in order to
prevent an expanding mremap from overflowing the resource.
I've audited the tree and attempted to fix these problems (usually by
adding VM_DONTEXPAND where it is not obvious).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'sound/oss')
-rw-r--r-- | sound/oss/via82cxxx_audio.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/sound/oss/via82cxxx_audio.c b/sound/oss/via82cxxx_audio.c index 5d3c0372df3..f95aa094675 100644 --- a/sound/oss/via82cxxx_audio.c +++ b/sound/oss/via82cxxx_audio.c @@ -2104,6 +2104,7 @@ static struct page * via_mm_nopage (struct vm_area_struct * vma, { struct via_info *card = vma->vm_private_data; struct via_channel *chan = &card->ch_out; + unsigned long max_bufs; struct page *dmapage; unsigned long pgoff; int rd, wr; @@ -2127,14 +2128,11 @@ static struct page * via_mm_nopage (struct vm_area_struct * vma, rd = card->ch_in.is_mapped; wr = card->ch_out.is_mapped; -#ifndef VIA_NDEBUG - { - unsigned long max_bufs = chan->frag_number; - if (rd && wr) max_bufs *= 2; - /* via_dsp_mmap() should ensure this */ - assert (pgoff < max_bufs); - } -#endif + max_bufs = chan->frag_number; + if (rd && wr) + max_bufs *= 2; + if (pgoff >= max_bufs) + return NOPAGE_SIGBUS; /* if full-duplex (read+write) and we have two sets of bufs, * then the playback buffers come first, sez soundcard.c */ |