Commit f09079bd authored Jun 09, 2025 by Linus Torvalds

Merge tag 'powerpc-6.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Madhavan Srinivasan:

 - a couple of fixes for out of bounds issues in memtrace and vas

Thanks to Ritesh Harjani (IBM), Haren Myneni, and Jonathan Greental

* tag 'powerpc-6.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()
  powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap

parents 19272b37 0d67f0de

arch/powerpc/platforms/book3s/vas-api.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -521,6 +521,15 @@ static int coproc_mmap(struct file fp, struct vm_area_struct vma)
		return -EINVAL;
		}

		/*
		* Map complete page to the paste address. So the user
		* space should pass 0ULL to the offset parameter.
		*/
		if (vma->vm_pgoff) {
		pr_debug("Page offset unsupported to map paste address\n");
		return -EINVAL;
		}

		/* Ensure instance has an open send window */
		if (!txwin) {
		pr_err("No send window open?\n");

arch/powerpc/platforms/powernv/memtrace.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -48,11 +48,15 @@ static ssize_t memtrace_read(struct file filp, char __user ubuf,
		static int memtrace_mmap(struct file filp, struct vm_area_struct vma)
		{
		struct memtrace_entry *ent = filp->private_data;
		unsigned long ent_nrpages = ent->size >> PAGE_SHIFT;
		unsigned long vma_nrpages = vma_pages(vma);

		if (ent->size < vma->vm_end - vma->vm_start)
		/* The requested page offset should be within object's page count */
		if (vma->vm_pgoff >= ent_nrpages)
		return -EINVAL;

		if (vma->vm_pgoff << PAGE_SHIFT >= ent->size)
		/* The requested mapping range should remain within the bounds */
		if (vma_nrpages > ent_nrpages - vma->vm_pgoff)
		return -EINVAL;

		vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);