Merge tag 'powerpc-6.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linuxHEAD master

Pull powerpc fixes from Madhavan Srinivasan: - a couple of fixes for out of bounds issues in memtrace and vas Thanks to Ritesh Harjani (IBM), Haren Myneni, and Jonathan Greental * tag 'powerpc-6.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap
author: Linus Torvalds <torvalds@linux-foundation.org> 2025-06-09 20:06:58 -0700
committer: Linus Torvalds <torvalds@linux-foundation.org> 2025-06-09 20:06:58 -0700
commit: f09079bd04a924c72d555cd97942d5f8d7eca98c (patch)
tree: 3db88eab0771fde1d4660416bb54a3486a360651
parent: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 (diff)
parent: 0d67f0dee6c9176bc09a5482dd7346e3a0f14d0b (diff)
download: linux-master.tar.gz
2 files changed, 15 insertions, 2 deletions
diff --git a/arch/powerpc/platforms/book3s/vas-api.c b/arch/powerpc/platforms/book3s/vas-api.c
index 0b6365d85d1171..dc6f75d3ac6ef7 100644
--- a/arch/powerpc/platforms/book3s/vas-api.c
+++ b/arch/powerpc/platforms/book3s/vas-api.c
@@ -521,6 +521,15 @@ static int coproc_mmap(struct file *fp, struct vm_area_struct *vma)
 		return -EINVAL;
 	}
 
+	/*
+	 * Map complete page to the paste address. So the user
+	 * space should pass 0ULL to the offset parameter.
+	 */
+	if (vma->vm_pgoff) {
+		pr_debug("Page offset unsupported to map paste address\n");
+		return -EINVAL;
+	}
+
 	/* Ensure instance has an open send window */
 	if (!txwin) {
 		pr_err("No send window open?\n");
diff --git a/arch/powerpc/platforms/powernv/memtrace.c b/arch/powerpc/platforms/powernv/memtrace.c
index 4ac9808e55a44d..2ea30b34335415 100644
--- a/arch/powerpc/platforms/powernv/memtrace.c
+++ b/arch/powerpc/platforms/powernv/memtrace.c
@@ -48,11 +48,15 @@ static ssize_t memtrace_read(struct file *filp, char __user *ubuf,
 static int memtrace_mmap(struct file *filp, struct vm_area_struct *vma)
 {
 	struct memtrace_entry *ent = filp->private_data;
+	unsigned long ent_nrpages = ent->size >> PAGE_SHIFT;
+	unsigned long vma_nrpages = vma_pages(vma);
 
-	if (ent->size < vma->vm_end - vma->vm_start)
+	/* The requested page offset should be within object's page count */
+	if (vma->vm_pgoff >= ent_nrpages)
 		return -EINVAL;
 
-	if (vma->vm_pgoff << PAGE_SHIFT >= ent->size)
+	/* The requested mapping range should remain within the bounds */
+	if (vma_nrpages > ent_nrpages - vma->vm_pgoff)
 		return -EINVAL;
 
 	vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
author	Linus Torvalds <torvalds@linux-foundation.org>	2025-06-09 20:06:58 -0700
committer	Linus Torvalds <torvalds@linux-foundation.org>	2025-06-09 20:06:58 -0700
commit	f09079bd04a924c72d555cd97942d5f8d7eca98c (patch)
tree	3db88eab0771fde1d4660416bb54a3486a360651
parent	19272b37aa4f83ca52bdf9c16d5d81bdd1354494 (diff)
parent	0d67f0dee6c9176bc09a5482dd7346e3a0f14d0b (diff)
download	linux-master.tar.gz