
kernel-2.6.18-238.el5.src.rpm

From: Jiri Pirko <jpirko@redhat.com>
Date: Mon, 23 Aug 2010 14:03:18 -0400
Subject: [mm] accept an abutting stack segment
Message-id: <20100823140317.GA15848@psychotron.brq.redhat.com>
Patchwork-id: 27774
O-Subject: [RHEL5.6 patch] CVE-2010-2240 BZ607858 mm: accept an abutting stack segment
Bugzilla: 607858
CVE: CVE-2010-2240
RH-Acked-by: Rik van Riel <riel@redhat.com>
RH-Acked-by: Larry Woodman <lwoodman@redhat.com>

BZ607858
https://bugzilla.redhat.com/show_bug.cgi?id=607858

Description:
Since we do not have vma->vm_prev in rhel5, we use find_vma_prev instead.

Also, accept an abutting stack segment, since that happens naturally if
you split the stack with mlock or mprotect.

Upstream:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0e8e50e20c837eeec8323bba7dcd25fe5479194c

Brew:
https://brewweb.devel.redhat.com/taskinfo?taskID=2699433

Please review.

Jirka

Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/mm/memory.c b/mm/memory.c
index 997afd3..ef2f14f 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2363,11 +2363,20 @@ static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned lo
 {
 	address &= PAGE_MASK;
 	if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
-		address -= PAGE_SIZE;
-		if (find_vma(vma->vm_mm, address) != vma)
-			return -ENOMEM;
+		struct vm_area_struct *prev;
+
+		find_vma_prev(vma->vm_mm, address, &prev);
+
+		/*
+		 * Is there a mapping abutting this one below?
+		 *
+		 * That's only ok if it's the same stack mapping
+		 * that has gotten split..
+		 */
+		if (prev && prev->vm_end == address)
+			return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
 
-		expand_stack(vma, address);
+		expand_stack(vma, address - PAGE_SIZE);
 	}
 	return 0;
 }
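Review bot: the result of expand_stack() is still discarded in `+		expand_stack(vma, address - PAGE_SIZE);`, exactly as the removed `expand_stack(vma, address);` line did, so a failed expansion (expand_stack() returns -ENOMEM when the stack cannot grow) falls through to `return 0;` as if the guard page had been set up; consider `return expand_stack(vma, address - PAGE_SIZE);` so the failure reaches the fault path. Two smaller points in the same hunk: the vma returned by `find_vma_prev(vma->vm_mm, address, &prev);` is dropped without comment, and a one-line note that it is expected to be `vma` itself (only `prev` is wanted) would document the intent; and the comment "That's only ok if it's the same stack mapping that has gotten split" overstates what `prev->vm_flags & VM_GROWSDOWN` checks, which is only that the abutting mapping is itself a grows-down mapping, not that it was split from this one.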