UIO: Take offset into account when determining number of pages that can be mapped

If a UIO memory region does not start on a page boundary but straddles one,
the number of actual pages that overlap the memory region may be calculated
incorrectly because the offset isn't taken into account.  If userspace sets
the mmap length to offset+size, it may fail with -EINVAL if UIO thinks it's
trying to allocate too many pages.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: Hans J. Koch <hjk@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
index 68a496557788e6e10f06783c130a102035e052ee..03efb065455fa6ef1e9db0d091db9bcad1960e12 100644 (file)
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -708,7 +708,8 @@ static int uio_mmap(struct file *filep, struct vm_area_struct *vma)
                return -EINVAL;
 
        requested_pages = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
-       actual_pages = (idev->info->mem[mi].size + PAGE_SIZE -1) >> PAGE_SHIFT;
+       actual_pages = ((idev->info->mem[mi].addr & ~PAGE_MASK)
+                       + idev->info->mem[mi].size + PAGE_SIZE -1) >> PAGE_SHIFT;
        if (requested_pages > actual_pages)
                return -EINVAL;