oss-sec mailing list archives

Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook


From: <zrlw () sina com>
Date: Wed, 11 Jul 2018 10:15:34 +0800

I think commit be83bbf80682 may have a problem: if file_mmap_size_max returns 0 (not regular, not block, fmode & FMODE_UNSIGNED_OFFSET == true), maxsize will be set to -len, correct?
+static inline bool file_mmap_ok(struct file *file, struct inode *inode,
+               unsigned long pgoff, unsigned long len)
+{
+   u64 maxsize = file_mmap_size_max(file, inode);
+
+   if (maxsize && len > maxsize)
+       return false;
+   maxsize -= len;                                         <==  maxsize = -len when file_mmap_size_max return 0 
+   if (pgoff > maxsize >> PAGE_SHIFT)
+       return false;
+   return true;
+}
+
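Review bot: The subtraction `maxsize -= len` in file_mmap_ok() runs even when file_mmap_size_max() returned 0, because the `maxsize && len > maxsize` guard is skipped for zero. Since maxsize is a u64, the result wraps to 2^64 - len, and the `pgoff > maxsize >> PAGE_SHIFT` test then compares against that wrapped value. If a return of 0 is meant to stand for "no size limit", a comment above the subtraction should say that the wraparound is relied on. Alternatively, handle the zero case explicitly before subtracting, so the offset check does not depend on unsigned overflow that a reader has to work out.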
