authorNick Piggin <npiggin@suse.de>2007-03-16 17:38:10 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-03-16 22:25:04 -0400
commit00e9fa2d6421fbbefb4c02821a1e779a3ce47781 (patch)
treed5b57449b693f24ee106af062ca8c6bfcef6d1e7
parent0465fc0a1c42e18438d391f3a7e661493a9ad68e (diff)
[PATCH] mm: fix madvise infinine loop
madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the call covers a region from the start of a vma, and extending past that vma. Signed-off-by: Nick Piggin <npiggin@suse.de> Cc: Badari Pulavarty <pbadari@us.ibm.com> Acked-by: Hugh Dickins <hugh@veritas.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--mm/madvise.c5
1 files changed, 4 insertions, 1 deletions
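--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -155,11 +155,14 @@ static long madvise_dontneed(struct vm_area_struct * vma,
  * Other filesystems return -ENOSYS.
  */
 static long madvise_remove(struct vm_area_struct *vma,
+				struct vm_area_struct **prev,
 				unsigned long start, unsigned long end)
 {
 	struct address_space *mapping;
 	loff_t offset, endoff;
 
+	*prev = vma;
+
 	if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB))
 		return -EINVAL;
 
@@ -199,7 +202,7 @@ madvise_vma(struct vm_area_struct *vma, struct vm_area_struct **prev,
 		error = madvise_behavior(vma, prev, start, end, behavior);
 		break;
 	case MADV_REMOVE:
-		error = madvise_remove(vma, start, end);
+		error = madvise_remove(vma, prev, start, end);
 		break;
 
 	case MADV_WILLNEED: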
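Review bot: The new `prev` out-parameter of `madvise_remove` gets no documentation, although its contract is the whole fix: `*prev = vma;` is stored unconditionally before the `VM_LOCKED|VM_NONLINEAR|VM_HUGETLB` check, so the caller's cursor is advanced even on the `-EINVAL` return. The header comment above the function (only its last two lines are inside the first hunk) should say so, e.g. `/* Always sets *prev to vma, even on error, so the caller can keep walking past this vma. */`, since a future early return added above that assignment would silently reintroduce the loop this commit fixes. The second hunk passes the caller's own `prev` straight through, which looks consistent with how `madvise_behavior` is called on the line above it, though that callee's handling of `prev` is outside the hunk. Both hunks cut their enclosing functions: `madvise_remove`'s body continues past the first hunk, and `madvise_vma`'s switch begins before and ends after the second.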