author | Nick Piggin <npiggin@suse.de> | 2007-03-16 17:38:10 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-03-16 22:25:04 -0400 |
commit | 00e9fa2d6421fbbefb4c02821a1e779a3ce47781 (patch) | |
tree | d5b57449b693f24ee106af062ca8c6bfcef6d1e7 | |
parent | 0465fc0a1c42e18438d391f3a7e661493a9ad68e (diff) |
[PATCH] mm: fix madvise infinine loop
madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the
call covers a region that begins at the start of a vma and extends past that vma.
Signed-off-by: Nick Piggin <npiggin@suse.de>
Cc: Badari Pulavarty <pbadari@us.ibm.com>
Acked-by: Hugh Dickins <hugh@veritas.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | mm/madvise.c | 5 |
1 files changed, 4 insertions, 1 deletions
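--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -155,11 +155,14 @@ static long madvise_dontneed(struct vm_area_struct * vma,
 * Other filesystems return -ENOSYS.
 */
 static long madvise_remove(struct vm_area_struct *vma,
+struct vm_area_struct **prev,
 unsigned long start, unsigned long end)
 {
 struct address_space *mapping;
 loff_t offset, endoff;
 
+*prev = vma;
+
 if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB))
 return -EINVAL;
 
@@ -199,7 +202,7 @@ madvise_vma(struct vm_area_struct *vma, struct vm_area_struct **prev,
 error = madvise_behavior(vma, prev, start, end, behavior);
 break;
 case MADV_REMOVE:
-error = madvise_remove(vma, start, end);
+error = madvise_remove(vma, prev, start, end);
 break;
 
 case MADV_WILLNEED: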
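Review bot: The added `*prev = vma;` at the top of madvise_remove (first hunk) has no comment, although it is the whole fix. Judging from the commit message, the caller steps to the next vma through `*prev`, so a handler that leaves it unset lets a plain madvise() call spin or oops the kernel. I would put `/* Caller advances through the range via *prev: set it on every path, including the -EINVAL return below. */` above the assignment, so the placement before the flags check is not reordered later. The caller's loop and the rest of madvise_remove lie outside these hunks, so it is worth confirming that the other handlers dispatched from madvise_vma also set `*prev` on all their return paths.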