redonkable/remarkable-linux
redonkable/remarkable-linux
1
0
Fork 0
Code Releases Activity

[PATCH] mm: fix madvise infinine loop

Browse source 
madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the
call covers a region from the start of a vma, and extending past that vma.

Signed-off-by: Nick Piggin <npiggin@suse.de>
Cc: Badari Pulavarty <pbadari@us.ibm.com>
Acked-by: Hugh Dickins <hugh@veritas.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Nick Piggin 2007-03-16 13:38:10 -08:00 committed by Linus Torvalds
parent 0465fc0a1c
commit 00e9fa2d64
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
mm/madvise.c
View file

@ -155,11 +155,14 @@ static long madvise_dontneed(struct vm_area_struct * vma,
* Other filesystems return -ENOSYS. * Other filesystems return -ENOSYS.
*/ */
static long madvise_remove(struct vm_area_struct *vma, static long madvise_remove(struct vm_area_struct *vma,
struct vm_area_struct **prev,
unsigned long start, unsigned long end) unsigned long start, unsigned long end)
{ {
struct address_space *mapping; struct address_space *mapping;
loff_t offset, endoff; loff_t offset, endoff;
*prev = vma;
if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB)) if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB))
return -EINVAL; return -EINVAL;
@ -199,7 +202,7 @@ madvise_vma(struct vm_area_struct *vma, struct vm_area_struct **prev,
error = madvise_behavior(vma, prev, start, end, behavior); error = madvise_behavior(vma, prev, start, end, behavior);
break; break;
case MADV_REMOVE: case MADV_REMOVE:
error = madvise_remove(vma, start, end); error = madvise_remove(vma, prev, start, end);
break; break;
case MADV_WILLNEED: case MADV_WILLNEED: