Commit 00e9fa2d6421fbbefb4c02821a1e779a3ce47781
Committed by
Linus Torvalds
Linus Torvalds
1 parent
0465fc0a1c
Exists in
master
and in
20 other branches
[PATCH] mm: fix madvise infinine loop
madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the call covers a region from the start of a vma, and extending past that vma. Signed-off-by: Nick Piggin <npiggin@suse.de> Cc: Badari Pulavarty <pbadari@us.ibm.com> Acked-by: Hugh Dickins <hugh@veritas.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Showing 1 changed file with 4 additions and 1 deletions Side-by-side Diff
mm/madvise.c
| ... | ... | @@ -155,11 +155,14 @@ |
| 155 | 155 | * Other filesystems return -ENOSYS. |
| 156 | 156 | */ |
| 157 | 157 | static long madvise_remove(struct vm_area_struct *vma, |
| 158 | + struct vm_area_struct **prev, | |
| 158 | 159 | unsigned long start, unsigned long end) |
| 159 | 160 | { |
| 160 | 161 | struct address_space *mapping; |
| 161 | 162 | loff_t offset, endoff; |
| 162 | 163 | |
| 164 | + *prev = vma; | |
| 165 | + | |
| 163 | 166 | if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB)) |
| 164 | 167 | return -EINVAL; |
| 165 | 168 | |
| ... | ... | @@ -199,7 +202,7 @@ |
| 199 | 202 | error = madvise_behavior(vma, prev, start, end, behavior); |
| 200 | 203 | break; |
| 201 | 204 | case MADV_REMOVE: |
| 202 | - error = madvise_remove(vma, start, end); | |
| 205 | + error = madvise_remove(vma, prev, start, end); | |
| 203 | 206 | break; |
| 204 | 207 | |
| 205 | 208 | case MADV_WILLNEED: |