mm: madvise(): correct return code

The posix_madvise() function succeeds (and does nothing) when called with parameters (NULL, 0, -1); according to LSB tests, it should fail with EINVAL because -1 is not a valid flag. When called with a valid address and size, it correctly fails. So perform an initial check for valid flags first. Reported-by: Jiri Dluhos <jdluhos@novell.com> Signed-off-by: Nick Piggin <npiggin@suse.de> Reviewed-and-Tested-by: WANG Cong <xiyou.wangcong@gmail.com> Cc: Michael Kerrisk <mtk.manpages@googlemail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

mm: madvise(): correct return code
The posix_madvise() function succeeds (and does nothing) when called with parameters (NULL, 0, -1); according to LSB tests, it should fail with EINVAL because -1 is not a valid flag. When called with a valid address and size, it correctly fails. So perform an initial check for valid flags first. Reported-by: Jiri Dluhos <jdluhos@novell.com> Signed-off-by: Nick Piggin <npiggin@suse.de> Reviewed-and-Tested-by: WANG Cong <xiyou.wangcong@gmail.com> Cc: Michael Kerrisk <mtk.manpages@googlemail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Nick Piggin · Linus Torvalds
1 parent dab48dab37
Showing 1 changed file with 22 additions and 1 deletions Side-by-side Diff
mm/madvise.c
@@ -238,12 +238,30 @@
 		break;
  
 	default:
-		error = -EINVAL;
+		BUG();
 		break;
 	}
 	return error;
 }
  
+static int
+madvise_behavior_valid(int behavior)
+{
+	switch (behavior) {
+	case MADV_DOFORK:
+	case MADV_DONTFORK:
+	case MADV_NORMAL:
+	case MADV_SEQUENTIAL:
+	case MADV_RANDOM:
+	case MADV_REMOVE:
+	case MADV_WILLNEED:
+	case MADV_DONTNEED:
+		return 1;
+
+	default:
+		return 0;
+	}
+}
 /*
  * The madvise(2) system call.
  *
@@ -288,6 +306,9 @@
 	int error = -EINVAL;
 	int write;
 	size_t len;
+
+	if (!madvise_behavior_valid(behavior))
+		return error;
  
 	write = madvise_need_mmap_write(behavior);
 	if (write)
...	...	@@ -238,12 +238,30 @@
238	238	break;
239	239
240	240	default:
241		- error = -EINVAL;
	241	+ BUG();
242	242	break;
243	243	}
244	244	return error;
245	245	}
246	246
	247	+static int
	248	+madvise_behavior_valid(int behavior)
	249	+{
	250	+ switch (behavior) {
	251	+ case MADV_DOFORK:
	252	+ case MADV_DONTFORK:
	253	+ case MADV_NORMAL:
	254	+ case MADV_SEQUENTIAL:
	255	+ case MADV_RANDOM:
	256	+ case MADV_REMOVE:
	257	+ case MADV_WILLNEED:
	258	+ case MADV_DONTNEED:
	259	+ return 1;
	260	+
	261	+ default:
	262	+ return 0;
	263	+ }
	264	+}
247	265	/*
248	266	* The madvise(2) system call.
249	267	*
...	...	@@ -288,6 +306,9 @@
288	306	int error = -EINVAL;
289	307	int write;
290	308	size_t len;
	309	+
	310	+ if (!madvise_behavior_valid(behavior))
	311	+ return error;
291	312
292	313	write = madvise_need_mmap_write(behavior);
293	314	if (write)