
Commit 00e9fa2d authored by Nick Piggin's avatar Nick Piggin Committed by Linus Torvalds

[PATCH] mm: fix madvise infinite loop



madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the
call covers a region that starts at the beginning of a vma and extends past that vma.

Signed-off-by: default avatarNick Piggin <npiggin@suse.de>
Cc: Badari Pulavarty <pbadari@us.ibm.com>
Acked-by: default avatarHugh Dickins <hugh@veritas.com>
Cc: <stable@kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 0465fc0a
+4 −1
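--- a/FILE_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -155,11 +155,14 @@ static long madvise_dontneed(struct vm_area_struct * vma,
  * Other filesystems return -ENOSYS.
  */
 static long madvise_remove(struct vm_area_struct *vma,
+				struct vm_area_struct **prev,
 				unsigned long start, unsigned long end)
 {
 	struct address_space *mapping;
         loff_t offset, endoff;
 
+	*prev = vma;
+
 	if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB))
 		return -EINVAL;
 
@@ -199,7 +202,7 @@ madvise_vma(struct vm_area_struct *vma, struct vm_area_struct **prev,
 		error = madvise_behavior(vma, prev, start, end, behavior);
 		break;
 	case MADV_REMOVE:
-		error = madvise_remove(vma, start, end);
+		error = madvise_remove(vma, prev, start, end);
 		break;
 
 	case MADV_WILLNEED: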
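Review bot: The new `prev` out-parameter of madvise_remove() is undocumented in the comment block that precedes the function, even though the comment already spells out the function's return-value contract ("Other filesystems return -ENOSYS."). Since the fix relies on `*prev = vma;` being executed before the -EINVAL early return — so that the caller's vma walk can advance instead of re-visiting the same vma — that ordering is the kind of invariant a later refactor silently breaks by moving the assignment below the flag check. I would add to the function comment: `* @prev is always set to @vma, even on the -EINVAL path, so the caller's` / `* vma walk can advance; do not move that assignment below the early returns.` The second hunk shows madvise_behavior() taking the same `prev` argument, so presumably the other madvise_* helpers follow this contract too, which the comment could state once. madvise_remove()'s body continues past the end of the first hunk, so I could not confirm that no other early return precedes the assignment there.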