From: Nick Piggin
Date: Fri, 16 Mar 2007 21:38:10 +0000 (-0800)
Subject: [PATCH] mm: fix madvise infinite loop
X-Git-Tag: v2.6.21-rc5~102
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=00e9fa2d6421fbbefb4c02821a1e779a3ce47781;p=linux-2.6

[PATCH] mm: fix madvise infinite loop

madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the call covers a region from the start of a vma, and extending past that vma.

Signed-off-by: Nick Piggin
Cc: Badari Pulavarty
Acked-by: Hugh Dickins
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

--- diff --git a/mm/madvise.c b/mm/madvise.c index 4e196155a0..77916e9fc5 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -155,11 +155,14 @@ static long madvise_dontneed(struct vm_area_struct * vma, * Other filesystems return -ENOSYS. */ static long madvise_remove(struct vm_area_struct *vma, + struct vm_area_struct **prev, unsigned long start, unsigned long end) { struct address_space *mapping; loff_t offset, endoff; + *prev = vma; + if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB)) return -EINVAL; @@ -199,7 +202,7 @@ madvise_vma(struct vm_area_struct *vma, struct vm_area_struct **prev, error = madvise_behavior(vma, prev, start, end, behavior); break; case MADV_REMOVE: - error = madvise_remove(vma, start, end); + error = madvise_remove(vma, prev, start, end); break; case MADV_WILLNEED:
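Review bot: In the first hunk, `*prev = vma;` is correctly placed before the `VM_LOCKED|VM_NONLINEAR|VM_HUGETLB` early return, so the caller's cursor is refreshed even on the `-EINVAL` path, but nothing in the code says why this assignment exists; a one-line comment such as `/* caller advances through *prev; leaving it stale repeats or runs off this vma */` would tie the fix to the infinite-loop/oops the commit message describes. The function's comment block (the `Other filesystems return -ENOSYS.` paragraph is visible) should also gain a line for the new `prev` out-parameter, since every handler that takes it is now expected to set it.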
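Review bot: The second hunk makes the `MADV_REMOVE` arm pass `prev` the same way the visible `madvise_behavior(vma, prev, start, end, behavior)` call already does, which is the right shape; the hunk is cut off at `case MADV_WILLNEED:`, so please confirm that the remaining arms of this switch also thread `prev` through and that each handler sets `*prev` on every return path, otherwise the same stale-cursor loop the commit message fixes for `MADV_REMOVE` can recur for another advice value.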