mm: fix madvise infinine loop

madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the call covers a region from the start of a vma, and extending past that vma. Signed-off-by: Nick Piggin <npiggin@suse.de> Cc: Badari Pulavarty <pbadari@us.ibm.com> Acked-by: Hugh Dickins <hugh@veritas.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Nick Piggin <npiggin@suse.de> 2007-03-16 13:38:10 -0800
committer: Greg Kroah-Hartman <gregkh@suse.de> 2007-03-23 12:49:22 -0700
commit: 522850039c6c8a7ff8df8f9b6b118141aca50d62 (patch)
tree: d67638d3a0156ab1adcb57c51f45614bd459c0f0
parent: 7639e962234c76031d1ddf436def7fd9602be560 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/mm/madvise.c b/mm/madvise.c
index 4e196155a0c..77916e9fc52 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -155,11 +155,14 @@ static long madvise_dontneed(struct vm_area_struct * vma,
  * Other filesystems return -ENOSYS.
  */
 static long madvise_remove(struct vm_area_struct *vma,
+				struct vm_area_struct **prev,
 				unsigned long start, unsigned long end)
 {
 	struct address_space *mapping;
         loff_t offset, endoff;
 
+	*prev = vma;
+
 	if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB))
 		return -EINVAL;
 
@@ -199,7 +202,7 @@ madvise_vma(struct vm_area_struct *vma, struct vm_area_struct **prev,
 		error = madvise_behavior(vma, prev, start, end, behavior);
 		break;
 	case MADV_REMOVE:
-		error = madvise_remove(vma, start, end);
+		error = madvise_remove(vma, prev, start, end);
 		break;
 
 	case MADV_WILLNEED:
author	Nick Piggin <npiggin@suse.de>	2007-03-16 13:38:10 -0800
committer	Greg Kroah-Hartman <gregkh@suse.de>	2007-03-23 12:49:22 -0700
commit	522850039c6c8a7ff8df8f9b6b118141aca50d62 (patch)
tree	d67638d3a0156ab1adcb57c51f45614bd459c0f0
parent	7639e962234c76031d1ddf436def7fd9602be560 (diff)