[PATCH] mm: fix madvise infinine loop madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the call covers a region from the start of a vma, and extending past that vma. Signed-off-by: Nick Piggin <npiggin@suse.de> Cc: Badari Pulavarty <pbadari@us.ibm.com> Acked-by: Hugh Dickins <hugh@veritas.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit: 00e9fa2d6421fbbefb4c02821a1e779a3ce47781 [log] [tgz]
author: Nick Piggin <npiggin@suse.de> Fri Mar 16 13:38:10 2007 -0800
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> Fri Mar 16 19:25:04 2007 -0700
tree: d5b57449b693f24ee106af062ca8c6bfcef6d1e7
parent: 0465fc0a1c42e18438d391f3a7e661493a9ad68e [diff] [blame]
diff --git a/mm/madvise.c b/mm/madvise.c
index 4e19615..77916e9f 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c

@@ -155,11 +155,14 @@
  * Other filesystems return -ENOSYS.
  */
 static long madvise_remove(struct vm_area_struct *vma,
+				struct vm_area_struct **prev,
 				unsigned long start, unsigned long end)
 {
 	struct address_space *mapping;
         loff_t offset, endoff;
 
+	*prev = vma;
+
 	if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB))
 		return -EINVAL;
 
@@ -199,7 +202,7 @@
 		error = madvise_behavior(vma, prev, start, end, behavior);
 		break;
 	case MADV_REMOVE:
-		error = madvise_remove(vma, start, end);
+		error = madvise_remove(vma, prev, start, end);
 		break;
 
 	case MADV_WILLNEED:
commit	00e9fa2d6421fbbefb4c02821a1e779a3ce47781	[log] [tgz]
author	Nick Piggin <npiggin@suse.de>	Fri Mar 16 13:38:10 2007 -0800
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	Fri Mar 16 19:25:04 2007 -0700
tree	d5b57449b693f24ee106af062ca8c6bfcef6d1e7
parent	0465fc0a1c42e18438d391f3a7e661493a9ad68e [diff] [blame]