mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-04 10:40:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

mm: madvise: complete input validation before taking lock

Browse source 
In madvise(), there doesn't seem to be any reason for taking the
&current->mm->mmap_sem before start and len_in have been validated.
Incidentally, this removes the need for the out: label.

[akpm@linux-foundation.org: s/out_plug/out/, per David]
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Rasmus Villemoes 2013-04-29 15:08:23 -07:00 committed by Linus Torvalds
parent 4edd7ceff0
commit 84d96d8976
1 changed files with 21 additions and 22 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

43
mm/madvise.c
View file

@ -473,28 +473,28 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior)
if (!madvise_behavior_valid(behavior)) if (!madvise_behavior_valid(behavior))
return error; return error;
if (start & ~PAGE_MASK)
return error;
len = (len_in + ~PAGE_MASK) & PAGE_MASK;
/* Check to see whether len was rounded up from small -ve to zero */
if (len_in && !len)
return error;
end = start + len;
if (end < start)
return error;
error = 0;
if (end == start)
return error;
write = madvise_need_mmap_write(behavior); write = madvise_need_mmap_write(behavior);
if (write) if (write)
down_write(&current->mm->mmap_sem); down_write(&current->mm->mmap_sem);
else else
down_read(&current->mm->mmap_sem); down_read(&current->mm->mmap_sem);
if (start & ~PAGE_MASK)
goto out;
len = (len_in + ~PAGE_MASK) & PAGE_MASK;
/* Check to see whether len was rounded up from small -ve to zero */
if (len_in && !len)
goto out;
end = start + len;
if (end < start)
goto out;
error = 0;
if (end == start)
goto out;
/* /*
* If the interval [start,end) covers some unmapped address * If the interval [start,end) covers some unmapped address
* ranges, just ignore them, but return -ENOMEM at the end. * ranges, just ignore them, but return -ENOMEM at the end.
@ -509,14 +509,14 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior)
/* Still start < end. */ /* Still start < end. */
error = -ENOMEM; error = -ENOMEM;
if (!vma) if (!vma)
goto out_plug; goto out;
/* Here start < (end|vma->vm_end). */ /* Here start < (end|vma->vm_end). */
if (start < vma->vm_start) { if (start < vma->vm_start) {
unmapped_error = -ENOMEM; unmapped_error = -ENOMEM;
start = vma->vm_start; start = vma->vm_start;
if (start >= end) if (start >= end)
goto out_plug; goto out;
} }
/* Here vma->vm_start <= start < (end|vma->vm_end) */ /* Here vma->vm_start <= start < (end|vma->vm_end) */
@ -527,21 +527,20 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior)
/* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */ /* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */
error = madvise_vma(vma, &prev, start, tmp, behavior); error = madvise_vma(vma, &prev, start, tmp, behavior);
if (error) if (error)
goto out_plug; goto out;
start = tmp; start = tmp;
if (prev && start < prev->vm_end) if (prev && start < prev->vm_end)
start = prev->vm_end; start = prev->vm_end;
error = unmapped_error; error = unmapped_error;
if (start >= end) if (start >= end)
goto out_plug; goto out;
if (prev) if (prev)
vma = prev->vm_next; vma = prev->vm_next;
else /* madvise_remove dropped mmap_sem */ else /* madvise_remove dropped mmap_sem */
vma = find_vma(current->mm, start); vma = find_vma(current->mm, start);
} }
out_plug:
blk_finish_plug(&plug);
out: out:
blk_finish_plug(&plug);
if (write) if (write)
up_write(&current->mm->mmap_sem); up_write(&current->mm->mmap_sem);
else else