    [PATCH] fix null dereference in sys_mprotect · 0cd9efe3
    Paul Mackerras authored
    As it is at the moment, sys_mprotect will dereference a null pointer
    if you use it on a region that is contained within the first vma.  I
    have a little program that demonstrates this (I'll post it if anyone
    is interested).  What happens then is that the process hangs in
    do_page_fault at the down_read on the mm->mmap_sem, since sys_mprotect
    has done a down_write on mm->mmap_sem.
    
    The problem is that mprotect_fixup isn't updating prev properly.  Thus
    we can finish the main loop in sys_mprotect with prev == NULL.  This
    has been the case since Christoph's cleanups went in.  Prior to that,
    mprotect_fixup always set prev to something non-NULL.  I suspect that
    not updating prev could also cause vmas to get dropped completely if
    the region being mprotected spans more than one vma.
    
    The patch below fixes the problem by making mprotect_fixup set prev to
    a reasonable value in all circumstances.
mprotect.c 6.61 KB