Commit 84d96d89 authored by Rasmus Villemoes's avatar Rasmus Villemoes Committed by Linus Torvalds

mm: madvise: complete input validation before taking lock

In madvise(), there doesn't seem to be any reason for taking the
&current->mm->mmap_sem before start and len_in have been validated.
Incidentally, this removes the need for the out: label.

[akpm@linux-foundation.org: s/out_plug/out/, per David]
Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
Acked-by: default avatarKOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: default avatarDavid Rientjes <rientjes@google.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 4edd7cef
...@@ -473,27 +473,27 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior) ...@@ -473,27 +473,27 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior)
if (!madvise_behavior_valid(behavior)) if (!madvise_behavior_valid(behavior))
return error; return error;
write = madvise_need_mmap_write(behavior);
if (write)
down_write(&current->mm->mmap_sem);
else
down_read(&current->mm->mmap_sem);
if (start & ~PAGE_MASK) if (start & ~PAGE_MASK)
goto out; return error;
len = (len_in + ~PAGE_MASK) & PAGE_MASK; len = (len_in + ~PAGE_MASK) & PAGE_MASK;
/* Check to see whether len was rounded up from small -ve to zero */ /* Check to see whether len was rounded up from small -ve to zero */
if (len_in && !len) if (len_in && !len)
goto out; return error;
end = start + len; end = start + len;
if (end < start) if (end < start)
goto out; return error;
error = 0; error = 0;
if (end == start) if (end == start)
goto out; return error;
write = madvise_need_mmap_write(behavior);
if (write)
down_write(&current->mm->mmap_sem);
else
down_read(&current->mm->mmap_sem);
/* /*
* If the interval [start,end) covers some unmapped address * If the interval [start,end) covers some unmapped address
...@@ -509,14 +509,14 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior) ...@@ -509,14 +509,14 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior)
/* Still start < end. */ /* Still start < end. */
error = -ENOMEM; error = -ENOMEM;
if (!vma) if (!vma)
goto out_plug; goto out;
/* Here start < (end|vma->vm_end). */ /* Here start < (end|vma->vm_end). */
if (start < vma->vm_start) { if (start < vma->vm_start) {
unmapped_error = -ENOMEM; unmapped_error = -ENOMEM;
start = vma->vm_start; start = vma->vm_start;
if (start >= end) if (start >= end)
goto out_plug; goto out;
} }
/* Here vma->vm_start <= start < (end|vma->vm_end) */ /* Here vma->vm_start <= start < (end|vma->vm_end) */
...@@ -527,21 +527,20 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior) ...@@ -527,21 +527,20 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior)
/* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */ /* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */
error = madvise_vma(vma, &prev, start, tmp, behavior); error = madvise_vma(vma, &prev, start, tmp, behavior);
if (error) if (error)
goto out_plug; goto out;
start = tmp; start = tmp;
if (prev && start < prev->vm_end) if (prev && start < prev->vm_end)
start = prev->vm_end; start = prev->vm_end;
error = unmapped_error; error = unmapped_error;
if (start >= end) if (start >= end)
goto out_plug; goto out;
if (prev) if (prev)
vma = prev->vm_next; vma = prev->vm_next;
else /* madvise_remove dropped mmap_sem */ else /* madvise_remove dropped mmap_sem */
vma = find_vma(current->mm, start); vma = find_vma(current->mm, start);
} }
out_plug:
blk_finish_plug(&plug);
out: out:
blk_finish_plug(&plug);
if (write) if (write)
up_write(&current->mm->mmap_sem); up_write(&current->mm->mmap_sem);
else else
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment